0

TLS 1.3 has somewhat different handshake messages than 1.2 (and older) had. The client is supposed to send DH parameters directly in the first Client Hello message. How do browsers know if that's what they should do? What if the server supports 1.2 tops and it doesn't talk 1.3?

mnj
  • 3
    The protocol is backwards compatible, i.e. the server ignores the stuff it does not understand and continues with TLS 1.2 – Steffen Ullrich Apr 12 '22 at 11:01
  • 1
    @mnj The browser is the client and so it acts first. If it wants to use TLS 1.3 it puts 0x0304 in the "supported_versions" extension and it puts 0x0303 in the legacy_version field. See my answer for more details. – hft Apr 12 '22 at 20:34

2 Answers

4

TLS 1.3 is indeed backwards compatible with TLS 1.2 and below. If a client were to initiate a TLS 1.3 handshake, the server supporting only up to 1.2 would understand some of the ClientHello - enough to reply that it only supports 1.2 (and possibly below).

The ServerHello would then indicate this lower version. The client can then decide whether to downgrade to 1.2 or abort the handshake.

3

The browser is the client, and so it acts first.

If the client wants to use TLS 1.3 it will send a ClientHello with the "legacy_version" set to 0x0303 (which means TLS 1.2 not TLS 1.3) and a "supported_versions" extension with 0x0304 (which means TLS 1.3) indicated as the highest supported version.

This is described in RFC 8446, Section 4.1.2. Here is an excerpt from that section:

TLS 1.3 ClientHellos are identified as having a legacy_version of 0x0303 and a supported_versions extension present with 0x0304 as the highest version indicated therein. (See Appendix D for details about backward compatibility.)

See also, this excerpt from RFC 8446 Appendix D.1 "Negotiating with an Older Server" (emphasis added):

A TLS 1.3 client who wishes to negotiate with servers that do not support TLS 1.3 will send a normal TLS 1.3 ClientHello containing 0x0303 (TLS 1.2) in ClientHello.legacy_version but with the correct version(s) in the "supported_versions" extension. If the server does not support TLS 1.3, it will respond with a ServerHello containing an older version number. If the client agrees to use this version, the negotiation will proceed as appropriate for the negotiated protocol.

hft
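The version fields discussed in the answers above, as an added example that is not part of either answer: it parses a ClientHello body for legacy_version and the "supported_versions" extension (type 43), then shows what a server that ignores the extension picks versus one that understands it. The function names are hypothetical, and the ClientHello is a constructed, minimal sample (zeroed random, no key_share) used only for parsing.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type (RFC 8446, Section 4.2.1)

def build_client_hello(versions):
    """Constructed, minimal ClientHello body (no key_share etc.), for parsing only."""
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(sv)) + sv
    return (struct.pack("!H", 0x0303)          # legacy_version: always TLS 1.2
            + bytes(32)                        # random (zeroed sample value)
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # cipher_suites: one suite
            + b"\x01\x00"                      # legacy_compression_methods: null
            + struct.pack("!H", len(ext)) + ext)

def parse_client_hello(body):
    """Return (legacy_version, versions listed in supported_versions)."""
    (legacy,) = struct.unpack_from("!H", body, 0)
    pos = 2 + 32                               # skip legacy_version and random
    pos += 1 + body[pos]                       # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                       # legacy_compression_methods
    versions = []
    if pos + 2 <= len(body):                   # an extensions block follows
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        if end > len(body):
            raise ValueError("extensions block is truncated")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == SUPPORTED_VERSIONS:
                data = body[pos + 1 : pos + 1 + body[pos]]
                versions = [v for (v,) in struct.iter_unpack("!H", data)]
            pos += ext_len                     # every other extension is skipped
    return legacy, versions

def server_select(body, server_versions, knows_supported_versions):
    """Version the server would put in its ServerHello, or None if nothing is shared."""
    legacy, offered = parse_client_hello(body)
    if knows_supported_versions and offered:
        common = set(offered) & set(server_versions)
    else:  # older server: extension ignored, legacy_version is the client's ceiling
        common = {v for v in server_versions if v <= legacy}
    return max(common) if common else None

SAMPLE = build_client_hello([0x0304, 0x0303])  # client offers TLS 1.3 and 1.2
```

Intersecting the offered list with the server's list, rather than taking the numerically highest offered value, also keeps unknown version values in the extension from being selected.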