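# Compliance specification for RFC 8446 section 4.1.3 (ServerHello).
#
# Layout: `target` names the cited section; the section text is kept
# verbatim below as a comment for reference; each [[spec]] entry records
# one RFC 2119 requirement with its `level` and the exact sentence
# (`quote`) it comes from. Quotes are reproduced verbatim so they can be
# located in the section text — do not reflow, rephrase or "fix" them.
target = "https://tools.ietf.org/rfc/rfc8446#4.1.3"

# 4.1.3.  Server Hello
#
# The server will send this message in response to a ClientHello
# message to proceed with the handshake if it is able to negotiate an
# acceptable set of handshake parameters based on the ClientHello.
#
# Structure of this message:
#
#     struct {
#         ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
#         Random random;
#         opaque legacy_session_id_echo<0..32>;
#         CipherSuite cipher_suite;
#         uint8 legacy_compression_method = 0;
#         Extension extensions<6..2^16-1>;
#     } ServerHello;
#
# legacy_version:  In previous versions of TLS, this field was used for
#    version negotiation and represented the selected version number
#    for the connection.  Unfortunately, some middleboxes fail when
#    presented with new values.  In TLS 1.3, the TLS server indicates
#    its version using the "supported_versions" extension
#    (Section 4.2.1), and the legacy_version field MUST be set to
#    0x0303, which is the version number for TLS 1.2.  (See Appendix D
#    for details about backward compatibility.)
#
# random:  32 bytes generated by a secure random number generator.  See
#    Appendix C for additional information.  The last 8 bytes MUST be
#    overwritten as described below if negotiating TLS 1.2 or TLS 1.1,
#    but the remaining bytes MUST be random.  This structure is
#    generated by the server and MUST be generated independently of the
#    ClientHello.random.
#
# legacy_session_id_echo:  The contents of the client's
#    legacy_session_id field.  Note that this field is echoed even if
#    the client's value corresponded to a cached pre-TLS 1.3 session
#    which the server has chosen not to resume.  A client which
#    receives a legacy_session_id_echo field that does not match what
#    it sent in the ClientHello MUST abort the handshake with an
#    "illegal_parameter" alert.
#
# cipher_suite:  The single cipher suite selected by the server from
#    the list in ClientHello.cipher_suites.  A client which receives a
#    cipher suite that was not offered MUST abort the handshake with an
#    "illegal_parameter" alert.
#
# legacy_compression_method:  A single byte which MUST have the
#    value 0.
#
# extensions:  A list of extensions.  The ServerHello MUST only include
#    extensions which are required to establish the cryptographic
#    context and negotiate the protocol version.  All TLS 1.3
#    ServerHello messages MUST contain the "supported_versions"
#    extension.  Current ServerHello messages additionally contain
#    either the "pre_shared_key" extension or the "key_share"
#    extension, or both (when using a PSK with (EC)DHE key
#    establishment).  Other extensions (see Section 4.2) are sent
#    separately in the EncryptedExtensions message.
#
# For reasons of backward compatibility with middleboxes (see
# Appendix D.4), the HelloRetryRequest message uses the same structure
# as the ServerHello, but with Random set to the special value of the
# SHA-256 of "HelloRetryRequest":
#
#   CF 21 AD 74 E5 9A 61 11 BE 1D 8C 02 1E 65 B8 91
#   C2 A2 11 16 7A BB 8C 5E 07 9E 09 E2 C8 A8 33 9C
#
# Upon receiving a message with type server_hello, implementations MUST
# first examine the Random value and, if it matches this value, process
# it as described in Section 4.1.4).
#
# TLS 1.3 has a downgrade protection mechanism embedded in the server's
# random value.  TLS 1.3 servers which negotiate TLS 1.2 or below in
# response to a ClientHello MUST set the last 8 bytes of their Random
# value specially in their ServerHello.
#
# If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
# their Random value to the bytes:
#
#   44 4F 57 4E 47 52 44 01
#
# If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2
# servers SHOULD, set the last 8 bytes of their ServerHello.Random
# value to the bytes:
#
#   44 4F 57 4E 47 52 44 00
#
# TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
# MUST check that the last 8 bytes are not equal to either of these
# values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
# not equal to the second value if the ServerHello indicates TLS 1.1 or
# below.  If a match is found, the client MUST abort the handshake with
# an "illegal_parameter" alert.  This mechanism provides limited
# protection against downgrade attacks over and above what is provided
# by the Finished exchange: because the ServerKeyExchange, a message
# present in TLS 1.2 and below, includes a signature over both random
# values, it is not possible for an active attacker to modify the
# random values without detection as long as ephemeral ciphers are
# used.  It does not provide downgrade protection when static RSA
# is used.
#
# Note: This is a change from [RFC5246], so in practice many TLS 1.2
# clients and servers will not behave as specified above.
#
# A legacy TLS client performing renegotiation with TLS 1.2 or prior
# and which receives a TLS 1.3 ServerHello during renegotiation MUST
# abort the handshake with a "protocol_version" alert.  Note that
# renegotiation is not possible when TLS 1.3 has been negotiated.

# legacy_version is not a version signal in TLS 1.3: the real selected
# version lives in "supported_versions"; this field is pinned to 0x0303.
[[spec]]
level = "MUST"
quote = '''
In TLS 1.3, the TLS server indicates its version using the "supported_versions" extension (Section 4.2.1), and the legacy_version field MUST be set to 0x0303, which is the version number for TLS 1.2.
'''

# The next sentence carries two distinct requirements (overwrite the last
# 8 bytes with the downgrade sentinel when negotiating TLS 1.2/1.1; keep
# the remaining 24 bytes random) and is therefore recorded twice so each
# can be cited on its own.
# NOTE(review): confirm the consuming tool expects duplicate entries for
# a multi-requirement sentence rather than a single entry.
[[spec]]
level = "MUST"
quote = '''
The last 8 bytes MUST be overwritten as described below if negotiating TLS 1.2 or TLS 1.1, but the remaining bytes MUST be random.
'''

[[spec]]
level = "MUST"
quote = '''
The last 8 bytes MUST be overwritten as described below if negotiating TLS 1.2 or TLS 1.1, but the remaining bytes MUST be random.
'''

# Server Random must not be derived from ClientHello.random.
[[spec]]
level = "MUST"
quote = '''
This structure is generated by the server and MUST be generated independently of the ClientHello.random.
'''

# Client-side check: echoed session id must equal what was sent.
[[spec]]
level = "MUST"
quote = '''
A client which receives a legacy_session_id_echo field that does not match what it sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.
'''

# Client-side check: selected cipher suite must be one the client offered.
[[spec]]
level = "MUST"
quote = '''
A client which receives a cipher suite that was not offered MUST abort the handshake with an "illegal_parameter" alert.
'''

[[spec]]
level = "MUST"
quote = '''
legacy_compression_method: A single byte which MUST have the value 0.
'''

# Only extensions needed for the cryptographic context / version
# negotiation belong in ServerHello; everything else goes in
# EncryptedExtensions.
[[spec]]
level = "MUST"
quote = '''
The ServerHello MUST only include extensions which are required to establish the cryptographic context and negotiate the protocol version.
'''

[[spec]]
level = "MUST"
quote = '''
All TLS 1.3 ServerHello messages MUST contain the "supported_versions" extension.
'''

# HelloRetryRequest detection: the Random field is compared against the
# fixed SHA-256("HelloRetryRequest") value listed in the section text
# before the message is processed as a ServerHello. The stray ")" at the
# end of the quote is present in the RFC text and is kept verbatim.
[[spec]]
level = "MUST"
quote = '''
Upon receiving a message with type server_hello, implementations MUST first examine the Random value and, if it matches this value, process it as described in Section 4.1.4).
'''

# Downgrade sentinel (server side). The fixed bytes 44 4F 57 4E 47 52 44
# are ASCII "DOWNGRD"; the trailing byte is 01 for TLS 1.2 and 00 for
# TLS 1.1 or below.
[[spec]]
level = "MUST"
quote = '''
TLS 1.3 servers which negotiate TLS 1.2 or below in response to a ClientHello MUST set the last 8 bytes of their Random value specially in their ServerHello.
'''

[[spec]]
level = "MUST"
quote = '''
If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of their Random value to the bytes:
'''

# This sentence also carries a SHOULD for TLS 1.2 servers; it is recorded
# here once, at the MUST level that applies to TLS 1.3 servers.
[[spec]]
level = "MUST"
quote = '''
If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2 servers SHOULD, set the last 8 bytes of their ServerHello.Random value to the bytes:
'''

# Downgrade sentinel (client side). Per the section text this only adds
# protection when an ephemeral key exchange signs both randoms
# (ServerKeyExchange); it gives no downgrade protection with static RSA.
[[spec]]
level = "MUST"
quote = '''
TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below MUST check that the last 8 bytes are not equal to either of these values.
'''

[[spec]]
level = "SHOULD"
quote = '''
TLS 1.2 clients SHOULD also check that the last 8 bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below.
'''

[[spec]]
level = "MUST"
quote = '''
If a match is found, the client MUST abort the handshake with an "illegal_parameter" alert.
'''

# Renegotiation path: a pre-1.3 client must reject a TLS 1.3 ServerHello
# seen during renegotiation with "protocol_version".
[[spec]]
level = "MUST"
quote = '''
A legacy TLS client performing renegotiation with TLS 1.2 or prior and which receives a TLS 1.3 ServerHello during renegotiation MUST abort the handshake with a "protocol_version" alert.
'''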