Open ghost opened 4 years ago
The nonce will be unique up to birthday bounds -- making the info string different for client/server only adds one bit of entropy, which is negligible and probably not worth the implementation effort.
As pointed out by @Mygod the proposed change will break compatibility with all implementations for relatively little gain in security. So I guess it's a wontfix?
We could keep it at the back of our heads and do this when the time comes.
As client and server share the same key and the same info string "ss-subinfo", secret messages of AES-GCM might be encrypted by the same key if the random salt is the same.
Since the random salt is visible, if someone could store several pieces of communication messages and wait for the time when client and server have used the same random salt, they could get some useful information from the secret messages.
For detailed information, please check Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (camera-ready version / Usenix WOOT16).
All in all, make the nonce unique. The subkey should be different between client and server.
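The following is an added example, not code from the issue or from the project it discusses. It assumes the subkey is derived with HKDF-SHA1 (RFC 5869) from the shared master key, the visible random salt and a fixed info string, and that both directions start their AEAD nonce counter at zero under that subkey. It shows the two points made above: with one shared info string, a repeated salt gives client and server the identical subkey (so the same key/nonce pairs are used in both directions), while per-role info strings keep the subkeys distinct; and the birthday estimate of how likely a salt repeat is for a given number of sessions. The role suffixes, the master key and the salt values are constructed for the example.

```python
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA1(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha1).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA1(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkey(master_key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Session subkey = HKDF-SHA1(master_key, salt, info) (assumed derivation)."""
    return hkdf_expand(hkdf_extract(salt, master_key), info, length)


def subkeys_collide(master_key: bytes, salt: bytes, client_info: bytes, server_info: bytes) -> bool:
    """True when client and server would encrypt under the same subkey for this salt.

    If both sides also start their nonce counter at 0 (assumed), a collision
    here means the same (key, nonce) pair protects two different plaintexts,
    which is exactly the GCM nonce-reuse condition the issue warns about.
    """
    return derive_subkey(master_key, salt, client_info) == derive_subkey(master_key, salt, server_info)


def birthday_collision_probability(num_salts: int, salt_bits: int) -> float:
    """Probability that at least two of num_salts uniform salts of salt_bits bits repeat.

    Standard birthday approximation: 1 - exp(-n(n-1) / 2^(b+1)).
    expm1 keeps the result accurate when the probability is tiny.
    """
    exponent = num_salts * (num_salts - 1) / 2.0 ** (salt_bits + 1)
    return -math.expm1(-exponent)


# Constructed sample inputs (not real keys).
MASTER_KEY = hashlib.sha256(b"example-password").digest()
REPEATED_SALT = bytes(range(32))          # the same salt observed in both directions
SHARED_INFO = b"ss-subinfo"               # single info string, as described in the issue
CLIENT_INFO = b"ss-subinfo-client"        # hypothetical per-role variant
SERVER_INFO = b"ss-subinfo-server"        # hypothetical per-role variant


if __name__ == "__main__":
    print("shared info, same salt  -> same subkey:",
          subkeys_collide(MASTER_KEY, REPEATED_SALT, SHARED_INFO, SHARED_INFO))
    print("per-role info, same salt -> same subkey:",
          subkeys_collide(MASTER_KEY, REPEATED_SALT, CLIENT_INFO, SERVER_INFO))
    for sessions in (2 ** 32, 2 ** 64):
        print(f"P[salt repeat] after {sessions} sessions with 256-bit salts:",
              birthday_collision_probability(sessions, 256))
```

The birthday figures are what the "unique up to birthday bounds" reply refers to: with 256-bit random salts the repeat probability stays negligible for any realistic number of sessions, which is why distinct per-role info strings buy little unless the salt is short or poorly generated.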