aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/doc
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/doc')
-rw-r--r--lib/ssl/doc/src/notes.xml96
-rw-r--r--lib/ssl/doc/src/standards_compliance.xml450
2 files changed, 332 insertions, 214 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 29bf5fc4e7..c7a0942932 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,37 @@
</header>
<p>This document describes the changes made to the SSL application.</p>
+<section><title>SSL 9.3.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix handling of certificate decoding problems in TLS 1.3
+ similarly as in TLS 1.2.</p>
+ <p>
+ Own Id: OTP-15900</p>
+ </item>
+ <item>
+ <p>
+ Hibernation now works as expected in all cases, was
+ accidently broken by optimization efforts.</p>
+ <p>
+ Own Id: OTP-15910</p>
+ </item>
+ <item>
+ <p>
+ Fix interoperability problems with openssl when the TLS
+ 1.3 server is configured wirh the option
+ signature_algs_cert.</p>
+ <p>
+ Own Id: OTP-15913</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 9.3.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
@@ -179,6 +210,71 @@
</section>
+<section><title>SSL 9.2.3.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Hibernation now works as expected in all cases, was
+ accidently broken by optimization efforts.</p>
+ <p>
+ Own Id: OTP-15910</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 9.2.3.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct handshake handling, might cause strange symptoms
+ such as ASN.1 certificate decoding issues.</p>
+ <p>
+ Own Id: OTP-15879 Aux Id: ERL-968 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 9.2.3.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Returned "alert error string" is now same as logged alert
+ string</p>
+ <p>
+ Own Id: OTP-15844</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 9.2.3.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Correct solution for retaining tcp flow control OTP-15802
+ (ERL-934) as to not break ssl:recv as reported in
+ (ERL-938)</p>
+ <p>
+ Own Id: OTP-15823 Aux Id: ERL-934, ERL-938 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>SSL 9.2.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/doc/src/standards_compliance.xml b/lib/ssl/doc/src/standards_compliance.xml
index ca98385f85..9df48b99d3 100644
--- a/lib/ssl/doc/src/standards_compliance.xml
+++ b/lib/ssl/doc/src/standards_compliance.xml
@@ -126,29 +126,28 @@
<section>
<title>TLS 1.3</title>
- <p>OTP-22 introduces basic support for TLS 1.3 on the server side. Basic functionality
+ <p>OTP-22 introduces basic support for TLS 1.3. Basic functionality
covers a simple TLS 1.3 handshake with support of the mandatory extensions
(supported_groups, signature_algorithms, key_share, supported_versions and
- signature_algorithms_cert). The server supports a selective set of cryptographic algorithms:</p>
+ signature_algorithms_cert). The current implementation supports a selective set of cryptographic algorithms:</p>
<list type="bulleted">
<item>Key Exchange: ECDHE</item>
<item>Groups: all standard groups supported for the Diffie-Hellman key exchange</item>
<item>Ciphers: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_CCM_SHA256</item>
- <item>Signature Algorithms: RSA and RSA PSS</item>
- <item>Certificates: currently only certificates with RSA keys are supported</item>
+ <item>Signature Algorithms: rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
+ ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
+ rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha1 and ecdsa_sha1</item>
+ <item>Certificates: RSA (it MUST use the rsaEncryption OID) and ECDSA keys</item>
</list>
<p>Other notable features:</p>
<list type="bulleted">
- <item>The server supports the HelloRetryRequest mechanism</item>
<item>PSK and session resumption not supported</item>
<item>Early data and 0-RTT not supported</item>
<item>Key and Initialization Vector Update not supported</item>
</list>
<p>For more detailed information see the
<seealso marker="#soc_table">Standards Compliance</seealso> below.</p>
- <warning><p>Note that the client side is not yet functional. It is planned to be released
- later in OTP-22.</p></warning>
<p> The following table describes the current state of standards compliance for TLS 1.3.</p>
<p>(<em>C</em> = Compliant, <em>NC</em> = Non-Compliant, <em>PC</em> = Partially-Compliant,
@@ -176,25 +175,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection mechanism</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">RSASSA-PSS signature schemes</cell>
<cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (ClientHello) extension</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert extension</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -211,7 +210,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">(EC)DHE</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -295,8 +294,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -319,14 +318,14 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_groups (RFC7919)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -343,8 +342,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">application_layer_protocol_negotiation (RFC7301)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -373,8 +372,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -403,8 +402,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -427,8 +426,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -459,13 +458,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_groups (RFC7919)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -482,8 +481,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">application_layer_protocol_negotiation (RFC7301)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -513,7 +512,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -543,7 +542,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -567,7 +566,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -577,20 +576,20 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -601,8 +600,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -615,13 +614,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Version downgrade