hannestschofenig / mbedtls

An open source, portable, easy to use, readable and flexible SSL library
https://tls.mbed.org
Apache License 2.0

Don't send CCS after server finish in 0-RTT rejected case #385

Closed jesiegel1 closed 2 years ago

jesiegel1 commented 2 years ago

Description

RFC 8446:

If not offering early data, the client sends a dummy change_cipher_spec record immediately before its second flight. This may either be before its second ClientHello or before its encrypted handshake flight. If offering early data, the record is placed immediately after the first ClientHello.

Currently in the 0-RTT rejected case, the client will send two CCS messages, one immediately following ClientHello and one after ServerFinished, but because 0-RTT was attempted, the second CCS message is encrypted using the 0-RTT keys.

Status

READY

Additional comments

ccs_with_fix.log ccs_without_fix.log

jesiegel1 commented 2 years ago

First connect sends single CCS after server Finished, second connect sends single CCS after ClientHello: ccs_early_reject_with_fix.log
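
The placement rule quoted from RFC 8446 in the description can be checked mechanically against a client trace. The following C checker is an added example, not code from this pull request or from mbedtls; the event names, the traces and `check_client_ccs` are hypothetical, and it assumes a handshake without HelloRetryRequest.

```c
#include <stddef.h>
#include <stdio.h>

/* Client-side handshake events in the order the client handles them (hypothetical names). */
typedef enum { CLIENT_HELLO, CCS, EARLY_DATA, SERVER_FINISHED_RCVD, CLIENT_FINISHED } ev_type;
typedef struct { ev_type type; int encrypted; } event;
typedef enum { CCS_OK, CCS_MISSING, CCS_DUPLICATE, CCS_ENCRYPTED, CCS_MISPLACED } ccs_result;

/* Apply the RFC 8446 rule quoted in the description to one client trace
 * (assumption: no HelloRetryRequest in the handshake). */
ccs_result check_client_ccs(const event *t, size_t n, int offered_early_data)
{
    size_t i, at = 0, seen = 0;
    for (i = 0; i < n; i++) {
        if (t[i].type != CCS) continue;
        if (seen++) return CCS_DUPLICATE;          /* only one dummy CCS per handshake */
        if (t[i].encrypted) return CCS_ENCRYPTED;  /* the dummy CCS is a plaintext record */
        at = i;
    }
    if (!seen) return CCS_MISSING;
    if (offered_early_data)  /* immediately after the first ClientHello */
        return (at > 0 && t[at - 1].type == CLIENT_HELLO) ? CCS_OK : CCS_MISPLACED;
    /* otherwise immediately before the encrypted handshake flight */
    return (at + 1 < n && t[at + 1].type == CLIENT_FINISHED) ? CCS_OK : CCS_MISPLACED;
}

/* Constructed traces modelled on the cases in this thread, not taken from the attached logs. */
static const event rejected_before_fix[] = {
    {CLIENT_HELLO, 0}, {CCS, 0}, {EARLY_DATA, 1},
    {SERVER_FINISHED_RCVD, 1}, {CCS, 1}, {CLIENT_FINISHED, 1} };
static const event rejected_after_fix[] = {
    {CLIENT_HELLO, 0}, {CCS, 0}, {EARLY_DATA, 1},
    {SERVER_FINISHED_RCVD, 1}, {CLIENT_FINISHED, 1} };
static const event no_early_data[] = {
    {CLIENT_HELLO, 0}, {SERVER_FINISHED_RCVD, 1}, {CCS, 0}, {CLIENT_FINISHED, 1} };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("0-RTT rejected, before fix: %d\n",
           (int)check_client_ccs(rejected_before_fix, LEN(rejected_before_fix), 1));
    printf("0-RTT rejected, after fix:  %d\n",
           (int)check_client_ccs(rejected_after_fix, LEN(rejected_after_fix), 1));
    printf("no early data offered:      %d\n",
           (int)check_client_ccs(no_early_data, LEN(no_early_data), 0));
    return 0;
}
```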