On 22 June 2016 at 10:27, Watson Ladd <watsonbl...@gmail.com> wrote:
> Isn't 0-RTT refusable? Why not treat 1.2 negotiation as a refusal?

The problem isn't that you get a 1.2 ServerHello, it's what happens
after that.  The server is going to choke on your 0-RTT data when it
receives that instead of the client's second flight.  If it doesn't,
it's probably passing your 0-RTT ciphertext to the application as
plaintext and that's even worse.

I don't expect people to update their 1.2 implementations to be able
to ignore 0-RTT data.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
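The two outcomes described in the message above, as an added example that is not part of the original thread: a small model of a TLS 1.2 server that has already sent its ServerHello flight and then reads 0-RTT records where it expects the client's second flight. The function names, the `strict` switch and the sample bytes are assumptions constructed for illustration; real implementations differ in how they fail.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23   # TLS record content types
UNEXPECTED_MESSAGE = 10                # TLS 1.2 alert description (RFC 5246)

def record(ctype, payload, version=0x0301):
    """Build one TLS record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def parse_records(stream):
    """Split a byte stream into (content_type, payload) pairs."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        out.append((ctype, body))
        off += 5 + length
    return out

def tls12_server_after_hello(stream, strict=True):
    """Hypothetical model: the server is waiting for handshake records
    (ClientKeyExchange onwards) and no record protection is active yet.
    Returns (alert_or_None, bytes_handed_to_the_application)."""
    delivered = b""
    for ctype, body in parse_records(stream):
        if ctype == HANDSHAKE:
            continue                    # second-flight messages, not modelled
        if ctype == APPLICATION_DATA:
            if strict:                  # "choke": abort the handshake
                return UNEXPECTED_MESSAGE, delivered
            delivered += body           # lax: ciphertext passed up as plaintext
    return None, delivered

# Constructed sample: two 0-RTT records of opaque ciphertext that the client
# sent right after its ClientHello, before seeing the 1.2 ServerHello.
EARLY_CIPHERTEXT = [bytes.fromhex("8f3a1c77d2e4"), bytes.fromhex("05b9e0")]
EARLY_FLIGHT = b"".join(record(APPLICATION_DATA, c) for c in EARLY_CIPHERTEXT)

if __name__ == "__main__":
    print("strict:", tls12_server_after_hello(EARLY_FLIGHT, strict=True))
    print("lax:   ", tls12_server_after_hello(EARLY_FLIGHT, strict=False))
```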