protection</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -633,7 +632,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -650,7 +649,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">key_share (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -662,7 +661,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">supported_versions (RFC8446)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -672,8 +671,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -706,62 +705,62 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp256r1_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp384r1_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp521r1_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -796,14 +795,14 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_sha1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -816,55 +815,55 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha512</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp256r1_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp384r1_sha384</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_secp521r1_sha512</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pss_rsae_sha512</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -900,13 +899,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">rsa_pkcs1_sha1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ecdsa_sha1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -967,68 +966,68 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp256r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp384r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">secp521r1</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">x25519</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">x448</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe2048</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe3072</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe4096</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe6144</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">ffdhe8192</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -1105,8 +1104,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1224,8 +1223,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1362,8 +1361,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1374,8 +1373,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1398,8 +1397,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -1417,8 +1416,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1441,8 +1440,8 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">signature_algorithms_cert (RFC8446)</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1463,8 +1462,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1521,73 +1520,82 @@
4.4.2.2. Server Certificate Selection
</url>
</cell>
- <cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate type MUST be X.509v3</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The certificate type MUST be X.509v3, unless explicitly
+ negotiated otherwise</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate's public key is compatible</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The server's end-entity certificate's public key (and associated
+ restrictions) MUST be compatible with the selected authentication
+ algorithm from the client's "signature_algorithms" extension
+ (currently RSA, ECDSA, or EdDSA).</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing
+ with a signature scheme indicated in the client's "signature_algorithms"/"signature_algorithms_cert"
+ extensions</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">server_name and certificate_authorities are used</cell>
+ <cell align="left" valign="middle">The "server_name" and "certificate_authorities"
+ extensions are used to guide certificate selection. As servers
+ MAY require the presence of the "server_name" extension, clients
+ SHOULD send this extension, when applicable.</cell>
<cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"></cell>
</row>
<row>
- <cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle"><em>Server</em></cell>
+ <cell align="left" valign="middle">
+ <url href="https://tools.ietf.org/html/rfc8446#section-4.4.2.3">
+ 4.4.2.3. Client Certificate Selection
+ </url>
+ </cell>
+ <cell align="left" valign="middle"><em></em></cell>
<cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate type MUST be X.509v3</cell>
+ <cell align="left" valign="middle">The certificate type MUST be X.509v3, unless explicitly
+ negotiated otherwise</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">certificate's public key is compatible</cell>
- <cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle">If the "certificate_authorities" extension in the
+ CertificateRequest message was present, at least one of the
+ certificates in the certificate chain SHOULD be issued by one of
+ the listed CAs.</cell>
+ <cell align="left" valign="middle"><em>NC</em></cell>
+ <cell align="left" valign="middle"><em></em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">The certificate MUST allow the key to be used for signing</cell>
+ <cell align="left" valign="middle">The certificates MUST be signed using an acceptable signature
+ algorithm</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">server_name and certificate_authorities are used</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
- </row>
-
- <row>
- <cell align="left" valign="middle">
- <url href="https://tools.ietf.org/html/rfc8446#section-4.4.2.3">
- 4.4.2.3. Client Certificate Selection
- </url>
- </cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle">If the CertificateRequest message contained a non-empty
+ "oid_filters" extension, the end-entity certificate MUST match the
+ extension OIDs that are recognized by the client</cell>
<cell align="left" valign="middle"><em>NC</em></cell>
<cell align="left" valign="middle"><em></em></cell>
</row>
@@ -1599,8 +1607,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1616,8 +1624,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1633,8 +1641,8 @@
</url>
</cell>
