On Fri, Jun 7, 2024 at 6:34 PM Syed Suleman Ahmad
>
> So far we have seen that HRR incompatibility is NOT related to the choice
> of keyshare, or whether the first Client Hello fits in a single packet or
> not. It is simply lack of HRR support.
>
While the aggregate stats are good to check, what
Hi folks,
Adding a bit more color to the original discussion.
We, at Cloudflare, have been scanning our customer's origin servers [1] for
TLS 1.3 key exchange algorithm support. As part of this effort (motivation:
measuring post-quantum readiness), we also send empty or unknown keyshare
in the Cl
On Thu, Jun 6, 2024, at 23:21, Nick Harper wrote:
> On Wed, Jun 5, 2024 at 6:25 AM Peter Gutmann
> wrote:
>> There are embedded TLS 1.3 implementations [*] that, presumably for space/
>> complexity reasons and possibly also for attack surface reduction, only
>> support the MTI algorithms (AES, SH
On Wed, Jun 5, 2024 at 6:25 AM Peter Gutmann
wrote:
> Martin Thomson writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and possi
On Wed, Jun 5, 2024 at 6:24 AM Peter Gutmann wrote:
>
> Martin Thomson writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and poss
On Tue, Jun 4, 2024 at 8:36 AM Bob Beck
wrote:
>
>
> On Tue, Jun 4, 2024 at 7:24 AM Martin Thomson wrote:
>
>> On Mon, Jun 3, 2024, at 14:34, Bas Westerbaan wrote:
>> > [...] We're scanning origins so that we can send a
>> > supported keyshare immediately and avoid HRR (not rolled out yet.)
>> >
Joseph Birr-Pixton writes:
>That is not a correct interpretation, in my opinion. Offering a key_share for
>every MTI key exchange is not required, because:
>
>> Clients MAY send an empty client_shares vector in order to request
>> group selection from the server, at the cost of an additional
On Wed, 5 Jun 2024 at 14:24, Peter Gutmann
wrote:
> Martin Thomson writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and possibl
Martin Thomson writes:
>Are you saying that there are TLS 1.3 implementations out there that don't
>send HRR when they should?
There are embedded TLS 1.3 implementations [*] that, presumably for space/
complexity reasons and possibly also for attack surface reduction, only
support the MTI algori
On Tue, Jun 4, 2024 at 7:24 AM Martin Thomson wrote:
> On Mon, Jun 3, 2024, at 14:34, Bas Westerbaan wrote:
> > [...] We're scanning origins so that we can send a
> > supported keyshare immediately and avoid HRR (not rolled out yet.)
> > That's not just for performance, but also to deal with orig
10 matches
Mail list logo
