Kazuho,

Thanks for the feedback. This is very helpful.

On Wed, Oct 12, 2016 at 11:17 PM, Kazuho Oku <kazuho...@gmail.com> wrote:

> I wrote my implementation by going through the draft. While writing my
> code, I did not refer to other implementations except for looking into
> OpenSSL to see if there was an optimized path for implementing AES-GCM
> for TLS 1.3 (which turned out to not exist in 1.0.2; it has been
> introduced in OpenSSL 1.1.0).
>
> After my own implementation of server and client started talking to
> each other, I started to test interoperability by using Firefox
> Nightly.
>
> I had to fix five issues before picotls started talking with Firefox,
> which took about half a day of work (some errors are not strictly
> related to TLS).
>
> Commit 479f25f, ddd50b7 fixed errors in AEAD construction.
> Commit 5cb99c5 fixed an error in RSA signing.
> Commit 2d20c86 fixed a mis-optimization in my implementation of
> Derive-Secret.
> Commit 5780bfc fixed a silly mistake in generating a CertificateVerify.
>
> Details of each commit can be found at
> https://github.com/h2o/picotls/commits/master
>
> It was possible to fix the errors by observing the fatal alert sent by
> Firefox and going back to the Internet Draft. But it would have been
> even easier if the draft included test vectors especially for the
> cryptographic operations.
>

We have heard this a number of times. We'll see what we can do about
producing some vectors from a working implementation.

> Aside from the bugs I fixed, it seemed to me that the draft was vague
> on whether msg_type and length of Handshake should be considered as
> part of the Handshake Context (please forgive me if I missed somewhere
> that mentions it).
>
> In section 4.4, the draft states that, quote: a Handshake Context
> based on the hash of the handshake messages. This text seems to imply
> that msg_type and length should be considered part of the Context, but
> I could not find a formal definition of what a “handshake message” is.
>

Ouch. Yes, I see what you mean here. There used to be some text that made
this clear, but I think it got lost in an edit. I have filed an issue to fix
this (https://github.com/tlswg/tls13-spec/issues/688) and will try to get
it in by -17.

> The other two issues I had are my confusion on why a Handshake Context
> may contain Certificate and CertificateVerify after ServerFinished
> (answered by Illari at
> https://www.ietf.org/mail-archive/web/tls/current/msg21476.html), and
>

It sounds like test vectors would help here.

> a mistake in encoding draft 16 as 0x16
> (https://github.com/tlswg/tls13-spec/issues/682).
>

I have clarified this in:
https://github.com/tlswg/tls13-spec/commit/0353994e038cfbf15becc68c412644789d2e3009

Thanks for the bug report!

> Thank you very much for the great draft, and providing answers to my
> issues. I am looking forward to seeing it formalized.

Thank you very much for your input. It's great to see people doing
implementations from the specification and having success!

Best,
-Ekr

>
> --
> Kazuho Oku
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
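An added example, not part of the original thread or of picotls: the Handshake Context question discussed above, in Python, assuming SHA-256 as the hash and using constructed placeholder message bodies (all function names are hypothetical). It hashes the same two handshake messages with and without the 4-byte msg_type/length header; RFC 8446 (section 4.4.1) later stated explicitly that the header is included and record-layer headers are not, and a peer that hashes different bytes fails Finished verification.

```python
import hashlib

HANDSHAKE_HEADER_LEN = 4  # msg_type (1 byte) + length (uint24, big-endian)


def frame_handshake(msg_type: int, body: bytes) -> bytes:
    """Serialize a Handshake struct: msg_type, uint24 length, body."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("msg_type must fit in one byte")
    if len(body) > 0xFFFFFF:
        raise ValueError("body exceeds uint24 length")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_handshake(stream: bytes):
    """Split a reassembled handshake stream into (msg_type, body, raw) tuples."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < HANDSHAKE_HEADER_LEN:
            raise ValueError("truncated handshake header")
        msg_type = stream[off]
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        end = off + HANDSHAKE_HEADER_LEN + length
        if end > len(stream):
            raise ValueError("truncated handshake body")
        out.append((msg_type, stream[off + 4:end], stream[off:end]))
        off = end
    return out


def context_hash(stream: bytes, include_header: bool = True) -> bytes:
    """SHA-256 over the handshake messages, with or without their headers."""
    h = hashlib.sha256()
    for _msg_type, body, raw in split_handshake(stream):
        h.update(raw if include_header else body)
    return h.digest()


# Constructed sample: placeholder bodies, not real ClientHello/ServerHello contents.
CLIENT_HELLO, SERVER_HELLO = 1, 2
SAMPLE = (frame_handshake(CLIENT_HELLO, b"\x00" * 8)
          + frame_handshake(SERVER_HELLO, b"\x01" * 6))

if __name__ == "__main__":
    print("headers included:", context_hash(SAMPLE, True).hex())
    print("bodies only:     ", context_hash(SAMPLE, False).hex())
```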