aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc/src
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc/src')
-rw-r--r--lib/ssl/doc/src/notes.xml49
-rw-r--r--lib/ssl/doc/src/standards_compliance.xml408
2 files changed, 263 insertions, 194 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 29bf5fc4e7..f320b4c006 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -179,6 +179,55 @@
</section>
+<section><title>SSL 9.2.3.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct handshake handling, might cause strange symptoms
+ such as ASN.1 certificate decoding issues.</p>
+ <p>
+ Own Id: OTP-15879 Aux Id: ERL-968 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 9.2.3.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Returned "alert error string" is now same as logged alert
+ string</p>
+ <p>
+ Own Id: OTP-15844</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 9.2.3.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct solution for retaining tcp flow control OTP-15802
+ (ERL-934) as to not break ssl:recv as reported in
+ (ERL-938)</p>
+ <p>
+ Own Id: OTP-15823 Aux Id: ERL-934, ERL-938 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 9.2.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/doc/src/standards_compliance.xml b/lib/ssl/doc/src/standards_compliance.xml
index ca98385f85..3a472d4776 100644
--- a/lib/ssl/doc/src/standards_compliance.xml
+++ b/lib/ssl/doc/src/standards_compliance.xml
@@ -126,10 +126,10 @@
<section>
<title>TLS 1.3</title>
- <p>OTP-22 introduces basic support for TLS 1.3 on the server side. Basic functionality
+ <p>OTP-22 introduces basic support for TLS 1.3. Basic functionality
covers a simple TLS 1.3 handshake with support of the mandatory extensions
(supported_groups, signature_algorithms, key_share, supported_versions and
- signature_algorithms_cert). The server supports a selective set of cryptographic algorithms:</p>
+ signature_algorithms_cert). The current implementation supports a selective set of cryptographic algorithms:</p>
<list type="bulleted">
<item>Key Exchange: ECDHE</item>
<item>Groups: all standard groups supported for the Diffie-Hellman key exchange</item>
@@ -140,15 +140,12 @@
</list>
<p>Other notable features:</p>
<list type="bulleted">
- <item>The server supports the HelloRetryRequest mechanism</item>
<item>PSK and session resumption not supported</item>
<item>Early data and 0-RTT not supported</item>
<item>Key and Initialization Vector Update not supported</item>
</list>
<p>For more detailed information see the
<seealso marker="#soc_table">Standards Compliance</seealso> below.</p>
- <warning><p>Note that the client side is not yet functional. It is planned to be released
- later in OTP-22.</p></warning>
<p> The following table describes the current state of standards compliance for TLS 1.3.</p>
<p>(<em>C</em> = Compliant, <em>NC</em> = Non-Compliant, <em>PC</em> = Partially-Compliant,
@@ -176,25 +173,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection mechanism</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">RSASSA-PSS signature schemes</cell>
<cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (ClientHello) extension</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert extension</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -211,7 +208,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">(EC)DHE</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -295,8 +292,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -319,14 +316,14 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_groups (RFC7919)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -343,8 +340,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">application_layer_protocol_negotiation (RFC7301)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -373,8 +370,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -403,8 +400,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -427,8 +424,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -459,13 +456,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_groups (RFC7919)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -482,8 +479,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">application_layer_protocol_negotiation (RFC7301)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -513,7 +510,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -543,7 +540,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -567,7 +564,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -577,20 +574,20 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -601,8 +598,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -615,13 +612,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -633,7 +630,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -650,7 +647,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -662,7 +659,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -672,8 +669,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -706,26 +703,26 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -748,20 +745,20 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -796,14 +793,14 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_sha1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -816,19 +813,19 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha512</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -852,19 +849,19 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha512</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -900,13 +897,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_sha1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -967,68 +964,68 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp256r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp384r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp521r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">x25519</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">x448</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe2048</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe3072</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe4096</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe6144</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe8192</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -1105,8 +1102,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1224,8 +1221,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1362,8 +1359,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1374,8 +1371,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1398,8 +1395,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -1417,8 +1414,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1441,8 +1438,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1463,8 +1460,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1521,73 +1518,82 @@
4.4.2.2. Server Certificate Selection
</url>
</cell>
- <cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate type MUST be X.509v3</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The certificate type MUST be X.509v3, unless explicitly
+ negotiated otherwise</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate's public key is compatible</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The server's end-entity certificate's public key (and associated
+ restrictions) MUST be compatible with the selected authentication
+ algorithm from the client's "signature_algorithms" extension
+ (currently RSA, ECDSA, or EdDSA).</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing
+ with a signature scheme indicated in the client's "signature_algorithms"/"signature_algorithms_cert"
