Thanks, Ilari!

-----Original Message-----
From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com]
Sent: Thursday, November 23, 2017 11:52 AM
To: Andrei Popov <andrei.po...@microsoft.com>
Cc: Peter Wu <pe...@lekensteyn.nl>; Le Van Gong, Hubert <hub...@levangong.org>; tls@ietf.org
Subject: Re: [TLS] Transcript-Hash during Handshake

On Thu, Nov 23, 2017 at 07:42:12PM +0000, Andrei Popov wrote:
> To confirm, TLSInnerPlaintext.type and TLSInnerPlaintext.zeros are not
> part of the handshake messages, and therefore are not included in the
> transcript hash?

Correct.

The transcript hash is also not affected by fragmentation. E.g. in TLS 1.3, the raw finished message fed to SHA-256 is always 14 00 00 20 <32 bytes payload>, regardless of padding and fragmentation (for SHA-384, that would be 14 00 00 30 <48 bytes payload>).

(In DTLS, the header would be different and larger, but also not affected by padding and fragmentation).

-Ilari
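
The point made in the reply above, as an added example that is not part of the original messages: a Finished message is wrapped into TLSInnerPlaintext structures under several fragmentation and padding layouts, and the hash over the reassembled handshake bytes is the same every time. The function names, the layouts and the verify_data values are constructed for illustration, and only the Finished message is hashed here, whereas a real transcript also covers the earlier handshake messages.

```python
import hashlib

HANDSHAKE = 22  # ContentType.handshake, carried in TLSInnerPlaintext.type

def finished_message(verify_data: bytes) -> bytes:
    """Handshake message: msg_type 0x14 (finished), 24-bit length, payload."""
    return b"\x14" + len(verify_data).to_bytes(3, "big") + verify_data

def to_inner_plaintexts(stream: bytes, frag_sizes, pad_lens):
    """Sender side: cut the handshake byte stream into fragments and wrap each
    one as TLSInnerPlaintext = content || type || zeros."""
    if len(frag_sizes) != len(pad_lens) or min(frag_sizes) < 1 \
            or sum(frag_sizes) != len(stream):
        raise ValueError("fragments must be non-empty and cover the stream")
    records, pos = [], 0
    for size, pad in zip(frag_sizes, pad_lens):
        records.append(stream[pos:pos + size] + bytes([HANDSHAKE]) + bytes(pad))
        pos += size
    return records

def strip_inner(inner: bytes) -> bytes:
    """Receiver side: drop the zeros padding, then the type byte.
    The type byte is non-zero, so content ending in 0x00 is preserved."""
    body = inner.rstrip(b"\x00")
    if not body or body[-1] != HANDSHAKE:
        raise ValueError("not a handshake TLSInnerPlaintext")
    return body[:-1]

def transcript_hash(records, alg="sha256") -> bytes:
    """Hash only the reassembled handshake bytes, never type or zeros."""
    h = hashlib.new(alg)
    for record in records:
        h.update(strip_inner(record))
    return h.digest()

def layouts_agree(verify_data: bytes, alg: str) -> bool:
    """True if every (fragmentation, padding) layout yields the hash of the
    raw handshake message."""
    msg = finished_message(verify_data)
    n = len(msg)
    layouts = [([n], [0]), ([1, 3, n - 4], [5, 0, 100]), ([10, n - 10], [0, 7])]
    digests = {transcript_hash(to_inner_plaintexts(msg, f, p), alg)
               for f, p in layouts}
    return digests == {hashlib.new(alg, msg).digest()}

if __name__ == "__main__":
    # Constructed verify_data values, not real Finished MACs.
    print(finished_message(bytes(range(32)))[:4].hex(" "))
    print(layouts_agree(bytes(range(32)), "sha256"))
    print(layouts_agree(bytes(range(48)), "sha384"))
```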