Open randombit opened 4 years ago
Re-keying will not help in the case of ChaCha20-Poly1305 to some extent: https://dl.acm.org/doi/abs/10.1145/3460120.3484814
From https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3460120.3484814&file=CCS21-fp593.mp4 I quote two slides:
Then renegotiate or fail when too much data is sent. There is already a limit of 2^48 for DTLS or 2^64 for TLS due to sequence number wraparound, but specific ciphers have smaller limits. This is most important for 3DES due to collisions, but even AES-GCM has relatively small limits.
NSS change: https://bugzilla.mozilla.org/show_bug.cgi?id=1268745

Paper: http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf
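
A sketch of the "renegotiate or fail" check the issue asks for, added here as an example; it is not Botan code and not part of the original issue. `RecordLimiter`, its method names, the caller-supplied `cipher_limit` and `margin`, and resetting the count on new keys are all assumptions of this sketch; only the 2^48 and 2^64 sequence-number bounds come from the text above.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

enum class Transport { TLS, DTLS };
enum class Action { Continue, Renegotiate, Fail };

// Hypothetical helper: counts records protected under the current keys.
class RecordLimiter {
public:
    // cipher_limit: max records per key for the negotiated cipher (assumed to
    // be supplied by the caller from the relevant analysis).
    // margin: how many records before the hard limit renegotiation is requested.
    RecordLimiter(Transport t, uint64_t cipher_limit, uint64_t margin)
        : m_hard(std::min(cipher_limit, seq_space(t))),
          m_soft(m_hard - std::min(margin, m_hard)) {}

    // Sequence-number space: 2^48 for DTLS, 2^64 for TLS.
    // 2^64 does not fit in uint64_t, so TLS is clamped to 2^64 - 1.
    static uint64_t seq_space(Transport t) {
        return t == Transport::DTLS ? (uint64_t{1} << 48) : UINT64_MAX;
    }

    // Call before protecting each record. Fail means the record must not be
    // sent; Renegotiate means it may be sent but new keys should be requested.
    Action on_record() {
        if (m_sent >= m_hard) return Action::Fail;
        ++m_sent;
        return m_sent > m_soft ? Action::Renegotiate : Action::Continue;
    }

    // Assumption of this sketch: fresh keys restart the count.
    void on_new_keys() { m_sent = 0; }
    uint64_t hard_limit() const { return m_hard; }

private:
    uint64_t m_hard, m_soft, m_sent = 0;
};

int main() {
    // Constructed toy limits so the transitions are visible.
    RecordLimiter lim(Transport::DTLS, /*cipher_limit=*/10, /*margin=*/3);
    for (int i = 1; i <= 12; ++i) {
        Action a = lim.on_record();
        std::printf("record %2d: %s\n", i,
                    a == Action::Continue ? "continue" :
                    a == Action::Renegotiate ? "renegotiate" : "fail");
    }
    return 0;
}
```
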