Handshake succeeds with TLS 1.2 in violation of RFC 9001 #85

@Srinut22

Summary

kwik completes a QUIC handshake when the client offers only TLS 1.2 (0x0303) in the supported_versions extension. This appears to violate RFC 9001, which requires at least TLS 1.3 for QUIC.

Details

In this test, the client modifies the following field:

supported_versions = [0x0303] // TLS 1.2

Expected behaviour:
  • The server must reject the handshake, since TLS 1.3 is required for QUIC.
Observed behaviour:
  • The handshake succeeds.

We differentially tested 13 other QUIC implementations (quic-go, quiche, msquic, etc.), which all fail the handshake under the same conditions.

RFC 9001

Clients MUST NOT offer TLS versions older than 1.3. A badly configured TLS implementation could negotiate TLS 1.2 or another older version of TLS. An endpoint MUST terminate the connection if a version of TLS older than 1.3 is negotiated.

Notes

This behaviour suggests that kwik may not be enforcing the TLS 1.3 requirement during version negotiation.

Happy to provide additional information/packet traces if helpful.
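
The server-side check that the quoted RFC 9001 text calls for, as an added example (not code from kwik or from the issue author): it parses the `supported_versions` extension of a ClientHello and returns the QUIC error code to close with when TLS 1.3 is not offered. The function names, the constructed sample bytes, and the choice of the `protocol_version` and `decode_error` alerts (mapped to CRYPTO_ERROR as 0x0100 + alert) are assumptions of this example.

```python
import struct

EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446, section 4.2.1
TLS13 = 0x0304
CRYPTO_ERROR_BASE = 0x0100        # RFC 9001, section 4.8: 0x0100 + TLS alert
ALERT_DECODE_ERROR = 50
ALERT_PROTOCOL_VERSION = 70


def offered_versions(extensions: bytes):
    """Return the versions listed in supported_versions, or None if absent.

    `extensions` is the concatenated extension entries of a ClientHello
    (each: 2-byte type, 2-byte length, data), without the outer length.
    Raises ValueError on truncated or malformed input.
    """
    pos, found = 0, None
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        pos += 4
        data = extensions[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        pos += ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS:
            # ClientHello form: 1-byte list length, then 2-byte versions.
            if ext_len < 3 or data[0] != ext_len - 1 or data[0] % 2:
                raise ValueError("malformed supported_versions")
            found = list(struct.unpack(f"!{data[0] // 2}H", data[1:]))
    return found


def quic_version_check(extensions: bytes):
    """Return None to continue, or the QUIC error code to close with."""
    try:
        versions = offered_versions(extensions)
    except ValueError:
        return CRYPTO_ERROR_BASE + ALERT_DECODE_ERROR
    # An absent extension means the client speaks TLS 1.2 or older.
    if versions is None or TLS13 not in versions:
        return CRYPTO_ERROR_BASE + ALERT_PROTOCOL_VERSION
    return None


# Constructed inputs: the issue's case, and a client that offers TLS 1.3.
TLS12_ONLY = bytes.fromhex("002b0003020303")
TLS13_OFFER = bytes.fromhex("002b00050403040303")
```

With the constructed `TLS12_ONLY` bytes, which carry the `[0x0303]` list from the report, the check returns 0x0146 instead of letting the handshake proceed.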
