Hello, I have a question about handling the psk_key_exchange_mode extension.
4.2.9. Pre-Shared Key Exchange Modes says:

    This extension also restricts the modes for use with PSK
    resumption; servers SHOULD NOT send NewSessionTicket with tickets
    that are not compatible with the advertised modes

Is this compatibility defined externally to the protocol, or does it depend on the initial handshake?

To take an example, suppose the server uses the ticket construction mechanism described in RFC 5077.

If the former is the case, the server requires PSK with (EC)DHE when the ticket encryption key is required to be forward secret. From the implementation point of view, that would be provided as an option in the server configuration.

On the other hand, if the latter is the case, the server requires PSK with (EC)DHE when the initial handshake chose (EC)DHE key exchange, because the ticket is tied to resumption_master_secret derived from the (EC)DHE secret.

Since the above paragraph is followed by:

    however, if a server does so, the impact will just be that the
    client’s attempts at resumption fail.

I thought the latter is more plausible; however, in that case psk_ke would only be meaningful when the initial handshake is PSK-only.

Regards,
-- 
Daiki Ueno

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
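As an added illustration, not code from Daiki Ueno's post nor from any TLS implementation: the block below parses the psk_key_exchange_modes extension (type 45, `PskKeyExchangeMode ke_modes<1..255>` with psk_ke = 0 and psk_dhe_ke = 1, RFC 8446 section 4.2.9) out of a ClientHello extensions vector, then applies the two readings the post contrasts as two interchangeable server policies for "tickets that are not compatible with the advertised modes". The ClientHello bytes, the HandshakeContext fields, the policy functions and decide_for_sample are constructed for this example and are not an API of any library; the code takes no position on which reading is correct, it only makes the difference between them observable.

```python
"""
Added example (not part of the mailing-list post or of any TLS stack):
locate psk_key_exchange_modes in a ClientHello extensions block and apply
the two readings of "compatible with the advertised modes" from the post.
Everything below the RFC-defined constants is constructed for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Callable, Optional

EXT_SUPPORTED_VERSIONS = 43        # extension type numbers, RFC 8446 section 4.2
EXT_PSK_KEY_EXCHANGE_MODES = 45
PSK_KE = 0                         # PskKeyExchangeMode: PSK-only key establishment
PSK_DHE_KE = 1                     # PskKeyExchangeMode: PSK with (EC)DHE key establishment


def build_extensions(exts: list[tuple[int, bytes]]) -> bytes:
    """Encode `Extension extensions<8..2^16-1>`: uint16 type, opaque data<0..2^16-1>."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def find_extension(block: bytes, ext_type: int) -> Optional[bytes]:
    """Walk the extensions vector; return the extension_data of ext_type, or None."""
    if len(block) < 2 or struct.unpack("!H", block[:2])[0] != len(block) - 2:
        raise ValueError("bad extensions vector length")
    off = 2
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        t, n = struct.unpack("!HH", block[off:off + 4])
        off += 4
        data = block[off:off + n]
        off += n
        if len(data) != n:
            raise ValueError("truncated extension_data")
        if t == ext_type:
            return data
    return None


def parse_psk_key_exchange_modes(body: bytes) -> list[int]:
    """Decode `PskKeyExchangeMode ke_modes<1..255>`: one length byte, one byte per mode.
    Unrecognised modes are dropped, as section 4.2.9 tells servers to ignore them."""
    if len(body) < 2 or body[0] < 1 or len(body) != 1 + body[0]:
        raise ValueError("bad ke_modes vector")
    return [m for m in body[1:] if m in (PSK_KE, PSK_DHE_KE)]


@dataclass(frozen=True)
class HandshakeContext:
    """What the server knows when about to send NewSessionTicket (constructed fields)."""
    client_modes: tuple[int, ...]      # ke_modes advertised in ClientHello
    used_dhe: bool                     # did the initial handshake include (EC)DHE?
    ticket_key_forward_secret: bool    # server config: must the RFC 5077 ticket key be forward secret?


Policy = Callable[[HandshakeContext], set[int]]


def modes_from_server_config(ctx: HandshakeContext) -> set[int]:
    """Reading 1 in the post: compatibility is decided by configuration, outside the
    handshake. A forward-secret ticket key means resumption must use (EC)DHE."""
    return {PSK_DHE_KE} if ctx.ticket_key_forward_secret else {PSK_KE, PSK_DHE_KE}


def modes_from_initial_handshake(ctx: HandshakeContext) -> set[int]:
    """Reading 2 in the post: the ticket inherits the initial handshake's properties,
    so a handshake that used (EC)DHE yields a ticket usable only with psk_dhe_ke."""
    return {PSK_DHE_KE} if ctx.used_dhe else {PSK_KE, PSK_DHE_KE}


def should_send_new_session_ticket(ctx: HandshakeContext, policy: Policy) -> bool:
    """The SHOULD NOT: send a ticket only if the client advertised at least one
    mode the ticket is compatible with under the chosen policy."""
    return bool(set(ctx.client_modes) & policy(ctx))


# Constructed ClientHello extensions: supported_versions {0x0304} and
# psk_key_exchange_modes {psk_dhe_ke, psk_ke}.
SAMPLE_EXTENSIONS = build_extensions([
    (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04"),
    (EXT_PSK_KEY_EXCHANGE_MODES, b"\x02\x01\x00"),
])


def decide_for_sample(used_dhe: bool, forward_secret_key: bool,
                      client_modes: Optional[tuple[int, ...]] = None) -> dict[str, bool]:
    """Run both readings for one handshake; client_modes defaults to SAMPLE_EXTENSIONS."""
    if client_modes is None:
        raw = find_extension(SAMPLE_EXTENSIONS, EXT_PSK_KEY_EXCHANGE_MODES)
        client_modes = tuple(parse_psk_key_exchange_modes(raw))
    ctx = HandshakeContext(client_modes, used_dhe, forward_secret_key)
    return {
        "server_config": should_send_new_session_ticket(ctx, modes_from_server_config),
        "initial_handshake": should_send_new_session_ticket(ctx, modes_from_initial_handshake),
    }


if __name__ == "__main__":
    # Where the readings diverge: a client offering only psk_ke after an (EC)DHE
    # handshake gets a ticket under reading 1 (non-forward-secret key), none under 2.
    print(decide_for_sample(used_dhe=True, forward_secret_key=False, client_modes=(PSK_KE,)))
```

The divergence the post describes shows up only when the client advertises psk_ke alone after an (EC)DHE handshake: under the configuration reading the answer depends on a server option, under the handshake reading no ticket is sent at all. When the client offers both modes, both readings send a ticket, which is why, as the post observes, psk_ke on its own is only interesting for PSK-only initial handshakes.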