commit df0891d894144cdb65e24b6a41ef028b65331a01
author Kazuho Oku <kazuhooku@gmail.com> Tue Nov 22 13:43:41 2022 +0900
committer Kazuho Oku <kazuhooku@gmail.com> Tue Nov 22 13:43:41 2022 +0900
tree 7f29f3b43b7eae969cd8fb27667339f5a444f644
parent a9ac00779b78f16c793db0819aec3c17a5940fc4

CHinner MUST NOT offer tls 1.2 or below

lib/picotls.c

diff --git a/lib/picotls.c b/lib/picotls.c
index 8f4200b..fabd26c 100644
--- a/lib/picotls.c
+++ b/lib/picotls.c
@@ -3730,8 +3730,12 @@
     if (is_second_flight && !ptls_mem_equal(ch->random_bytes, prev_random, PTLS_HELLO_RANDOM_SIZE))
         return PTLS_ALERT_HANDSHAKE_FAILURE;
 
-    /* bail out if CH cannot be handled as TLS 1.3, providing the application the raw CH and SNI, to help them fallback */
+    /* bail out if CH cannot be handled as TLS 1.3 */
     if (!is_supported_version(ch->selected_version)) {
+        /* ECH: server MUST abort with an "illegal_parameter" alert if the client offers TLS 1.2 or below (draft-15 7.1) */
+        if (ech_is_inner_ch)
+            return PTLS_ALERT_ILLEGAL_PARAMETER;
+        /* fail with PROTOCOL_VERSION alert, after providing the applications the raw CH and SNI to help them fallback */
         if (!is_second_flight && ctx->on_client_hello != NULL) {
             ptls_on_client_hello_parameters_t params = {
                 .server_name = ch->server_name,