<cell align="left" valign="middle"><em>Client</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -1738,25 +1746,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT be interleaved with other record types</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT span key changes</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST NOT send zero-length fragments</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Alert messages MUST NOT be fragmented</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1807,7 +1815,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">The padding sent is automatically verified</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -1950,51 +1958,51 @@
</url>
</cell>
<cell align="left" valign="middle"><em></em></cell>
- <cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST implement the TLS_AES_128_GCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD implement the TLS_AES_256_GCM_SHA384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD implement the TLS_CHACHA20_POLY1305_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>Digital signatures</em></cell>
- <cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle"><em>22</em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support rsa_pkcs1_sha256 (for certificates)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support rsa_pss_rsae_sha256 (for CertificateVerify and certificates)</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support ecdsa_secp256r1_sha256</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -2007,13 +2015,13 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">MUST support key exchange with secp256r1</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">SHOULD support key exchange with X25519</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
@@ -2030,7 +2038,7 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Supported Versions</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2042,25 +2050,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Signature Algorithms</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Signature Algorithms Certificate</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Negotiated Groups</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">Key Share</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2072,32 +2080,32 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>MUST send and use these extensions</em></cell>
- <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>PC</em></cell>
<cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"supported_versions" is REQUIRED for ClientHello, ServerHello and HelloRetryRequest</cell>
- <cell align="left" valign="middle"><em>PC</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"signature_algorithms" is REQUIRED for certificate authentication</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"supported_groups" is REQUIRED for ClientHello messages using (EC)DHE key exchange</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">"key_share" is REQUIRED for (EC)DHE key exchange</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
@@ -2115,20 +2123,20 @@
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>TLS 1.3 ClientHello</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">If not containing a "pre_shared_key" extension, it MUST contain both a "signature_algorithms" extension and a "supported_groups" extension.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
@@ -2151,30 +2159,44 @@
</url>
</cell>
<cell align="left" valign="middle"><em></em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle"><em>MUST correctly handle extensible fields</em></cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"><em></em></cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A client sending a ClientHello MUST support all parameters advertised in it.</cell>
- <cell align="left" valign="middle"><em>NC</em></cell>
- <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle">A client sending a ClientHello MUST support all parameters
+ advertised in it. Otherwise, the server may fail to interoperate by selecting one of those parameters.</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A middlebox which terminates a TLS connection MUST behave as a compliant TLS server</cell>
+ <cell align="left" valign="middle">A server receiving a ClientHello MUST correctly ignore all
+ unrecognized cipher suites, extensions, and other parameters. Otherwise, it may fail to
+ interoperate with newer clients. In TLS 1.3, a client receiving a CertificateRequest or
+ NewSessionTicket MUST also ignore all unrecognized extensions.</cell>
+ <cell align="left" valign="middle"><em>C</em></cell>
+ <cell align="left" valign="middle"><em>22.1</em></cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle"></cell>
+ <cell align="left" valign="middle">A middlebox which terminates a TLS connection MUST behave as a
+ compliant TLS server</cell>
<cell align="left" valign="middle"><em>NA</em></cell>
<cell align="left" valign="middle"></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
- <cell align="left" valign="middle">A middlebox which forwards ClientHello parameters it does not understand MUST NOT process any messages beyond that ClientHello.</cell>
+ <cell align="left" valign="middle">A middlebox which forwards ClientHello parameters it does not
+ understand MUST NOT process any messages beyond that ClientHello. It MUST forward all subsequent
+ traffic unmodified. Otherwise, it may fail to interoperate with newer clients and servers.</cell>
<cell align="left" valign="middle"><em>NA</em></cell>
<cell align="left" valign="middle"></cell>
</row>
@@ -2193,25 +2215,25 @@
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_128_GCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_256_GCM_SHA384</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_CHACHA20_POLY1305_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
<cell align="left" valign="middle">TLS_AES_128_CCM_SHA256</cell>
<cell align="left" valign="middle"><em>C</em></cell>
- <cell align="left" valign="middle">22</cell>
+ <cell align="left" valign="middle"><em>22</em></cell>
</row>
<row>
<cell align="left" valign="middle"></cell>
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-25 01:24:30 +0000