On Tue, Sep 13, 2016 at 12:04:40PM -0500, Benjamin Kaduk wrote: > > > On 09/09/2016 03:19 PM, Ilari Liusvaara wrote: > > On Fri, Sep 09, 2016 at 02:50:59PM -0500, Benjamin Kaduk wrote: > > >> I have a slight (i.e., unjustified) preference for doing > >> ClientHello-with-block-of-zeros rather than prefix-of-ClientHello. (Is > >> there a reason to require this extension to be the last one with > >> block-of-zeros? Clearly there is for prefix-of-ClientHello.) > > What about the case where client tries DHE-PSK and gets attempt > > rejected because of missing group (or because address verification)? > > 0-RTT is gone yes, but the PSK attempt isn't. > > > > What happens to the hash in this case? > > > > > > I feel like I must be missing something, but I don't really understand > the question. (Sadly, waiting in the hope that someone else did > understand and would respond didn't work.) The 0-RTT failed, so the > full handshake will have an actual Finished message, with a different > hash calculated (including over the "hello_finished" extension). The > most plausible way I could interpret the question seems to be asking > about the lack of Hash(resumption_context) in the 1-RTT Finished, but > the security properties of that should be the same as for the > hello_finished, so I'm still puzzled. > > Sorry for being dense...
I mean the following case (perhaps bit misconfigured server): Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,...,finished=zot) Server: HelloRetryRequest(group=24) Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,24:quux,...,finished=???) What is the finished data calculated over in the second case? -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls