tlswg / draft-ietf-tls-esni

TLS Encrypted Client Hello
https://tlswg.github.io/draft-ietf-tls-esni/#go.draft-ietf-tls-esni.html

Fate of Early Data #434

Closed martinduke closed 3 years ago

martinduke commented 3 years ago

The only reference I see to early data in the draft is in a discussion of alternate designs.

If the client-facing server is unable to decode the inner client hello, an early-data extension (and PSK) might be in the inner or outer client hello.

If in the inner client hello, the server can't see it but will get application records. It should not throw the error that it otherwise might.

If in the outer client hello, this is essentially garbage being delivered to the wrong target, which is unlikely to even be decryptable in split mode.

I don't have strong feelings about what text should be in the draft about this. The simplest thing would probably be that the early_data extension MUST NOT be in the outer CH, and that the server should simply ignore early data application data records if it can't decode the inner hello and doesn't observe the necessary extensions.
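
Added example, not part of the thread or the draft: a Python model of the "ignore early data records" behaviour suggested in the comment above, following the skip-by-trial-decryption rule of RFC 8446 Section 4.2.10. The HMAC tag stands in for the record AEAD, and the keys, byte budget and function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16
MAX_EARLY_DATA_SIZE = 64  # constructed budget; a real server uses its configured limit


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Stand-in for AEAD sealing: payload plus a truncated HMAC over seq || payload."""
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag[:TAG_LEN]


def deprotect(key: bytes, seq: int, record: bytes):
    """Return the payload if the tag verifies under (key, seq), else None."""
    if len(record) < TAG_LEN:
        return None
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = protect(key, seq, payload)[-TAG_LEN:]
    return payload if hmac.compare_digest(tag, expected) else None


def receive_after_ech_failure(handshake_key: bytes, records, budget=MAX_EARLY_DATA_SIZE):
    """Skip undecryptable leading records up to `budget` bytes, then require valid ones."""
    seq = skipped = 0
    skipping = True
    accepted = []
    for rec in records:
        payload = deprotect(handshake_key, seq, rec)
        if payload is not None:
            skipping = False  # the first good record closes the skip window
            accepted.append(payload)
            seq += 1          # only authenticated records consume a sequence number
            continue
        skipped += len(rec)
        if not skipping or skipped > budget:
            raise ValueError("bad_record_mac")
    return accepted, skipped


# Constructed sample: two early-data records under a key the server never derived
# (it came from the inner ClientHello's PSK), then a record under the handshake key
# from the outer handshake.
EARLY_KEY, HS_KEY = b"e" * 32, b"h" * 32
SAMPLE = [protect(EARLY_KEY, 0, b"GET / HTTP/1.1"), protect(EARLY_KEY, 1, b"\r\n\r\n"),
          protect(HS_KEY, 0, b"client Finished")]
```

The byte budget and the rule that a failure after the first good record is fatal keep the skip window from becoming a way to feed the server unlimited unauthenticated data.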

davidben commented 3 years ago

I think this is #408. (The fix is in GitHub, but I don't think there's been a draft-11 yet.)

martinduke commented 3 years ago

Ack, will close.

One semi-related quibble:

> We almost don't care about this: the client may as well stop the handshake at server Finished and skip the client Finished flight anyway, for purposes of the recovery flow.

Is this accurate? Don't we need to have at least some data with the session keys to verify that the transcripts agree?

davidben commented 3 years ago

> Is this accurate? Don't we need to have at least some data with the session keys to verify that the transcripts agree?

The client checks the server agreed with server CertificateVerify and server Finished. Then the server checks the client agreed with client CertificateVerify and client Finished. For purposes of the recovery flow, the server doesn't care, only the client. The client is going to discard the connection as soon as it's authenticated the new config.