Is stateless HelloRetryRequest even being used? If so, how?
NSS implements HRR this way always. We pack the necessary state for the
connection to continue into the cookie (which is protected with an AEAD). We
can also retain server state, in which case the retained state is compared
against the state from the cookie as an extra sanity check. We chose to do
this for a few reasons, but one thing is that it encourages us to use the
second ClientHello for negotiating everything.
OK, so it sounds like you put something similar to a
NewSessionTicket (TLS 1.2) in the cookie with enough
information to recreate the server state. This is quite
a lot more information than just a "hash" as the spec
implies.
Also, are you sure you want to do this? The design of
TLS 1.3 was supposed to make it fast, but creating a
pseudo session ticket for every connection requiring a
HRR and then validating and decoding it is going to be
really slow. And your data center is going to get hotter
because your servers will be compute bound instead of
memory bound (if they even were).
Mike
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
