Thank you. OK, I understand that some servers could not allow reuse of cookies, but why is it FORBIDDEN by the standard? It could be suggested not to reuse them in general cases, but what if I wanted to use TLS 1.3 with my custom server, which uses cookies only to prevent spoofing attacks (in the UDP (DTLS) case), and clients know that they can reuse previous cookies for a fast handshake? Why would it be prohibited then?

On 30 October 2017 at 11:31, Martin Thomson <martin.thom...@gmail.com> wrote:
> What is most likely to happen is that the cookie will be invalid and
> the connection will be rejected.
>
> Many TLS servers assume that presence of a cookie means that they
> previously sent a HelloRetryRequest on that connection. For instance,
> NSS packs a hash of the original ClientHello into the cookie so that
> it can restore the handshake transcript. Reusing the cookie will just
> lead to the server restoring the handshake transcript from the wrong
> handshake. And that's even assuming that it accepts the cookie in the
> first place.
>
> On Mon, Oct 30, 2017 at 6:07 PM, Jānis Čoders <janis.cod...@gmail.com> wrote:
>> Hi, is there ANY security issue with reusing Cookie from previous TLS
>> connection? In current draft there is text: "Clients MUST NOT use
>> cookies in their initial ClientHello in subsequent connections." I
>> can't think of any security implication, but can think of situations
>> where it could be useful.
>>
>> --
>> Best regards,
>> Jānis Čoders
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls

--
Best regards,
Jānis Čoders
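
The transcript mismatch described in the quoted reply, as an added example that is not part of the original thread and is not NSS's code: a simplified model of a stateless server whose cookie carries a MAC-protected hash of the first ClientHello, using the TLS 1.3 `message_hash` synthetic message. The cookie layout, the `StatelessServer` class, the helper names and the placeholder message bytes are assumptions made for illustration.

```python
import hashlib, hmac, os

HRR = b"constructed-HelloRetryRequest"  # placeholder bytes, not a real encoding

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def message_hash(ch1_hash: bytes) -> bytes:
    # Synthetic handshake message that replaces ClientHello1 in the transcript
    # after a HelloRetryRequest: type 254, 3-byte length, Hash(ClientHello1).
    return bytes([254]) + len(ch1_hash).to_bytes(3, "big") + ch1_hash

class StatelessServer:
    """Hypothetical server that keeps no per-connection state across the HRR."""
    def __init__(self):
        self.key = os.urandom(32)

    def _tag(self, h: bytes) -> bytes:
        return hmac.new(self.key, h, hashlib.sha256).digest()

    def make_cookie(self, client_hello1: bytes) -> bytes:
        h = sha256(client_hello1)
        return h + self._tag(h)  # assumed layout: hash || MAC

    def restore_transcript(self, cookie: bytes, client_hello: bytes) -> bytes:
        # A cookie is taken as proof that an HRR was sent on this connection.
        h, tag = cookie[:32], cookie[32:]
        if not hmac.compare_digest(tag, self._tag(h)):
            raise ValueError("cookie rejected")
        return sha256(message_hash(h) + HRR + client_hello)

def fresh_handshake(server):
    ch1 = b"ClientHello1|random=" + os.urandom(8)      # constructed sample
    cookie = server.make_cookie(ch1)
    ch2 = ch1 + b"|cookie=" + cookie
    client_view = sha256(message_hash(sha256(ch1)) + HRR + ch2)
    return cookie, client_view == server.restore_transcript(cookie, ch2)

def reused_cookie_handshake(server, old_cookie):
    # New connection: the client saw no HRR, so its transcript is just its hello.
    ch = b"ClientHello|random=" + os.urandom(8) + b"|cookie=" + old_cookie
    client_view = sha256(ch)
    return client_view == server.restore_transcript(old_cookie, ch)

if __name__ == "__main__":
    srv = StatelessServer()
    cookie, ok = fresh_handshake(srv)
    print("fresh handshake transcripts match:", ok)
    print("reused cookie transcripts match:", reused_cookie_handshake(srv, cookie))
```

In this model the reused cookie still passes the MAC check, yet the two sides compute different transcript hashes, so the handshake would fail at the Finished messages.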