RFR 8211018: Session Resumption without Server-Side State
Jamil Nimeh
jamil.j.nimeh at oracle.com
Wed Jun 5 21:19:59 UTC 2019
Hi Xuelei,
Given that 4507 is obsoleted in favor of 5077, is there really that much
value to supporting this older/broken extension format? Do we know of
clients that still adhere to 4507? Otherwise it seems better to stick
to 5077 and the approach in TLS 1.3 and not try to go back and support
an earlier obsoleted approach to this feature.
>
> These lines took me to the cooperation behaviors between RFC 5077 and
> RFC 4507. It looks like we don't support the RFC 4507 format of the
> SessionTicket extension. As RFC 5077 and RFC 4507 use the same
> extension ID for different extension formats, there are potential
> compatibility issues, which make session resumption impossible. I would
> like to have a workaround to accept both formats. For example, using
> a cookie at the beginning of the ticket, as described in
> appendix-A of RFC 5077.
>
>
> I will review the rest of this class in the afternoon or tomorrow.
>
> Thanks,
> Xuelei
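
The Appendix A workaround mentioned in the quoted review, as an added example (not code from the webrev under review or from either poster): RFC 4507 wraps the ticket in an extra 2-byte length inside extension_data, RFC 5077 does not, and a server that starts its own tickets with a cookie such as FF FF can tell the two framings apart. The class name, the `parse` helper and the sample bytes are assumptions made for illustration; it needs Java 16 or later for `record`.

```java
import java.util.Arrays;
import java.util.Optional;

public class SessionTicketFraming {
    // Assumption: this server starts every ticket it issues with FF FF, the example
    // cookie from RFC 5077 Appendix A. An RFC 4507 length prefix can never be FF FF:
    // ticket plus 2-byte prefix would exceed the 65535-byte extension_data limit.
    static final int COOKIE = 0xFFFF;

    enum Format { RFC5077, RFC4507 }
    record Parsed(Format format, byte[] ticket) {}

    static int u16(byte[] b, int off) {
        return ((b[off] & 0xFF) << 8) | (b[off + 1] & 0xFF);
    }

    /** Classifies the extension_data of a SessionTicket (type 35) extension. */
    static Optional<Parsed> parse(byte[] ext) {
        if (ext.length == 0) {                        // RFC 5077 empty extension
            return Optional.of(new Parsed(Format.RFC5077, ext));
        }
        if (ext.length < 2) return Optional.empty();
        if (u16(ext, 0) == COOKIE) {                  // ticket starts at offset 0
            return Optional.of(new Parsed(Format.RFC5077, ext));
        }
        if (u16(ext, 0) != ext.length - 2) return Optional.empty();
        byte[] inner = Arrays.copyOfRange(ext, 2, ext.length);
        if (inner.length == 0 || (inner.length >= 2 && u16(inner, 0) == COOKIE)) {
            return Optional.of(new Parsed(Format.RFC4507, inner));  // 00 00 = empty
        }
        // Not one of our tickets: the caller falls back to a full handshake.
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed samples; the bytes after the cookie are placeholders.
        byte[][] samples = {
            {},                                        // RFC 5077, empty
            {(byte) 0xFF, (byte) 0xFF, 1, 2, 3},       // RFC 5077, ticket
            {0, 5, (byte) 0xFF, (byte) 0xFF, 1, 2, 3}, // RFC 4507, ticket
            {0, 0},                                    // RFC 4507, empty
            {0, 9, 1, 2, 3},                           // inconsistent length
        };
        for (byte[] s : samples) {
            System.out.println(s.length + " bytes -> " + parse(s)
                .map(p -> p.format() + ", ticket length " + p.ticket().length)
                .orElse("unrecognized"));
        }
    }
}
```

The cookie only settles framing; a ticket recovered either way still has to pass its normal integrity check before the session is resumed.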