SSL Labs test version intolerance does not always work #385
Labels
Comments
|
Handshake fails after client key exchange, change cipher spec stage. Should SSL Labs test for complete handshake? As we only check for the response serverhello - which seems appropriate in this case.
|
|
Yes, I think so. It seems this is a different problem, perhaps not intolerance, but a bug somewhere in the TLS stack. Still, the result is the same. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
[Submitted on behalf of @hannob]
As you may know I'm currently trying to tackle the issue of TLS version intolerance. While the SSL Labs test has a check for version intolerance it doesn't always work.
Pages where this happens are e.g.:
For all of them the test shows "Version Intolerance: No", yet one can't establish a successful connection with an 1.3 handshake. (Please note: sometimes the www and the non-www-version behave differently.)
It seems the handshake here fails later on, your test probably only checks for the first serverhello.
You can test this with chrome canary, which already has preliminary 1.3 support. Install a current version of canary, go to chrome://flags and set "Maximum TLS version enabled" to "TLS 1.3".
The text was updated successfully, but these errors were encountered: