tls13_hrr_then_tls12_second_client_hello: Improve some comments

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-05-11 06:28:17 +02:00 · 2026-03-10 15:40:00 +01:00
parent a76e7c65bc
commit 7b3af46c40
1 changed files with 7 additions and 4 deletions
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -6045,7 +6045,8 @@ void tls13_hrr_then_tls12_second_client_hello()
     * Prepare for handshake with the ticket.
     */
    /* Remove the group SECP256R1 from the list of groups supported by the
-     * server such that it sends an HRR in response to the ClientHello.
+     * server. Since it is the client's preferred group, the client will
+     * send a key share only for SECP256R1, forcing the server to send a HRR.
     */
    server_options.group_list = group_list + 1;

@@ -6096,10 +6097,12 @@ void tls13_hrr_then_tls12_second_client_hello()
    #endif

    /*
-     * Reset the client and force it to TLS 1.2 so that it sends a TLS 1.2
-     * ClientHello.
+     * The client has just received the server's HRR and is expected to send a
+     * second ClientHello. Instead of sending a compliant second TLS 1.3
+     * ClientHello, we want it to send a TLS 1.2-only ClientHello. To achieve
+     * this, we reset the client with a TLS 1.2-only configuration before
+     * resuming the handshake with the server.
     */
-
    client_ep.ssl.tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
    mbedtls_ssl_conf_min_tls_version(&client_ep.conf, MBEDTLS_SSL_VERSION_TLS1_2);
    mbedtls_ssl_conf_max_tls_version(&client_ep.conf, MBEDTLS_SSL_VERSION_TLS1_2);