On Jul 12, 2019, at 11:08 PM, Jouni Malinen <j...@w1.fi> wrote:
> In other words, there does not seem to be any convenient way of
> implementing this with the current version of one of the most commonly
> used TLS libraries. I can make this work by sending out a one-octet
> (0x00) TLSPlaintext as a workaround, but it does not look like I could
> make the implementation comply with the draft without changing the TLS
> library which is close to a complete showstopper for quick deployment.

I agree.

> It would seem to make sense to me to allow the EAP-TLS 1.3 server to
> send out either an empty plaintext or a one octet plaintext to avoid
> this issue in a straightforward manner.

We may also want to later perform additional signalling at that phase of the authentication. As such, it may be good to say:

* a one octet plaintext of 0x00 should be sent
* on reception, any data received should be ignored
* non-zero octets, or more than one octet MAY indicate future extensions

Alan DeKok.