Hello,

While RFC 8449 defines the minimum of record_size_limit as 64, if a server takes account of the Security Considerations and chooses its own lower limit (larger than 64), how should it behave?

   Very small record sizes might generate additional work for senders and
   receivers, limiting throughput and increasing exposure to denial of
   service.

In the beginning of section 4 (emphasis is my own):

   When the "record_size_limit" extension is _negotiated_, an endpoint
   MUST NOT generate a protected record with plaintext that is larger
   than the RecordSizeLimit value it receives from its peer.

and later in the same section:

   Endpoints SHOULD advertise the "record_size_limit" extension, even if
   they have no need to limit the size of records. [...] _For servers,
   this allows clients to know that their limit will be respected._

My interpretation is that, if the client sent "record_size_limit" but didn't receive the extension from the server, that would mean the extension was not negotiated and the server may not respect the limit. Is this correct, or is 64 really mandatory to implement?

Regards,
-- 
Daiki Ueno
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
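An added model of the RFC 8449 section 4 rules the message quotes (not code from the thread or from any TLS stack): the extension counts as negotiated only when both sides send it, a received value below 64 is a fatal illegal_parameter, and a sender never exceeds the protocol-defined maximum. The `server_offer` policy (a server declining to echo the extension when the client's value is below a floor it is willing to honour) is an assumption that encodes the message's own reading, not the list's answer.

```python
from dataclasses import dataclass
from typing import Optional

RSL_MIN = 64                   # RFC 8449 sect. 4: a value below 64 is an illegal_parameter
TLS12_MAX_PLAINTEXT = 2 ** 14  # TLS 1.2 plaintext limit per record
TLS13_MAX_INNER = 2 ** 14 + 1  # TLS 1.3 limit covers TLSInnerPlaintext (adds the type byte)


class IllegalParameter(Exception):
    """Stands in for a fatal illegal_parameter alert."""


def protocol_max(version: str) -> int:
    return TLS13_MAX_INNER if version == "1.3" else TLS12_MAX_PLAINTEXT


def validate_received_limit(value: int, version: str) -> int:
    """Check the peer's RecordSizeLimit; return the cap on plaintext we may send it."""
    if value < RSL_MIN:
        raise IllegalParameter(f"record_size_limit {value} < {RSL_MIN}")
    # The peer may advertise more than this protocol version allows; we never
    # send beyond the protocol-defined maximum anyway.
    return min(value, protocol_max(version))


def server_offer(client_limit: Optional[int], own_limit: int, floor: int) -> Optional[int]:
    """Hypothetical server policy (the message's reading): a client value below the
    floor the server will honour is answered by not echoing the extension at all."""
    if client_limit is None:
        return None
    if client_limit < RSL_MIN:
        raise IllegalParameter(f"record_size_limit {client_limit} < {RSL_MIN}")
    return None if client_limit < floor else own_limit


@dataclass
class Endpoint:
    version: str
    advertised: Optional[int]  # None: this side did not send the extension
    send_cap: int = 0          # max plaintext per protected record after negotiation


def negotiate(client: Endpoint, server: Endpoint) -> bool:
    """Apply RFC 8449 sect. 4; True when the extension was negotiated (both sides sent it)."""
    if client.advertised is not None and server.advertised is not None:
        client.send_cap = validate_received_limit(server.advertised, client.version)
        server.send_cap = validate_received_limit(client.advertised, server.version)
        return True
    # Not negotiated (e.g. the client offered but the server stayed silent): neither
    # side is bound by the other's value, only by the protocol maximum.
    client.send_cap = protocol_max(client.version)
    server.send_cap = protocol_max(server.version)
    return False
```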