Re: [TLS] Alert after sending ServerHello

On Wed, Apr 26, 2017 at 04:35:31PM +1000, Martin Thomson wrote: > You are allowed to out NSS. We know that it's not ideal. > > I wrote that code and it's unencrypted for what I think is a good > reason (others very much disagree). In part, it has to do with 0-RTT. > > In 0-RTT, we want to ensur

Re: [TLS] Issue #964: Shortened HKDF labels

On Wed, Apr 26, 2017 at 04:51:01PM +1000, Martin Thomson wrote: > Unsurprisingly, this was easy to implement. If anyone else is > tracking this closely, I can share a version of NSS that includes this > change (and pretends to be an implementation of -20). Not very hard, altough I had to do some

Re: [TLS] Alert after sending ServerHello

On 26 April 2017 at 17:19, Ilari Liusvaara wrote: > AFAIK, the only situations where client can abort sending 0-RTT data > is noticing lack of server EarlyData extension (so server isn't > listening anyway), or if the entiere handshake is aborted.. Doing it > in other situations leads to subtle ra

Re: [TLS] Alert after sending ServerHello

Ilari Liusvaara wrote: >> In effect, we assume that the entire flight is processed atomically >> and generate errors based on that. Only when the entire flight is >> processed cleanly do we install keys and respond. > > My implementation processes message-by-message. So it installs the > client h

Re: [TLS] Alert after sending ServerHello

On 26 April 2017 at 22:25, Martin Rex wrote: >> The code I was talking about was handling the special case that the >> server might receive either encrypted or unencrypted alert in response >> to its flight. And the difference it makes is just what error is >> declared as abort reason. > > Up to T

Re: [TLS] TLS RSA-PSS and various versions of TLS

Dr Stephen Henson wrote: > On 25/04/2017 15:36, Benjamin Kaduk wrote: >> >>RSASSA-PSS algorithms Indicates a signature algorithm using RSASSA- >> PSS [RFC3447 ] with mask >> generation function 1. The digest used in >> the mask generation fun

Re: [TLS] TLS RSA-PSS and various versions of TLS

On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote: > > Signatures on certificates are created by CAs, rather than TLS endpoints, > so any implementation that uses TLS protocol parameters (about TLS signature > algorithms) for more than a mere cert selection hint, is actively creating > in

Re: [TLS] [EXT] Re: Alert after sending ServerHello

Yes, I agree that the problem is error handling. I get that it is trivial to distinguish encrypted from unencrypted, but I would appreciate it if the spec could clarify the appropriate actions in the scenario where an unencrypted (non-appdata) record is received after keys have been installed i

Re: [TLS] Alert after sending ServerHello

On Wed, Apr 26, 2017 at 10:00:19PM +1000, Martin Thomson wrote: > On 26 April 2017 at 17:19, Ilari Liusvaara wrote: > > AFAIK, the only situations where client can abort sending 0-RTT data > > is noticing lack of server EarlyData extension (so server isn't > > listening anyway), or if the entiere

Re: [TLS] TLS RSA-PSS and various versions of TLS

On 26/04/2017 14:41, Ilari Liusvaara wrote: > On Wed, Apr 26, 2017 at 03:23:57PM +0200, Martin Rex wrote: >> >> The issue with RSA-PSS digital signatures is that they were defined >> with additional (unnecessary) parameters that are encoded (=hidden) in the >> ASN.1 AlgorithmIdentifier, and that ar

Re: [TLS] CertficateRequest extension encoding

On Mon, Sep 05, 2016 at 09:46:51PM +, Andrei Popov wrote: > > Do we need to make it this flexible? The idea was to avoid adding > complexity to the certificate filtering code in the TLS stack, and > instead filter by OIDs in the PKI library. PKI libraries already > inspect and match OID values

Re: [TLS] CertficateRequest extension encoding

Hi Ilari, I don't have this implemented yet, but yes, tag/length should be included. Same as in the actual cert. Cheers, Andrei -Original Message- From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com] Sent: Wednesday, April 26, 2017 10:04 AM To: Andrei Popov Cc: David Benj

Re: [TLS] Alert after sending ServerHello

On 26 April 2017 at 23:44, Ilari Liusvaara wrote: > But stopping on receiving EncryptedExtensions with EarlyData extension > is racy. How so? ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls