RFR 8211018: Session Resumption without Server-Side State
Xuelei Fan
Xuelei.Fan at Oracle.Com
Wed Jun 5 21:28:07 UTC 2019
I don’t know if there are any deployments of RFC 4507. If not, we are safe; otherwise there are interop problems for session resumption.
Xuelei
> On Jun 5, 2019, at 2:19 PM, Jamil Nimeh <jamil.j.nimeh at oracle.com> wrote:
>
> Hi Xuelei,
>
> Given that 4507 is obsoleted in favor of 5077, is there really that much value to supporting this older/broken extension format? Do we know of clients that still adhere to 4507? Otherwise it seems better to stick to 5077 and the approach in TLS 1.3 and not try to go back and support an earlier obsoleted approach to this feature.
>>
>> These lines took me to the cooperation behaviors between RFC 5077 and RFC 4507. It looks like we don't support the RFC 4507 format of the SessionTicket extension. As RFC 5077 and RFC 4507 use the same extension ID for different extension formats, there are potential compatibility issues, which make session resumption impossible. I would like to have a workaround to accept both formats, for example, using a cookie at the beginning of the ticket, as described in Appendix A of RFC 5077.
>>
>>
>> I will review the rest of this class in the afternoon or tomorrow.
>>
>> Thanks,
>> Xuelei
>
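The dual-format acceptance raised in the quoted review, as an added example (not code from the JDK or from either poster): RFC 4507 wraps the ticket in a 2-byte length inside extension_data, while RFC 5077 carries the ticket bytes directly. The 4-byte cookie value and all class and method names are assumptions made for illustration.

```java
import java.util.Arrays;

/** Added illustration, not JDK code: classify SessionTicket extension_data. */
public class SessionTicketFormat {
    // Hypothetical marker the server puts at the start of every ticket it issues.
    static final byte[] COOKIE = {(byte) 0xA5, 0x54, 0x4B, 0x31};

    static boolean startsWithCookie(byte[] b, int off) {
        if (b.length - off < COOKIE.length) return false;
        for (int i = 0; i < COOKIE.length; i++) {
            if (b[off + i] != COOKIE[i]) return false;
        }
        return true;
    }

    /**
     * Returns the ticket bytes carried in extension_data, an empty array when
     * the client only signals support, or null when the data is neither format.
     */
    static byte[] extractTicket(byte[] extData) {
        // RFC 5077: extension_data is the ticket itself (empty = "send me a ticket").
        if (extData.length == 0) return extData;
        if (startsWithCookie(extData, 0)) return extData;
        // RFC 4507: extension_data is a 2-byte length followed by the ticket.
        if (extData.length >= 2) {
            int inner = ((extData[0] & 0xFF) << 8) | (extData[1] & 0xFF);
            if (inner == extData.length - 2
                    && (inner == 0 || startsWithCookie(extData, 2))) {
                return Arrays.copyOfRange(extData, 2, extData.length);
            }
        }
        return null; // unknown ticket: fall back to a full handshake
    }

    public static void main(String[] args) {
        byte[] ticket = {(byte) 0xA5, 0x54, 0x4B, 0x31, 1, 2, 3}; // constructed sample
        byte[] rfc4507 = new byte[ticket.length + 2];
        rfc4507[1] = (byte) ticket.length;
        System.arraycopy(ticket, 0, rfc4507, 2, ticket.length);

        System.out.println(Arrays.equals(extractTicket(ticket), ticket));
        System.out.println(Arrays.equals(extractTicket(rfc4507), ticket));
        System.out.println(extractTicket(new byte[] {0, 0}).length == 0);
        System.out.println(extractTicket(new byte[] {9, 9, 9}) == null);
    }
}
```

Without the cookie, a length check alone cannot separate the two formats, because an RFC 5077 ticket may begin with two bytes that happen to equal its remaining length.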