Some extension points are offered by the server and selected by the client. This section details client and server behavior around GREASE values for these.
When sending a CertificateRequest in TLS 1.3, a server MAY behave as follows:

*  A server MAY select one or more GREASE extension values and advertise them as extensions with varying length and contents.

*  A server MAY select one or more GREASE signature algorithm values and advertise them in the "signature_algorithms" or "signature_algorithms_cert" extensions, if present.
When sending a NewSessionTicket message in TLS 1.3, a server MAY select one or more GREASE extension values and advertise them as extensions with varying length and contents.
Servers MUST reject GREASE values when negotiated by the client. In particular, the server MUST fail the connection if a GREASE value appears in any of the following:

*  Any Certificate extension in TLS 1.3

*  The signature algorithm in a client CertificateVerify signature
Note that this can be implemented without special processing on the server. The server is already required to reject unknown client-selected values, so it may leave GREASE values as unknown and reuse the existing logic.
When processing a CertificateRequest or NewSessionTicket, clients MUST NOT treat GREASE values differently from any unknown value. Clients MUST NOT negotiate any GREASE value when offered by the server. Clients MUST correctly ignore unknown values offered by the server and attempt to negotiate with one of the remaining parameters. (There may not be any known parameters remaining, in which case parameter negotiation will fail.)
Note that these requirements are restatements or corollaries of existing client requirements in TLS.
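The following is an added worked example, not code from this document or from any TLS implementation, covering both the server behavior (advertising GREASE values in a CertificateRequest and rejecting them when the client echoes one back) and the client behavior (ignoring unknown values and negotiating with what remains) described above. It models only the extension and signature-algorithm fields of a TLS 1.3 CertificateRequest as Python dictionaries and lists rather than wire format. The GREASE code points follow the 0xXAXA pattern assigned in Section 2 of this document; the genuine SignatureScheme and ExtensionType numbers used are the RFC 8446 assignments. The server-side and client-side algorithm lists, the TLSAlert class and all function names are assumptions made for the illustration.

```python
"""Toy model of GREASE at a server-initiated extension point (the TLS 1.3
CertificateRequest).  Added illustration only: not code from RFC 8701 or
from any TLS library.  GREASE values follow the 0xXAXA pattern of RFC 8701
Section 2; the real SignatureScheme and ExtensionType numbers are the
RFC 8446 assignments.  Algorithm lists and names below are assumptions."""
import random

# The 16 GREASE values 0x0A0A, 0x1A1A, ..., 0xFAFA (the same code points
# are reserved in both the ExtensionType and SignatureScheme registries).
GREASE_VALUES = [(((n << 4) | 0x0A) << 8) | ((n << 4) | 0x0A) for n in range(16)]

# RFC 8446 assignments used below.
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
ED25519 = 0x0807
EXT_SIGNATURE_ALGORITHMS = 0x000D

# Assumed capabilities of the two peers (illustration only).
SERVER_SIG_ALGS = [ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256, ED25519]
CLIENT_SIG_ALGS = [ED25519, ECDSA_SECP256R1_SHA256]  # client preference order
CLIENT_KNOWN_EXTENSIONS = {EXT_SIGNATURE_ALGORITHMS}


class TLSAlert(Exception):
    """Stand-in for sending an alert and aborting the handshake."""


def is_grease(value: int) -> bool:
    return value in GREASE_VALUES


# ---- server side -----------------------------------------------------------

def build_certificate_request(rng=random.SystemRandom()):
    """Return a CertificateRequest's extensions as {ExtensionType: body}.

    Advertises the real signature algorithms plus one GREASE signature
    algorithm at a random position, and one GREASE extension whose length
    and contents vary from handshake to handshake."""
    sig_algs = list(SERVER_SIG_ALGS)
    sig_algs.insert(rng.randrange(len(sig_algs) + 1), rng.choice(GREASE_VALUES))
    grease_ext_type = rng.choice(GREASE_VALUES)
    grease_body = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 9)))
    return {EXT_SIGNATURE_ALGORITHMS: sig_algs, grease_ext_type: grease_body}


def server_check_certificate_verify(scheme: int) -> None:
    """Validate the SignatureScheme the client used in CertificateVerify.

    There is no GREASE-specific branch: the server accepts only algorithms
    it actually implements, so a GREASE value, like any other unknown
    value, falls through to the existing rejection path."""
    if scheme not in SERVER_SIG_ALGS:
        raise TLSAlert("illegal_parameter")


# ---- client side -----------------------------------------------------------

def client_process_certificate_request(extensions) -> int:
    """Pick the SignatureScheme for the client's CertificateVerify.

    Unknown extension types are skipped and unknown SignatureSchemes are
    never selected; GREASE values receive no special treatment at all."""
    offered = None
    for ext_type, body in extensions.items():
        if ext_type not in CLIENT_KNOWN_EXTENSIONS:
            continue  # ignore unknown extensions, GREASE ones included
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            offered = body
    if offered is None:
        raise TLSAlert("missing_extension")  # TLS 1.3 requires it here
    for scheme in CLIENT_SIG_ALGS:  # first known scheme that was offered wins
        if scheme in offered:
            return scheme
    raise TLSAlert("handshake_failure")  # no known parameters remain


def handshake_round_trip(rng=random.SystemRandom()) -> int:
    """Server builds the request, client chooses, server verifies the choice."""
    chosen = client_process_certificate_request(build_certificate_request(rng))
    server_check_certificate_verify(chosen)
    return chosen


if __name__ == "__main__":
    print(hex(handshake_round_trip()))
```

Passing a seeded `random.Random` instance instead of the default `SystemRandom` makes a run reproducible, which is useful when testing that the GREASE extension and signature algorithm really do land in varying positions with varying bodies. The point to notice is that neither `server_check_certificate_verify` nor `client_process_certificate_request` consults `is_grease`: both peers handle GREASE values purely through their ordinary unknown-value logic, which is exactly what the text above asks for.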