1. peterw+(OP) 2017-02-28 13:06:22
The fix should not have been reversion. The fix should have been a simple workaround that if the connection fails totally and no downgrade handshake attempt was made, make a new connection using 1.2 to start with, which would succeed and the connection opened. This would be equivalent to a downgrade handshake from 1.3 to 1.2 but without requiring all products support 1.3.
replies(1): >>dvorak+Dd
2. dvorak+Dd 2017-02-28 15:15:31
>>peterw+(OP)
The problem with this fix is that then as long as you have the fallback, the user gains none of the security properties of TLS 1.3 (since the attacker can always force a downgrade by sending junk to the client during the handshake) and has the additional cost of a second TLS negotiation.

While there was previously this "TLS fallback" implemented in Chrome to work around buggy endpoints, this was primarily due to buggy endpoints* which was a much larger issue and difficult to fix, while these middlebox issues affect a much smaller portion of users and we're hopeful that the middlebox vendors that have issues can fix their software in a more timely manner.

* TLS 1.3 moves the version negotiation into an extension, which means that old buggy servers will only ever know about TLS 1.2 and below for negotiation purposes and won't break in a new manner with TLS 1.3.

replies(1): >>peterw+Oz
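
Added example, not part of any comment in this thread: a Python sketch of the version negotiation described in the footnote above, where a ClientHello keeps 0x0303 (TLS 1.2) in its legacy version field and lists TLS 1.3 only in the supported_versions extension. The layout and extension number 43 follow the final RFC 8446 rather than the 2017 drafts under discussion; the helper names and the sample ClientHello are constructed for illustration.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type number from RFC 8446

def build_client_hello(legacy_version, versions):
    """Constructed sample: minimal ClientHello body, no record or handshake header."""
    exts = b""
    if versions:
        data = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(data)) + data
    return (struct.pack("!H", legacy_version) + bytes(32)  # legacy_version + random
            + b"\x00"                                      # empty session_id
            + struct.pack("!HH", 2, 0x1301)                # one cipher suite
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(exts)) + exts)

def parse_client_hello(body):
    """Return (legacy_version, supported_versions list); ValueError if malformed."""
    try:
        (legacy,) = struct.unpack_from("!H", body, 0)
        off = 2 + 32
        off += 1 + body[off]                               # skip session_id
        off += 2 + struct.unpack_from("!H", body, off)[0]  # skip cipher_suites
        off += 1 + body[off]                               # skip compression_methods
        versions = []
        if off == len(body):                               # ClientHello without extensions
            return legacy, versions
        end = off + 2 + struct.unpack_from("!H", body, off)[0]
        off += 2
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while off < end:
            etype, elen = struct.unpack_from("!HH", body, off)
            off += 4
            data = body[off:off + elen]
            if len(data) != elen:
                raise ValueError("truncated extension")
            if etype == SUPPORTED_VERSIONS:
                if len(data) < 3 or data[0] % 2 or data[0] != elen - 1:
                    raise ValueError("bad supported_versions list")
                versions = [v for (v,) in struct.iter_unpack("!H", data[1:])]
            off += elen
        return legacy, versions
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def highest_offered(body, understands_extension):
    """Highest version a server believes the client offers."""
    legacy, versions = parse_client_hello(body)
    return max(versions) if understands_extension and versions else legacy
```

A server that ignores the extension sees only 0x0303 in this model, while an extension-aware server sees 0x0304 in the same message.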
3. peterw+Oz 2017-02-28 17:43:29
>>dvorak+Dd
Am I not correct that 1.3 got backed out of Chrome for the current issue? So 1.3 isn't even there now... Which breaks anything that explicitly requires 1.3. My fix would support all cases and not break anything. Unless I missed something?
replies(1): >>cesarb+Pt1
4. cesarb+Pt1 2017-02-28 23:05:27
>>peterw+Oz
Nothing can require 1.3, since 1.3 isn't finished yet. They were doing interoperability testing with a draft version of TLS 1.3, and nobody should require a draft version of TLS 1.3 without having a fallback to TLS 1.2.