From 7b3af46c4093bf9da07f2599b7e54dd22c241028 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 10 Mar 2026 15:40:00 +0100 Subject: [PATCH] tls13_hrr_then_tls12_second_client_hello: Improve some comments Signed-off-by: Ronald Cron --- tests/suites/test_suite_ssl.function | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 67388da72c..d8c97f3f59 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6045,7 +6045,8 @@ void tls13_hrr_then_tls12_second_client_hello() * Prepare for handshake with the ticket. */ /* Remove the group SECP256R1 from the list of groups supported by the - * server such that it sends an HRR in response to the ClientHello. + * server. Since it is the client's preferred group, the client will + * send a key share only for SECP256R1, forcing the server to send a HRR. */ server_options.group_list = group_list + 1; @@ -6096,10 +6097,12 @@ void tls13_hrr_then_tls12_second_client_hello() #endif /* - * Reset the client and force it to TLS 1.2 so that it sends a TLS 1.2 - * ClientHello. + * The client has just received the server's HRR and is expected to send a + * second ClientHello. Instead of sending a compliant second TLS 1.3 + * ClientHello, we want it to send a TLS 1.2-only ClientHello. To achieve + * this, we reset the client with a TLS 1.2-only configuration before + * resuming the handshake with the server. */ - client_ep.ssl.tls_version = MBEDTLS_SSL_VERSION_TLS1_2; mbedtls_ssl_conf_min_tls_version(&client_ep.conf, MBEDTLS_SSL_VERSION_TLS1_2); mbedtls_ssl_conf_max_tls_version(&client_ep.conf, MBEDTLS_SSL_VERSION_TLS1_2);