[gnutls-devel] GnuTLS | gnutls doesn't fallback to TLS1.2 automatically (#1053)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Aug 25 11:48:15 CEST 2020

Daiki Ueno commented:
Apologies for the delay. It seems that the GnuTLS client is sending TLSPlaintext with the legacy_record_version set to TLS 1.0. This is okay for the first Client Hello, but after Hello Retry Request the field must be set to TLS 1.2, according to the RFC:
```
   legacy_record_version:  MUST be set to 0x0303 for all records
      generated by a TLS 1.3 implementation other than an initial
      ClientHello (i.e., one not generated after a HelloRetryRequest),
      where it MAY also be 0x0301 for compatibility purposes.
```
If I manually modify the version in a GDB session (in `copy_record_version` in record.c), the command works as expected.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1053#note_401589913
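As an added illustration of the rule quoted above (example code, not GnuTLS code and not part of this thread), the following C function checks the legacy_record_version of an outgoing TLSPlaintext record against RFC 8446 section 5.1. The `after_hrr` flag is assumed to be state the caller maintains (set once a HelloRetryRequest has been received); the record bytes in the comments are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Values from RFC 8446: record content type, handshake message type, and
 * the two legacy_record_version values relevant to this check. */
#define TLS_CT_HANDSHAKE        22
#define TLS_HS_CLIENT_HELLO      1
#define TLS_VERSION_TLS10   0x0301
#define TLS_VERSION_TLS12   0x0303
#define TLS_RECORD_HDR_LEN       5

/* Result codes for the version check. */
enum tls_lrv_result {
    TLS_LRV_OK = 0,            /* version is acceptable for this record */
    TLS_LRV_TRUNCATED = -1,    /* fewer than 5 header bytes supplied */
    TLS_LRV_BAD_VERSION = -2   /* wrong legacy_record_version for this record */
};

/* Check the legacy_record_version of one outgoing record.
 * `rec` points at the 5-byte record header followed by the fragment
 * (type(1) | version(2) | length(2) | fragment...).
 * `after_hrr` is non-zero once a HelloRetryRequest has been received; this
 * is caller-kept state assumed by the example, not something on the page.
 * Rule: 0x0303 is always acceptable; 0x0301 is acceptable only for an
 * initial ClientHello, i.e. a handshake record whose fragment starts with a
 * ClientHello and which is not being sent after a HelloRetryRequest. */
int tls_check_legacy_record_version(const uint8_t *rec, size_t len, int after_hrr)
{
    if (len < TLS_RECORD_HDR_LEN)
        return TLS_LRV_TRUNCATED;

    uint8_t  type     = rec[0];
    uint16_t version  = (uint16_t)((rec[1] << 8) | rec[2]);
    uint16_t frag_len = (uint16_t)((rec[3] << 8) | rec[4]);

    if (version == TLS_VERSION_TLS12)
        return TLS_LRV_OK;

    if (version == TLS_VERSION_TLS10) {
        /* Only an initial ClientHello may still carry 0x0301. */
        int initial_client_hello =
            type == TLS_CT_HANDSHAKE &&
            frag_len >= 1 && len >= TLS_RECORD_HDR_LEN + 1 &&
            rec[TLS_RECORD_HDR_LEN] == TLS_HS_CLIENT_HELLO &&
            !after_hrr;
        return initial_client_hello ? TLS_LRV_OK : TLS_LRV_BAD_VERSION;
    }

    return TLS_LRV_BAD_VERSION;
}
```

The second assertion in a test of this function is exactly the case from the report: a ClientHello resent after HelloRetryRequest that still carries 0x0301 is rejected, while the same record with 0x0303 passes.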

