!!! Overview
[{$pagename}] describes a Step within the [TLS Handshake] process.

The [TLS] [{$pagename}]

!! [TLS 1.3]
The [server] will send this message in response to a [ClientHello] message if it is able to find an acceptable set of parameters and the [ClientHello] contains sufficient information to proceed with the [TLS Handshake].

   Structure of this message:
%%prettify 
{{{
struct {
    ProtocolVersion version;
    Random random;
    CipherSuite cipher_suite;
    Extension extensions<6..2^16-1>;
} ServerHello;
}}} /%
version - This field contains the version of [TLS] negotiated for this connection. [Servers] [MUST] select a version from the list in the [ClientHello]'s [supported_versions] extension, or otherwise negotiate [TLS 1.2] or earlier. A [client] that receives a version that was not offered [MUST] abort the [TLS Handshake]. In the draft this text is taken from, the value sent for [TLS 1.3] is 0x0304 (see Appendix D of the specification for backward compatibility). Note that the published [RFC 8446] changed this layout: the first field became legacy_version, fixed to 0x0303, the negotiated version 0x0304 is instead carried in a [supported_versions] extension of the [ServerHello], and the message gained legacy_session_id_echo and legacy_compression_method fields so that it still parses as a [TLS 1.2] [ServerHello] on the wire.

random - 32 bytes generated by a secure random number generator (see Appendix C of the specification). The last eight [bytes] [MUST] be overwritten with the downgrade marker described below if the server negotiates [TLS 1.2] or below. This value is generated by the [server] and [MUST] be generated independently of the [ClientHello].random.

[cipher_suite] - The single [cipher Suite] selected by the [server] from the list in [ClientHello].[cipher_suites].  A [client] which receives a [Cipher Suite] that was not offered [MUST] abort the [TLS Handshake].

[extensions|TLS extension] - A list of [extensions|TLS extension]. The [ServerHello] [MUST] only include [extensions|TLS extension] which are required to establish the [cryptographic] context. In this draft the only such [extensions|TLS extension] are "[key_share|KeyShare]" and "[pre_shared_key]". All [TLS 1.3] [ServerHello] messages therefore contain __one of these two [extensions|TLS extension]__, or both when a [PSK] is used together with (EC)DHE key establishment. (The published [RFC 8446] additionally requires every [TLS 1.3] [ServerHello] to carry the [supported_versions] extension, since that is where the negotiated version is announced.)
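The client-side checks listed for these fields (version and cipher suite must have been offered, a TLS 1.3 ServerHello carries only the key-establishment extensions) can be worked through on the wire format quoted above. The following is an added example written for this page, not code from the specification or from any TLS library; it serialises and parses the draft layout shown in the struct (not the final RFC 8446 layout), and the extension code points, sample random and sample key_share payload are assumptions chosen for illustration.

```python
"""Encode/decode the draft ServerHello layout quoted above and apply the
client checks the text requires. Added example; not code from the page,
the TLS specification or any TLS implementation."""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
# Extension code points as registered for RFC 8446 (assumed here).
EXT_PRE_SHARED_KEY = 41
EXT_KEY_SHARE = 51


def build_server_hello(version, random32, cipher_suite, extensions):
    """Serialise version(2) || random(32) || cipher_suite(2) ||
    extensions<6..2^16-1>. `extensions` is a list of (type, data) pairs."""
    if len(random32) != 32:
        raise ValueError("random must be exactly 32 bytes")
    body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    if not 6 <= len(body) <= 0xFFFF:
        raise ValueError("extensions vector must be 6..65535 bytes")
    return (struct.pack(">H", version) + random32
            + struct.pack(">H", cipher_suite)
            + struct.pack(">H", len(body)) + body)


def parse_server_hello(data):
    """Decode the same layout, enforcing every length bound so a truncated
    or padded message is rejected instead of being misread."""
    if len(data) < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack(">H", data[0:2])
    random32 = data[2:34]
    cipher_suite, ext_len = struct.unpack(">HH", data[34:38])
    if ext_len < 6 or 38 + ext_len != len(data):
        raise ValueError("extensions length violates <6..2^16-1> or message size")
    extensions = {}
    pos, end = 38, 38 + ext_len
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_data_len = struct.unpack(">HH", data[pos:pos + 4])
        if pos + 4 + ext_data_len > end:
            raise ValueError("truncated extension body")
        if ext_type in extensions:
            raise ValueError("duplicate extension %d" % ext_type)
        extensions[ext_type] = data[pos + 4:pos + 4 + ext_data_len]
        pos += 4 + ext_data_len
    return {"version": version, "random": random32,
            "cipher_suite": cipher_suite, "extensions": extensions}


def check_server_hello(sh, offered_versions, offered_suites):
    """Client-side MUST checks from the text. Raises ValueError with the
    reason the handshake has to be aborted; returns the message if OK."""
    if sh["version"] not in offered_versions:
        raise ValueError("server selected a version the client did not offer")
    if sh["cipher_suite"] not in offered_suites:
        raise ValueError("server selected a cipher suite the client did not offer")
    if sh["version"] == TLS13:
        allowed = {EXT_KEY_SHARE, EXT_PRE_SHARED_KEY}
        present = set(sh["extensions"])
        if not present & allowed:
            raise ValueError("TLS 1.3 ServerHello lacks key_share and pre_shared_key")
        if present - allowed:
            raise ValueError("TLS 1.3 ServerHello carries an extension not needed "
                             "for the cryptographic context")
    return sh


if __name__ == "__main__":
    # Constructed sample: TLS 1.3 selected with suite 0x1301 and a dummy
    # key_share payload (group 0x001d, 2-byte placeholder key exchange).
    msg = build_server_hello(TLS13, bytes(range(32)), 0x1301,
                             [(EXT_KEY_SHARE, b"\x00\x1d\x00\x02\xaa\xbb")])
    sh = check_server_hello(parse_server_hello(msg), {TLS12, TLS13}, {0x1301, 0x1302})
    print("accepted: version=%#06x cipher_suite=%#06x" % (sh["version"], sh["cipher_suite"]))
```

The parser deliberately rejects an extensions vector shorter than six bytes, which is what the `<6..2^16-1>` bound in the struct means: a TLS 1.3 ServerHello with no key_share or pre_shared_key is malformed at the encoding level, not just at the policy level.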

[TLS 1.3] has a downgrade protection mechanism embedded in the server's random value.  [TLS 1.3] [servers] which negotiate [TLS 1.2] or below in response to a [ClientHello] [MUST] set the last eight bytes of their Random value specially.

If negotiating [TLS 1.2], [TLS 1.3] [servers] [MUST] set the last eight bytes of their Random value to the bytes:
%%prettify 
{{{
44 4F 57 4E 47 52 44 01
}}} /%

If negotiating [TLS 1.1] or below, [TLS 1.3] [servers] [MUST] and [TLS 1.2] servers [SHOULD] set the last eight bytes of their Random value to the [bytes]:
%%prettify 
{{{
44 4F 57 4E 47 52 44 00
}}} /%

[TLS 1.3] clients receiving a [TLS 1.2] or below [ServerHello] [MUST] check that the last eight bytes are not equal to either of these values.

[TLS 1.2] [clients] [SHOULD] also check that the last eight bytes are not equal to the [TLS 1.1]-or-below marker (44 4F 57 4E 47 52 44 00) if the [ServerHello] indicates [TLS 1.1] or below. If a match is found, the [client] [MUST] abort the [TLS Handshake] with an "[illegal_parameter]" [TLS Alert Message]. This mechanism provides limited protection against downgrade attacks over and above that provided by the Finished exchange: because the [ServerKeyExchange] message, present in [TLS 1.2] and below, includes a signature over both random values, an active attacker cannot modify the random values (and so cannot strip the marker) without detection as long as ephemeral ciphers are used. It does not provide downgrade protection when static [RSA] key exchange is used, because no signature then covers the server random.

Note: This is a change from [RFC 5246], so in practice many [TLS 1.2] [clients] and [servers] will not behave as specified above.
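The server-side marker rules and the two client checks above can be exercised end to end. The following is an added example written for this page, not code from the specification or from any TLS library; the version constants, the injectable random source and the `simulate` helper (which models an attacker capping the version offered in the ClientHello, and nothing else) are assumptions made for illustration.

```python
"""Downgrade-protection marker in the ServerHello random: generation on the
server and the check on the client, as the text specifies. Added example;
not code from the page, the TLS specification or any TLS implementation."""
import os

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304

# The two eight-byte markers quoted above: "DOWNGRD" followed by 0x01 / 0x00.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")


def server_random(negotiated, server_max=TLS13, rng=os.urandom):
    """32-byte Random for a server whose highest supported version is
    `server_max` after negotiating `negotiated`. `rng` is injectable only
    so the result can be checked deterministically."""
    r = bytearray(rng(32))
    if server_max >= TLS13:
        if negotiated == TLS12:
            r[24:] = DOWNGRADE_TLS12       # TLS 1.3 server negotiating 1.2: MUST
        elif negotiated < TLS12:
            r[24:] = DOWNGRADE_TLS11       # TLS 1.3 server negotiating <=1.1: MUST
    elif server_max == TLS12 and negotiated < TLS12:
        r[24:] = DOWNGRADE_TLS11           # TLS 1.2 server negotiating <=1.1: SHOULD
    return bytes(r)


def client_downgrade_alert(negotiated, random32, client_max=TLS13):
    """Return "illegal_parameter" if the client must abort, else None."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    tail = random32[24:]
    if client_max >= TLS13 and negotiated < TLS13:
        # A TLS 1.3 client rejects either marker in a pre-1.3 ServerHello.
        if tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
            return "illegal_parameter"
    elif client_max == TLS12 and negotiated < TLS12:
        # A TLS 1.2 client only knows the TLS 1.1-or-below marker.
        if tail == DOWNGRADE_TLS11:
            return "illegal_parameter"
    return None


def simulate(client_max, server_max, attacker_caps_at=None, rng=os.urandom):
    """Negotiate min(offered, server_max), where an active attacker may cap
    the version the ClientHello offers. Returns (negotiated, alert)."""
    offered = client_max if attacker_caps_at is None else min(client_max, attacker_caps_at)
    negotiated = min(offered, server_max)
    rnd = server_random(negotiated, server_max, rng)
    return negotiated, client_downgrade_alert(negotiated, rnd, client_max)


if __name__ == "__main__":
    cases = [
        ("1.3 client, 1.3 server, no attacker", TLS13, TLS13, None),
        ("1.3 client, 1.3 server, attacker caps at 1.2", TLS13, TLS13, TLS12),
        ("1.3 client, genuine 1.2-only server", TLS13, TLS12, None),
        ("1.2 client, 1.2 server, attacker caps at 1.1", TLS12, TLS12, TLS11),
    ]
    for label, cmax, smax, cap in cases:
        ver, alert = simulate(cmax, smax, cap)
        print("%-48s negotiated=%#06x alert=%s" % (label, ver, alert))
```

The third case is the important one for operators: a TLS 1.3 client talking to a server that genuinely tops out at TLS 1.2 sees no marker and proceeds, so the mechanism only fires when the server itself knew it could have done better. The simulation does not model an attacker rewriting the server random, because the text explains why that is caught separately by the ServerKeyExchange signature with ephemeral ciphers (and not caught with static RSA).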

A [client] performing [TLS Renegotiation] under [TLS 1.2] or earlier that receives a [TLS 1.3] [ServerHello] during that renegotiation [MUST] abort the [TLS Handshake] with a "[protocol_version]" [TLS Alert Message]. Note that [TLS Renegotiation] is only possible when a version prior to [TLS 1.3] has been negotiated; [TLS 1.3] removed it.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]