<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=utf-8" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<div>

<p dir="auto">Thank you Robert for bringing that up. Is that the issue we discussed at: <a href="https://github.com/tomato42/tlsfuzzer/issues/398" rel="nofollow noreferrer noopener" target="_blank">https://github.com/tomato42/tlsfuzzer/issues/398</a></p>

<p dir="auto">If yes, I think my reply to that is still relevant, and I'm not sure we want to address it. Quoting below</p>

<blockquote dir="auto">

<p>To add some context this test is about the <a href="https://tools.ietf.org/html/rfc8446#section-4.1.2" rel="nofollow noreferrer noopener" target="_blank">https://tools.ietf.org/html/rfc8446#section-4.1.2</a> requirement:</p>

</blockquote>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">   The client will also send a </span>

<span id="LC2" class="line" lang="plaintext">   ClientHello when the server has responded to its ClientHello with a</span>

<span id="LC3" class="line" lang="plaintext">   HelloRetryRequest.  In that case, the client MUST send the same</span>

<span id="LC4" class="line" lang="plaintext">   ClientHello without modification, except as follows:</span>

<span id="LC5" class="line" lang="plaintext"></span>

<span id="LC6" class="line" lang="plaintext">   -  If a "key_share" extension was supplied in the HelloRetryRequest,</span>

<span id="LC7" class="line" lang="plaintext">      replacing the list of shares with a list containing a single</span>

<span id="LC8" class="line" lang="plaintext">      KeyShareEntry from the indicated group.</span>

<span id="LC9" class="line" lang="plaintext"></span>

<span id="LC10" class="line" lang="plaintext">   -  Removing the "early_data" extension (Section 4.2.10) if one was</span>

<span id="LC11" class="line" lang="plaintext">      present.  Early data is not permitted after a HelloRetryRequest.</span>

<span id="LC12" class="line" lang="plaintext"></span>

<span id="LC13" class="line" lang="plaintext">   -  Including a "cookie" extension if one was provided in the</span>

<span id="LC14" class="line" lang="plaintext">      HelloRetryRequest.</span>

<span id="LC15" class="line" lang="plaintext"></span>

<span id="LC16" class="line" lang="plaintext">   -  Updating the "pre_shared_key" extension if present by recomputing</span>

<span id="LC17" class="line" lang="plaintext">      the "obfuscated_ticket_age" and binder values and (optionally)</span>

<span id="LC18" class="line" lang="plaintext">      removing any PSKs which are incompatible with the server's</span>

<span id="LC19" class="line" lang="plaintext">      indicated cipher suite.</span>

<span id="LC20" class="line" lang="plaintext"></span>

<span id="LC21" class="line" lang="plaintext">   -  Optionally adding, removing, or changing the length of the</span>

<span id="LC22" class="line" lang="plaintext">      "padding" extension [RFC7685].</span>

<span id="LC23" class="line" lang="plaintext"></span>

<span id="LC24" class="line" lang="plaintext">   -  Other modifications that may be allowed by an extension defined in</span>

<span id="LC25" class="line" lang="plaintext">      the future and present in the HelloRetryRequest.</span></code></pre>

<blockquote dir="auto">

<p>So that's a nice test to verify whether the server enforces that behavior (like tlslite-ng), but since the MUST is on the client to follow the rules, and not on the server to enforce, both behaviors look acceptable.</p>

</blockquote>

</div>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/617#note_117126565">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/4ed838f91a31584b9aae26c9ce0355d7/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/617#note_117126565"}}</script>

</p>

</div>

</body>

</html>