Don't retry from retry (#616)

* Don't retry from retry * Explain why you shouldn't retry * Clarifyretry behavior * Clarifyretry behavior * Fix long line
tlswg · Aug 5, 2024 · ba609f6 · ba609f6
1 parent b7e217f
commit ba609f6
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/draft-ietf-tls-esni.md b/draft-ietf-tls-esni.md
@@ -886,8 +886,12 @@ initiated in response to a "retry_config".  Sending a "retry_config"
 in this situation is a signal that the server is misconfigured, e.g.,
 the server might have multiple inconsistent configurations so that the
 client reached a node with configuration A in the first connection and
-a node with configuration B in the second. If a client does not retry,
-it MUST report an error to the calling application.
+a node with configuration B in the second. Note that this guidance
+does not apply to the cases in the previous paragraph where the server
+has securely disabled ECH.
+
+If a client does not retry, it MUST report an error to the calling
+application.
 
 ### Authenticating for the Public Name {#auth-public-name}