TLS 1.2 Handshake: Does the server have to take all extensions sent by the Client?

Question

I am unsure about how extensions are handled in TLS v1.2.

During the handshake, the client is able to add some extensions during ClientHello. As far I understood, the server can pick arbitrary subsets from this list in ServerHello similar to picking the cipher suite, which the client provided during ClientHello. Is this correct?

If not, is it that the server can either take all those extensions into account, or must abort the handshake? I am not sure which is true.

I was looking for an adequate answer here in RFC5246, but didn't really find the one statement I am looking for.

Answer 1

Yes, each extension defines what it means.

A server that has never heard about this extension (e.g. the server is old and the extension is new) just disregards it, and the client must be ready to deal with that (at worst, by breaking the connection after ServerHello, but usually by falling back to the behavior before the extension was defined).

The extension spec should say what the server should do if it sees it and doesn't want to support it and what it should do if it does want to support it.

For example, a client might decide to drop the connection if the server didn't use SNI to choose the cert (and indicated that by server_name extension in ServerHello), or a client might decide that OCSP stapling is required, or certificate transparency SCTs are required, or a client might decide to drop a connection if a CBC cipher suite was chosen and no agreement to do encrypt_then_mac was indicated by encrypt_then_mac in ServerHello. Or a server might drop connections from clients that don't send server_name.