On Thu, Nov 23, 2017 at 07:42:12PM +0000, Andrei Popov wrote:
> To confirm, TLSInnerPlaintext.type and TLSInnerPlaintext.zeros are
> not part of the handshake messages, and therefore are not included
> in the transcript hash?

Correct. The transcript hash is also not affected by fragmentation.

E.g. in TLS 1.3, the raw finished message fed to SHA-256 is always
14 00 00 20 <32 bytes payload>, regardless of padding and
fragmentation (for SHA-384, that would be 14 00 00 30 <48 bytes
payload>).

(In DTLS, the header would be different and larger, but also
not affected by padding and fragmentation).


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
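
The point made in the reply above, as an added illustration that is not part of the original message: a Finished message is carried in TLSInnerPlaintext structures under different fragmentation and padding, and the bytes fed to the transcript hash come out identical. The function names are hypothetical, and the 32-byte verify_data is a constructed sample, not a real HMAC output.

```python
import hashlib

HANDSHAKE = 22  # ContentType value for handshake records (RFC 8446)

def finished_message(verify_data: bytes) -> bytes:
    """Handshake header (msg_type 0x14 + 24-bit length) followed by the payload."""
    return b"\x14" + len(verify_data).to_bytes(3, "big") + verify_data

def to_inner_plaintexts(msg: bytes, frag_sizes, pad_lens):
    """Sender side: split msg into TLSInnerPlaintext = content || type || zeros."""
    if sum(frag_sizes) != len(msg) or len(frag_sizes) != len(pad_lens):
        raise ValueError("fragment sizes must cover the message exactly")
    records, pos = [], 0
    for size, pad in zip(frag_sizes, pad_lens):
        records.append(msg[pos:pos + size] + bytes([HANDSHAKE]) + b"\x00" * pad)
        pos += size
    return records

def strip_inner(record: bytes):
    """Receiver side: drop the zeros padding, then split off the type byte."""
    body = record.rstrip(b"\x00")  # the type byte is non-zero, so this stops there
    if not body:
        raise ValueError("record has no content type")
    return body[-1], body[:-1]

def transcript_input(records) -> bytes:
    """Concatenate handshake content only; type and zeros never reach the hash."""
    out = b""
    for rec in records:
        ctype, content = strip_inner(rec)
        if ctype != HANDSHAKE:
            raise ValueError("not a handshake record")
        out += content
    return out

def transcript_hash(records) -> str:
    return hashlib.sha256(transcript_input(records)).hexdigest()

if __name__ == "__main__":
    msg = finished_message(bytes(range(32)))  # constructed verify_data
    print(msg[:4].hex(" "))                   # header: 14 00 00 20
    one = to_inner_plaintexts(msg, [36], [0])                 # one record, no padding
    many = to_inner_plaintexts(msg, [1, 3, 32], [0, 7, 100])  # split header, padded
    print(transcript_hash(one) == transcript_hash(many))
```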