On Tue, Nov 22, 2016 at 4:36 PM, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 23 November 2016 at 10:24, Eric Rescorla <e...@rtfm.com> wrote:
> >>     [EncryptedExtensions Certifi]
> >>     [cateRequest Certificate Cer]
> >>     [tificateVerify Finished]
> >
> >
> > Yeah, that's how this works in NSS.
>
> To be clear, NSS buffers an entire flight of messages and then sends
> them. It might fragment things between TCP segments as a result, but
> usually fits everything in a single record (with some exceptions,
> thanks to CertificateRequest being bloated, for example). (In DTLS,
> it's more complicated because we have MTU detection, but the same
> basic principle applies.)
>

Yes, this is what I meant to say. Basically, it tries to cram as much as it can
into one record and the answer to "as much as it can" is "it depends"

-Ekr

> Like others, I would find stricter rules around record splits very
> hard to enforce, and for not much gain.
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
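Added illustration, not part of the original message and not NSS code: a sender that buffers a whole handshake flight and cuts it into record-sized fragments without regard to message boundaries, and a receiver that recovers the messages from the 4-byte handshake headers alone. It assumes plaintext handshake bytes (record protection is omitted); the function names and message bodies are constructed for this example.

```python
# Handshake messages are framed by their own header (1-byte type, 3-byte length),
# so a receiver can reassemble them regardless of where records were split.
# TLS 1.3 HandshakeType values for the flight quoted in the thread.
HANDSHAKE_TYPES = {8: "EncryptedExtensions", 13: "CertificateRequest",
                   11: "Certificate", 15: "CertificateVerify", 20: "Finished"}

def encode(msg_type, body):
    """Serialize one handshake message: type, 24-bit big-endian length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def pack_flight(messages, max_fragment):
    """Sender side: buffer the entire flight, then cut it into fragments of at
    most max_fragment bytes. Cuts can land in the middle of a message."""
    flight = b"".join(encode(t, b) for t, b in messages)
    return [flight[i:i + max_fragment] for i in range(0, len(flight), max_fragment)]

def receive(fragments):
    """Receiver side: append each fragment to a buffer and emit every message
    whose header and full body have arrived. Raises if the flight is truncated."""
    buf, out = bytearray(), []
    for fragment in fragments:
        buf += fragment
        while len(buf) >= 4:
            length = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + length:
                break  # body continues in a later record
            out.append((buf[0], bytes(buf[4:4 + length])))
            del buf[:4 + length]
    if buf:
        raise ValueError(f"flight ended mid-message with {len(buf)} bytes pending")
    return out

# Constructed sample flight (bodies are filler bytes, not real TLS structures).
FLIGHT = [(8, b"\x00\x00"), (13, b"R" * 40), (11, b"C" * 90),
          (15, b"V" * 30), (20, b"F" * 32)]

if __name__ == "__main__":
    # 16384 is the maximum record plaintext length; smaller sizes force splits.
    for size in (29, 64, 16384):
        fragments = pack_flight(FLIGHT, size)
        names = [HANDSHAKE_TYPES[t] for t, _ in receive(fragments)]
        print(f"max_fragment={size}: {len(fragments)} record(s) -> {names}")
```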