On 11/11/2019 20:51, Phil Neumiller wrote:
> Extension: ec_point_formats (len=4)
> Type: ec_point_formats (11)
> Length: 4
> EC point formats Length: 3
> Elliptic curves point formats (3)
> EC point format: uncompressed (0)
> EC point format: ansiX962_compressed_prime (1)
> EC point format: ansiX962_compressed_char2 (2)
> Extension: session_ticket (len=0)
> Type: session_ticket (35)
> Length: 0
> Data (0 bytes)
> Extension: encrypt_then_mac (len=0)
> Type: encrypt_then_mac (22)
> Length: 0
> Extension: extended_master_secret (len=0)
> Type: extended_master_secret (23)
> Length: 0

You don't need these four for TLSv1.3.

SSL_OP_NO_TICKET will turn off session_ticket.
SSL_OP_NO_ENCRYPT_THEN_MAC will turn off encrypt_then_mac.
SSL_OP_NO_EXTENDED_MASTER_SECRET will turn off extended_master_secret.

Don't switch off encrypt-then-mac or extended-master-secret unless you *really* need to. They don't do anything in TLSv1.3 but if you ever ended up negotiating TLSv1.2 by mistake for some reason then switching these things off has security consequences.

I think the only way to get rid of ec_point_formats would be to disable EC from being used completely. But, you need EC to be enabled in order to use TLSv1.3 (at least in 1.1.1 - in master it's different). So I don't think you can get rid of this extension.

But I'd really look at why your hardware is failing when these extensions are present. Is it intolerant of one particular extension? If so I'd just disable that one.

Matt
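
Added example, not part of the message above and not OpenSSL code: a small parser for a ClientHello extensions block that lists each extension present alongside the option the reply names for removing it, which helps when testing one extension at a time against intolerant hardware. The helper names (`parse_extensions`, `removal_plan`, `ext`) and the sample bytes are constructed for illustration; the sample mirrors the four extensions in the quoted dump.

```python
import struct

# Extension type -> (name, OpenSSL option the reply names for removing it).
# None: the reply names no option (ec_point_formats stays while EC is enabled).
KNOWN = {
    11: ("ec_point_formats", None),
    35: ("session_ticket", "SSL_OP_NO_TICKET"),
    22: ("encrypt_then_mac", "SSL_OP_NO_ENCRYPT_THEN_MAC"),
    23: ("extended_master_secret", "SSL_OP_NO_EXTENDED_MASTER_SECRET"),
}

def parse_extensions(block: bytes):
    """Parse a TLS extensions block: 2-byte total length, then repeated
    (2-byte type, 2-byte length, data). Returns a list of (type, data)."""
    if len(block) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length does not match block size")
    out, pos = [], 2
    while pos < len(block):
        if len(block) - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if ext_len > len(block) - pos:
            raise ValueError("extension data overruns block")
        out.append((ext_type, block[pos:pos + ext_len]))
        pos += ext_len
    return out

def removal_plan(block: bytes):
    """For each extension present, return (name, data length, option or None)."""
    plan = []
    for ext_type, data in parse_extensions(block):
        name, option = KNOWN.get(ext_type, (f"unknown_{ext_type}", None))
        plan.append((name, len(data), option))
    return plan

def ext(ext_type: int, data: bytes = b"") -> bytes:
    """Encode one extension (helper for building the constructed sample)."""
    return struct.pack("!HH", ext_type, len(data)) + data

# Constructed sample: the four extensions from the quoted dump, in order.
BODY = ext(11, bytes([3, 0, 1, 2])) + ext(35) + ext(22) + ext(23)
SAMPLE = struct.pack("!H", len(BODY)) + BODY

if __name__ == "__main__":
    for name, length, option in removal_plan(SAMPLE):
        print(f"{name:24} len={length}  {option or 'no option named'}")
```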