> > You can't possibly implement [stateless HelloRetryRequest] the
> > way the spec suggests with just a hash in a HRR cookie extension.
>
> The only thing the server needs to know is the hash of the ClientHello
> (so it can restore the transcript hash) and that the server has already
> sent a HelloRetryRequest (which it can detect by presence of the
> cookie). The only argument I've seen made for what the spec suggests
> not working is being able to verify which fields changed between
> ClientHello1 and ClientHello2.
The server also needs to know the entire HelloRetryRequest message
since this goes into the Transcript Hash calculation:
Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
Hash(message_hash || /* Handshake type */
00 00 Hash.length || /* Handshake message length (bytes) */
Hash(ClientHello1) || /* Hash of ClientHello1 */
HelloRetryRequest || ... || Mn)
Many of the fields in HelloRetryRequest are fixed or predictable, but
the legacy_session_id_echo is not, for example. Also, relying on the
client to remind you what the hash of ClientHello1 is seems extremely
"optimistic" (in my opinion).
> I see no language in RFC 8446 that the server MUST enforce that
> the ClientHello2 is conformant with respect to ClientHello1.
It doesn't, and you could probably argue that the HelloRetryRequest
can be just a "do over" and let the client try again however it wants.
But if the server doesn't do 100% validation of the second ClientHello
as if it never received the first one, then there is room for mischief by
a "curious" client.
Mike
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
