Ilari Liusvaara wrote:
> On Fri, Oct 21, 2016 at 11:41:59PM +1100, Martin Thomson wrote:
>> On 21 October 2016 at 19:55, Ilari Liusvaara <ilariliusva...@welho.com>
>> wrote:
>>> Of course, defining the "same certificate" is
>>> way trickier than it initially seems
>>
>> Not if you think simplistically: same octets in EE ASN1Cert
>> in both handshakes.
>
> Such behaviour would run into problems with certificate renewal.
Just the opposite. You definitely want a full handshake on certificate renewal.

I don't know how common it is in TLS servers (and TLS clients) to allow replacing of TLS certificates in "full flight". I implemented this in ours about 10 years ago, and I'm flushing the session cache after loading of the new/updated cert, so that every new handshake will result in a full handshake rather than session resume (ongoing connections continue to use the old/previous certificate until closed by the application).

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
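The two ideas in this exchange, "same certificate" meaning identical octets in the end-entity certificate and flushing the session cache when a renewed certificate is loaded, can be combined in a server-side session cache. The following is an added illustration, not code from any of the posters or from a real TLS stack; the cache API, the certificate byte strings and the session contents are constructed stand-ins. Each entry records a fingerprint of the certificate octets in force when it was created, so resumption is refused after renewal even if a caller forgot to flush.

```python
import hashlib
import threading
from dataclasses import dataclass
from typing import Dict, Optional


def cert_fingerprint(cert_der: bytes) -> bytes:
    # "Same certificate" in the simplistic sense: identical octets in the
    # EE ASN1Cert. Hashing the DER makes the comparison cheap to store.
    return hashlib.sha256(cert_der).digest()


@dataclass(frozen=True)
class SessionEntry:
    master_secret: bytes
    cert_fp: bytes   # fingerprint of the EE certificate when the session was made
    created: float


class ServerSessionCache:
    """Hypothetical resumption cache keyed by session ID (constructed example)."""

    def __init__(self, cert_der: bytes, lifetime_s: float = 3600.0) -> None:
        self._lock = threading.Lock()
        self._entries: Dict[bytes, SessionEntry] = {}
        self._lifetime_s = lifetime_s
        self._cert_fp = cert_fingerprint(cert_der)

    def store(self, session_id: bytes, master_secret: bytes, now: float) -> None:
        with self._lock:
            self._entries[session_id] = SessionEntry(master_secret, self._cert_fp, now)

    def resume(self, session_id: bytes, now: float) -> Optional[SessionEntry]:
        """Return the entry if resumption is allowed, else None (full handshake)."""
        with self._lock:
            entry = self._entries.get(session_id)
            if entry is None:
                return None
            if now - entry.created > self._lifetime_s or entry.cert_fp != self._cert_fp:
                # Expired, or the certificate was replaced after this session was
                # created: drop it so the client is forced into a full handshake.
                del self._entries[session_id]
                return None
            return entry

    def load_certificate(self, new_cert_der: bytes) -> int:
        """Install a (possibly renewed) certificate; returns sessions flushed."""
        new_fp = cert_fingerprint(new_cert_der)
        with self._lock:
            if new_fp == self._cert_fp:
                return 0          # same octets: existing sessions may still resume
            self._cert_fp = new_fp
            flushed = len(self._entries)
            self._entries.clear()  # every new handshake is now a full handshake
            return flushed
```

Connections already established keep whatever certificate they negotiated; the cache only governs whether a new ClientHello may resume.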