+ extensions</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">server_name and certificate_authorities are used</cell>
+ <cell align="left" valign="middle">The "server_name" and "certificate_authorities"
+ extensions are used to guide certificate selection. As servers
+ MAY require the presence of the "server_name" extension, clients
+ SHOULD send this extension, when applicable.</cell>
<cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"></cell>
</row>
<row>
- <cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle"><em>Server</em></cell>
+ <cell align="left" valign="middle">
+ <url href="https://tools.ietf.org/html/rfc8446#section-4.4.2.3">
+ 4.4.2.3. Client Certificate Selection
+ </url>
+ </cell>
+ <cell align="left" valign="middle"><em></em></cell>
<cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate type MUST be X.509v3</cell>
+ <cell align="left" valign="middle">The certificate type MUST be X.509v3, unless explicitly
+ negotiated otherwise</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate's public key is compatible</cell>
- <cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle">If the "certificate_authorities" extension in the
+ CertificateRequest message was present, at least one of the
+ certificates in the certificate chain SHOULD be issued by one of
+ the listed CAs.</cell>
+ <cell align="left" valign="middle"><em>NC</em></cell>
+ <cell align="left" valign="middle"><em></em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing</cell>
+ <cell align="left" valign="middle">The certificates MUST be signed using an acceptable signature
+ algorithm</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">server_name and certificate_authorities are used</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
- </row>
-
- <row>
- <cell align="left" valign="middle">
- <url href="https://tools.ietf.org/html/rfc8446#section-4.4.2.3">
- 4.4.2.3. Client Certificate Selection
- </url>
- </cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">If the CertificateRequest message contained a non-empty
+ "oid_filters" extension, the end-entity certificate MUST match the
+ extension OIDs that are recognized by the client</cell>
<cell align="left" valign="middle"><em>NC</em></cell>
<cell align="left" valign="middle"><em></em></cell>
</row>
@@ -1599,8 +1605,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1616,8 +1622,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1633,8 +1639,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1738,25 +1744,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT be interleaved with other record types</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT span key changes</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT send zero-length fragments</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Alert messages MUST NOT be fragmented</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1807,7 +1813,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">The padding sent is automatically verified</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1957,19 +1963,19 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST implement the TLS_AES_128_GCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD implement the TLS_AES_256_GCM_SHA384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD implement the TLS_CHACHA20_POLY1305_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1982,13 +1988,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support rsa_pkcs1_sha256 (for certificates)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support rsa_pss_rsae_sha256 (for CertificateVerify and certificates)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2007,13 +2013,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support key exchange with secp256r1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD support key exchange with X25519</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -2030,7 +2036,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Supported Versions</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2042,25 +2048,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Signature Algorithms</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Signature Algorithms Certificate</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Negotiated Groups</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Key Share</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2072,32 +2078,32 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>MUST send and use these extensions</em></cell>
- <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
<cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"supported_versions" is REQUIRED for ClientHello, ServerHello and HelloRetryRequest</cell>
- <cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"signature_algorithms" is REQUIRED for certificate authentication</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"supported_groups" is REQUIRED for ClientHello messages using (EC)DHE key exchange</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"key_share" is REQUIRED for (EC)DHE key exchange</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2115,20 +2121,20 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>TLS 1.3 ClientHello</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">If not containing a "pre_shared_key" extension, it MUST contain both a "signature_algorithms" extension and a "supported_groups" extension.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -2151,30 +2157,44 @@
</url>
</cell>
<cell align="left" valign="middle"><em></em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>MUST correctly handle extensible fields</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A client sending a ClientHello MUST support all parameters advertised in it.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle">A client sending a ClientHello MUST support all parameters
+ advertised in it. Otherwise, the server may fail to interoperate by selecting one of those parameters.</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A middlebox which terminates a TLS connection MUST behave as a compliant TLS server</cell>
+ <cell align="left" valign="middle">A server receiving a ClientHello MUST correctly ignore all
+ unrecognized cipher suites, extensions, and other parameters. Otherwise, it may fail to
+ interoperate with newer clients. In TLS 1.3, a client receiving a CertificateRequest or
+ NewSessionTicket MUST also ignore all unrecognized extensions.</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle">A middlebox which terminates a TLS connection MUST behave as a
+ compliant TLS server</cell>
<cell align="left" valign="middle"><em>NA</em></cell>
<cell align="left" valign="middle"></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A middlebox which forwards ClientHello parameters it does not understand MUST NOT process any messages beyond that ClientHello.</cell>
+ <cell align="left" valign="middle">A middlebox which forwards ClientHello parameters it does not
+ understand MUST NOT process any messages beyond that ClientHello. It MUST forward all subsequent
+ traffic unmodified. Otherwise, it may fail to interoperate with newer clients and servers.</cell>
<cell align="left" valign="middle"><em>NA</em></cell>
<cell align="left" valign="middle"></cell>
</row>
@@ -2193,25 +2213,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_128_GCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_256_GCM_SHA384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_CHACHA20_POLY1305_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_128_CCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>