target = "https://tools.ietf.org/rfc/rfc8446#4.1.4" # 4.1.4. Hello Retry Request # # The server will send this message in response to a ClientHello # message if it is able to find an acceptable set of parameters but the # ClientHello does not contain sufficient information to proceed with # the handshake. As discussed in Section 4.1.3, the HelloRetryRequest # has the same format as a ServerHello message, and the legacy_version, # legacy_session_id_echo, cipher_suite, and legacy_compression_method # fields have the same meaning. However, for convenience we discuss # "HelloRetryRequest" throughout this document as if it were a distinct # message. # # The server's extensions MUST contain "supported_versions". # Additionally, it SHOULD contain the minimal set of extensions # necessary for the client to generate a correct ClientHello pair. As # with the ServerHello, a HelloRetryRequest MUST NOT contain any # extensions that were not first offered by the client in its # ClientHello, with the exception of optionally the "cookie" (see # Section 4.2.2) extension. # # Upon receipt of a HelloRetryRequest, the client MUST check the # legacy_version, legacy_session_id_echo, cipher_suite, and # legacy_compression_method as specified in Section 4.1.3 and then # process the extensions, starting with determining the version using # "supported_versions". Clients MUST abort the handshake with an # "illegal_parameter" alert if the HelloRetryRequest would not result # in any change in the ClientHello. If a client receives a second # HelloRetryRequest in the same connection (i.e., where the ClientHello # was itself in response to a HelloRetryRequest), it MUST abort the # handshake with an "unexpected_message" alert. # # Otherwise, the client MUST process all extensions in the # HelloRetryRequest and send a second updated ClientHello. The # HelloRetryRequest extensions defined in this specification are: # # - supported_versions (see Section 4.2.1) # # - cookie (see Section 4.2.2) # # - key_share (see Section 4.2.8) # # A client which receives a cipher suite that was not offered MUST # abort the handshake. Servers MUST ensure that they negotiate the # same cipher suite when receiving a conformant updated ClientHello (if # the server selects the cipher suite as the first step in the # negotiation, then this will happen automatically). Upon receiving # the ServerHello, clients MUST check that the cipher suite supplied in # the ServerHello is the same as that in the HelloRetryRequest and # otherwise abort the handshake with an "illegal_parameter" alert. # # In addition, in its updated ClientHello, the client SHOULD NOT offer # any pre-shared keys associated with a hash other than that of the # selected cipher suite. This allows the client to avoid having to # compute partial hash transcripts for multiple hashes in the second # ClientHello. # # The value of selected_version in the HelloRetryRequest # "supported_versions" extension MUST be retained in the ServerHello, # and a client MUST abort the handshake with an "illegal_parameter" # alert if the value changes. [[spec]] level = "MUST" quote = ''' The server's extensions MUST contain "supported_versions". ''' [[spec]] level = "SHOULD" quote = ''' Additionally, it SHOULD contain the minimal set of extensions necessary for the client to generate a correct ClientHello pair. ''' [[spec]] level = "MUST" quote = ''' As with the ServerHello, a HelloRetryRequest MUST NOT contain any extensions that were not first offered by the client in its ClientHello, with the exception of optionally the "cookie" (see Section 4.2.2) extension. ''' [[spec]] level = "MUST" quote = ''' Upon receipt of a HelloRetryRequest, the client MUST check the legacy_version, legacy_session_id_echo, cipher_suite, and legacy_compression_method as specified in Section 4.1.3 and then process the extensions, starting with determining the version using "supported_versions". ''' [[spec]] level = "MUST" quote = ''' Clients MUST abort the handshake with an "illegal_parameter" alert if the HelloRetryRequest would not result in any change in the ClientHello. ''' [[spec]] level = "MUST" quote = ''' If a client receives a second HelloRetryRequest in the same connection (i.e., where the ClientHello was itself in response to a HelloRetryRequest), it MUST abort the handshake with an "unexpected_message" alert. ''' [[spec]] level = "MUST" quote = ''' Otherwise, the client MUST process all extensions in the HelloRetryRequest and send a second updated ClientHello. ''' [[spec]] level = "MUST" quote = ''' A client which receives a cipher suite that was not offered MUST abort the handshake. ''' [[spec]] level = "MUST" quote = ''' Servers MUST ensure that they negotiate the same cipher suite when receiving a conformant updated ClientHello (if the server selects the cipher suite as the first step in the negotiation, then this will happen automatically). ''' [[spec]] level = "MUST" quote = ''' Upon receiving the ServerHello, clients MUST check that the cipher suite supplied in the ServerHello is the same as that in the HelloRetryRequest and otherwise abort the handshake with an "illegal_parameter" alert. ''' [[spec]] level = "SHOULD" quote = ''' In addition, in its updated ClientHello, the client SHOULD NOT offer any pre-shared keys associated with a hash other than that of the selected cipher suite. ''' [[spec]] level = "MUST" quote = ''' The value of selected_version in the HelloRetryRequest "supported_versions" extension MUST be retained in the ServerHello, and a client MUST abort the handshake with an "illegal_parameter" alert if the value changes. ''' [[spec]] level = "MUST" quote = ''' The value of selected_version in the HelloRetryRequest "supported_versions" extension MUST be retained in the ServerHello, and a client MUST abort the handshake with an "illegal_parameter" alert if the value changes. '''