Overview#

ServerHello describes a Step within the TLS Handshake process.

The TLS ServerHello

TLS 1.3#

The server will send this message in response to a ClientHello message if it is able to find an acceptable set of parameters and the ClientHello contains sufficient information to proceed with the TLS Handshake.

Structure of this message:

struct {
    ProtocolVersion version;
    Random random;
    CipherSuite cipher_suite;
    Extension extensions<6..2^16-1>;
} ServerHello;

version - This field contains the version of TLS negotiated for this connection. Servers MUST select a version from the list in ClientHello's supported_versions extension, or otherwise negotiate TLS 1.2 or previous. A client that receives a version that was not offered MUST abort the TLS Handshake. For this version of the specification, the version is 0x0304. (See Appendix D for details about backward compatibility.)

random - 32 bytes generated by a secure random number generator. See Appendix C for additional information. The last eight bytes MUST be overwritten as described below if negotiating TLS 1.2 or TLS 1.1. This structure is generated by the server and MUST be generated independently of the ClientHello.random.

cipher_suite - The single Cipher Suite selected by the server from the list in ClientHello.cipher_suites. A client which receives a Cipher Suite that was not offered MUST abort the TLS Handshake.

extensions - A list of extensions. The ServerHello MUST only include extensions which are required to establish the cryptographic context. Currently the only such extensions are "key_share" and "pre_shared_key". All current TLS 1.3 ServerHello messages will contain one of these two extensions, or both when using a PSK with (EC)DHE key establishment.

TLS 1.3 has a downgrade protection mechanism embedded in the server's random value. TLS 1.3 servers which negotiate TLS 1.2 or below in response to a ClientHello MUST set the last eight bytes of their Random value specially.

If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes of their Random value to the bytes:

44 4F 57 4E 47 52 44 01

If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2 servers SHOULD set the last eight bytes of their Random value to the bytes:

44 4F 57 4E 47 52 44 00

TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check that the last eight bytes are not equal to either of these values.

TLS 1.2 clients SHOULD also check that the last eight bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below. If a match is found, the client MUST abort the handshake with an "illegal_parameter" alert. This mechanism provides limited protection against downgrade attacks over and above that provided by the Finished exchange: because the ServerKeyExchange, a message present in TLS 1.2 and below, includes a signature over both random values, it is not possible for an active attacker to modify the random values without detection as long as ephemeral ciphers are used. It does not provide downgrade protection when static RSA is used.
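The following is an added worked example, not code from this wiki or from any TLS library. It serialises and parses a ServerHello laid out exactly as the struct given above (a TLS 1.3 draft layout; the later RFC 8446 adds legacy_session_id_echo and legacy_compression_method fields, and a TLS 1.2 ServerHello on the wire also carries session_id and compression_method), and it implements both halves of the downgrade sentinel rule: the server overwriting the last eight bytes of its random, and the client check that must end in an illegal_parameter alert. The check takes the version and random fields directly, so it applies whichever ServerHello layout produced them. The extension codepoint 51 (key_share) and cipher suite 0x1301 are RFC 8446 values; the extension payload is a constructed placeholder.

```python
"""Added illustration of the ServerHello struct and the downgrade sentinel described above."""
import os
import struct

# TLS version codepoints.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# The two eight-byte sentinels from the page: "DOWNGRD" followed by 0x01 or 0x00.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")


class DowngradeDetected(Exception):
    """Raised when the client must abort with an illegal_parameter alert."""


def server_random(highest_supported: int, negotiated: int) -> bytes:
    """Server side: 32 bytes from a CSPRNG, generated independently of ClientHello.random,
    with the last eight overwritten by a sentinel when a newer server negotiates an older version."""
    rnd = bytearray(os.urandom(32))
    if highest_supported == TLS13 and negotiated == TLS12:
        rnd[24:] = DOWNGRADE_TLS12
    elif highest_supported >= TLS12 and negotiated <= TLS11:
        rnd[24:] = DOWNGRADE_TLS11  # MUST for TLS 1.3 servers, SHOULD for TLS 1.2 servers
    return bytes(rnd)


def check_downgrade(client_highest: int, negotiated: int, random: bytes) -> bool:
    """Client side: return True if the random is acceptable, raise DowngradeDetected if a
    sentinel shows the negotiated version is lower than what the server supports."""
    if len(random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    tail = random[24:]
    if client_highest >= TLS13 and negotiated <= TLS12 and tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        raise DowngradeDetected("illegal_parameter")
    if client_highest == TLS12 and negotiated <= TLS11 and tail == DOWNGRADE_TLS11:
        raise DowngradeDetected("illegal_parameter")
    return True


def build_server_hello(version: int, random: bytes, cipher_suite: int, extensions) -> bytes:
    """Serialise the struct as written on the page: version, random, cipher_suite, extensions<6..2^16-1>."""
    if len(random) != 32:
        raise ValueError("random must be 32 bytes")
    ext_bytes = b"".join(struct.pack("!HH", etype, len(data)) + data for etype, data in extensions)
    if not 6 <= len(ext_bytes) <= 0xFFFF:
        raise ValueError("extensions<6..2^16-1> length constraint violated")
    return struct.pack("!H", version) + random + struct.pack("!HH", cipher_suite, len(ext_bytes)) + ext_bytes


def parse_server_hello(body: bytes) -> dict:
    """Inverse of build_server_hello; rejects truncated, over-long or malformed input."""
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack_from("!H", body, 0)
    random = body[2:34]
    cipher_suite, ext_len = struct.unpack_from("!HH", body, 34)
    if ext_len < 6 or 38 + ext_len != len(body):
        raise ValueError("bad extensions vector length")
    extensions, pos = [], 38
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + elen > len(body):
            raise ValueError("truncated extension body")
        extensions.append((etype, body[pos:pos + elen]))
        pos += elen
    return {"version": version, "random": random, "cipher_suite": cipher_suite, "extensions": extensions}


if __name__ == "__main__":
    KEY_SHARE = 51  # key_share codepoint per RFC 8446; payload below is a constructed placeholder
    hello = build_server_hello(TLS13, server_random(TLS13, TLS13), 0x1301, [(KEY_SHARE, bytes(8))])
    parsed = parse_server_hello(hello)
    print("parsed version 0x%04x, cipher suite 0x%04x" % (parsed["version"], parsed["cipher_suite"]))
    # A TLS 1.3 client handed a TLS 1.2 ServerHello whose random carries the sentinel must abort.
    try:
        check_downgrade(TLS13, TLS12, server_random(TLS13, TLS12))
    except DowngradeDetected as alert:
        print("downgrade detected, aborting with", alert)
```

Note that check_downgrade deliberately does nothing when the negotiated version is TLS 1.3, and that a TLS 1.2 client only looks for the 0x00 sentinel when TLS 1.1 or below was negotiated, matching the SHOULD in the text.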

Note: This is a change from RFC 5246, so in practice many TLS 1.2 clients and servers will not behave as specified above.

A client that receives a TLS 1.3 ServerHello during TLS Renegotiation MUST abort the TLS Handshake with a "protocol_version" TLS Alert Message. Note that TLS Renegotiation is only possible when a version prior to TLS 1.3 has been negotiated.

More Information#

There might be more information for this subject on one of the following:

« This page (revision-3) was last changed on 07-Jun-2017 13:35 by jim