On 23 November 2016 at 10:24, Eric Rescorla <e...@rtfm.com> wrote:
>> [EncryptedExtensions Certifi]
>> [cateRequest Certificate Cer]
>> [tificateVerify Finished]
>
> Yeah, that's how this works in NSS.
To be clear, NSS buffers an entire flight of messages and then sends them. It might fragment things between TCP segments as a result, but usually fits everything in a single record (with some exceptions, thanks to CertificateRequest being bloated, for example). (In DTLS, it's more complicated because we have MTU detection, but the same basic principle applies.)

Like others, I would find stricter rules around record splits very hard to enforce, and for not much gain.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
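The flight buffering described in the message above, as an added example that is not NSS code or anything from the thread: the sender serializes the whole server flight (the five messages in the quoted diagram) into one byte stream and cuts it into records without regard to message boundaries, and the receiver reassembles handshake messages across whatever record boundaries it sees. The message bodies are constructed placeholder bytes of plausible sizes, not real TLS structures, and the records are left in plaintext; a real TLS 1.3 server flight is encrypted under the handshake traffic keys before it is sent.

```python
import struct

# Added example, not NSS code. Framing constants are from RFC 8446.
HANDSHAKE = 22                 # ContentType.handshake
LEGACY_VERSION = 0x0303        # legacy_record_version
MAX_FRAGMENT = 2 ** 14         # TLSPlaintext fragment limit (RFC 8446 section 5.1)

# HandshakeType values (RFC 8446 section 4)
ENCRYPTED_EXTENSIONS = 8
CERTIFICATE = 11
CERTIFICATE_REQUEST = 13
CERTIFICATE_VERIFY = 15
FINISHED = 20


def handshake_message(msg_type, body):
    """Handshake framing: 1-byte msg_type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def pack_flight(messages, max_fragment=MAX_FRAGMENT):
    """Buffer a whole flight, then cut the byte stream into records.

    Message boundaries are ignored when cutting, which is what the record
    layer permits: one record may carry several messages, or a fragment of
    one.  Returns the raw records (5-byte header + fragment), unencrypted.
    """
    stream = b"".join(handshake_message(t, b) for t, b in messages)
    records = []
    for off in range(0, len(stream), max_fragment):
        frag = stream[off:off + max_fragment]
        header = struct.pack("!BHH", HANDSHAKE, LEGACY_VERSION, len(frag))
        records.append(header + frag)
    return records


class HandshakeReassembler:
    """Receiver side: accumulate fragments, emit complete handshake messages.

    Because the sender may split anywhere, even inside the 4-byte handshake
    header, the receiver must buffer until a full message is present.
    """

    def __init__(self):
        self.pending = b""
        self.messages = []

    def feed_record(self, record):
        ctype, _version, length = struct.unpack("!BHH", record[:5])
        fragment = record[5:5 + length]
        if ctype != HANDSHAKE:
            raise ValueError("not a handshake record")
        if len(fragment) != length:
            raise ValueError("truncated record")
        if length == 0:
            # RFC 8446 section 5.1: zero-length handshake fragments are not permitted.
            raise ValueError("empty handshake fragment")
        self.pending += fragment
        while len(self.pending) >= 4:
            msg_len = int.from_bytes(self.pending[1:4], "big")
            if len(self.pending) < 4 + msg_len:
                break  # rest of this message is in a later record
            self.messages.append((self.pending[0], self.pending[4:4 + msg_len]))
            self.pending = self.pending[4 + msg_len:]
        return len(self.messages)


def reassemble(records):
    """Feed every record to a fresh reassembler and return (type, body) pairs."""
    r = HandshakeReassembler()
    for rec in records:
        r.feed_record(rec)
    return r.messages


def sample_flight(cert_body_len):
    """Constructed server flight in the quoted order; bodies are placeholders."""
    return [
        (ENCRYPTED_EXTENSIONS, bytes(2)),
        (CERTIFICATE_REQUEST, bytes(3)),
        (CERTIFICATE, bytes(cert_body_len)),
        (CERTIFICATE_VERIFY, bytes(68)),
        (FINISHED, bytes(32)),
    ]


if __name__ == "__main__":
    # A modest certificate: the whole flight fits in one record.
    print(len(pack_flight(sample_flight(1200))), "record(s) for a small flight")
    # A bloated flight spills into a second record.
    print(len(pack_flight(sample_flight(20000))), "record(s) for a large flight")
    # Even pathological 7-byte records reassemble to the same five messages.
    print([t for t, _ in reassemble(pack_flight(sample_flight(20000), 7))])
```

The last case is the practical reason the receiver logic is the part that matters: a peer that tolerates arbitrary fragmentation (as every conforming receiver must) gains nothing from a rule constraining where senders may split, and a rule it cannot observe being followed is one it cannot enforce.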