target = "https://tools.ietf.org/rfc/rfc8446#D"

# Appendix D.  Backward Compatibility
#
# The TLS protocol provides a built-in mechanism for version
# negotiation between endpoints potentially supporting different
# versions of TLS.
# 
# TLS 1.x and SSL 3.0 use compatible ClientHello messages.  Servers can
# also handle clients trying to use future versions of TLS as long as
# the ClientHello format remains compatible and there is at least one
# protocol version supported by both the client and the server.
# 
# Prior versions of TLS used the record layer version number
# (TLSPlaintext.legacy_record_version and
# TLSCiphertext.legacy_record_version) for various purposes.  As of
# TLS 1.3, this field is deprecated.  The value of
# TLSPlaintext.legacy_record_version MUST be ignored by all
# implementations.  The value of TLSCiphertext.legacy_record_version is
# included in the additional data for deprotection but MAY otherwise be
# ignored or MAY be validated to match the fixed constant value.
# Version negotiation is performed using only the handshake versions
# (ClientHello.legacy_version and ServerHello.legacy_version, as well
# as the ClientHello, HelloRetryRequest, and ServerHello
# "supported_versions" extensions).  In order to maximize
# interoperability with older endpoints, implementations that negotiate
# the use of TLS 1.0-1.2 SHOULD set the record layer version number to
# the negotiated version for the ServerHello and all records
# thereafter.
# 
# For maximum compatibility with previously non-standard behavior and
# misconfigured deployments, all implementations SHOULD support
# validation of certification paths based on the expectations in this
# document, even when handling prior TLS versions' handshakes (see
# Section 4.4.2.2).
# 
# TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627]
# extension which digested large parts of the handshake transcript into
# the master secret.  Because TLS 1.3 always hashes in the transcript
# up to the server Finished, implementations which support both TLS 1.3
# and earlier versions SHOULD indicate the use of the Extended Master
# Secret extension in their APIs whenever TLS 1.3 is used.

[[spec]]
level = "MUST"
quote = '''
The value of
TLSPlaintext.legacy_record_version MUST be ignored by all
implementations.
'''

[[spec]]
level = "MAY"
quote = '''
The value of TLSCiphertext.legacy_record_version is
included in the additional data for deprotection but MAY otherwise be
ignored or MAY be validated to match the fixed constant value.
'''

[[spec]]
level = "MAY"
quote = '''
The value of TLSCiphertext.legacy_record_version is
included in the additional data for deprotection but MAY otherwise be
ignored or MAY be validated to match the fixed constant value.
'''

[[spec]]
level = "SHOULD"
quote = '''
In order to maximize
interoperability with older endpoints, implementations that negotiate
the use of TLS 1.0-1.2 SHOULD set the record layer version number to
the negotiated version for the ServerHello and all records
thereafter.
'''

[[spec]]
level = "SHOULD"
quote = '''
For maximum compatibility with previously non-standard behavior and
misconfigured deployments, all implementations SHOULD support
validation of certification paths based on the expectations in this
document, even when handling prior TLS versions' handshakes (see
Section 4.4.2.2).
'''

[[spec]]
level = "SHOULD"
quote = '''
Because TLS 1.3 always hashes in the transcript
up to the server Finished, implementations which support both TLS 1.3
and earlier versions SHOULD indicate the use of the Extended Master
Secret extension in their APIs whenever TLS 1.3 is used.
'''