> It's probably better to reject this fallback when the client has chosen to
> explicitly use a TLS 1.3 feature with 0-RTT in general.
>
> Subodh
>
> From: Martin Thomson [martin.thom...@gmail.com]
> Sent: Tuesday, March 29, 2016 6:29 PM
From: Martin Thomson [martin.thom...@gmail.com]
Sent: Tuesday, March 29, 2016 6:29 PM
To: David Benjamin
Cc: Subodh Iyengar; tls@ietf.org
Subject: Re: [TLS] Tickets and cross protocol attacks
On 30 March 2016 at 05:00, David Benjamin wrote:
> On the server, OpenSSL already includes the version in the SSL_SESSION
> structure, and recent enough versions of it will not accept sessions at the
> wrong version
NSS too. This is the right thing, I think.
I have no
On Tue, Mar 29, 2016 at 12:57 PM Subodh Iyengar wrote:
> Recent attacks like SLOTH, DROWN, PKCS1.5 padding oracles have shown that
> attacks on previous versions of TLS can be used to attack new versions of
> TLS.
>
> One thing that is not mandated by TLS 1.3 is separation of
Recent attacks like SLOTH, DROWN, PKCS1.5 padding oracles have shown that
attacks on previous versions of TLS can be used to attack new versions of TLS.
One thing that is not mandated by TLS 1.3 is separation of session tickets and
session ids between TLS protocols. For example a client could use