On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
> We have one more update for you all on TLS 1.3 deployment issues. Over the
> course of deploying TLS 1.3 to Google servers, we found that JDK 11
> unfortunately implemented TLS 1.3 incorrectly. On resumption, it fails to
> send the S
On Fri, Dec 14, 2018 at 10:50 AM Nico Williams wrote:
> If the server rejects resumption I guess the client would still fail,
> but this is much better than failing at 100% of all resumptions and
> better than adding fingerprinting and downgrades.
>
In order for TLS 1.3 deployment to be viable t
Nico Williams wrote:
> On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
>> We have one more update for you all on TLS 1.3 deployment issues. Over the
>> course of deploying TLS 1.3 to Google servers, we found that JDK 11
>> unfortunately implemented TLS 1.3 incorrectly. On resumptio
On Fri, Dec 14, 2018 at 10:11:38PM +0100, Martin Rex wrote:
> Nico Williams wrote:
> > On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
> >> We have one more update for you all on TLS 1.3 deployment issues. Over the
> >> course of deploying TLS 1.3 to Google servers, we found that J
OpenSSL extracts and uses SNI from session resumption tickets.
This gave Viktor Dukhovni and Matt Caswell an idea that I'll relay here
on their behalf.
Also, while we're at it, I'd like to note that SNI is not the only thing
requiring privacy protection from the client. There's also the PSK
iden
On Fri, Dec 14, 2018 at 6:54 PM Nico Williams wrote:
> OpenSSL extracts and uses SNI from session resumption tickets.
>
> This gave Viktor Dukhovni and Matt Caswell an idea that I'll relay here
> on their behalf.
>
> Also, while we're at it, I'd like to note that SNI is not the only thing
> requi
On Fri, Dec 14, 2018 at 08:01:35PM -0800, Eric Rescorla wrote:
> On Fri, Dec 14, 2018 at 6:54 PM Nico Williams wrote:
> > OpenSSL extracts and uses SNI from session resumption tickets.
> > This gave Viktor Dukhovni and Matt Caswell an idea that I'll relay here
> > on their behalf.
> >
> > Also, wh