Thanks for the feedback. This is very helpful.

On Wed, Oct 12, 2016 at 11:17 PM, Kazuho Oku <kazuho...@gmail.com> wrote:
> I wrote my implementation by going through the draft. While writing my
> code, I did not refer to other implementations except for looking into
> OpenSSL to see if there was an optimized path for implementing AES-GCM
> for TLS 1.3 (which turned out to not exist in 1.0.2; it has been
> introduced in OpenSSL 1.1.0).
> After my own implementation of server and client started talking to
> each other, I started to test interoperability by using Firefox
> Nightly.
> I had to fix five issues before picotls started talking with Firefox,
> which took about half a day of work (some errors are not strictly
> related to TLS).
> Commit 479f25f, ddd50b7 fixed errors in AEAD construction.
> Commit 5cb99c5 fixed an error in RSA signing.
> Commit 2d20c86 fixed a mis-optimization in my implementation of
> Derive-Secret.
> Commit 5780bfc fixed a silly mistake in generating a CertificateVerify.
> Details of each commit can be found at
> https://github.com/h2o/picotls/commits/master
> It was possible to fix the errors by observing the fatal alert sent by
> Firefox and going back to the Internet Draft. But it would have been
> even easier if the draft included test vectors especially for the
> cryptographic operations.

We have heard this a number of times. We'll see what we can do about
producing some vectors from a working implementation.

> Aside from the bugs I fixed, it seemed to me that the draft was vague
> on whether msg_type and length of Handshake should be considered as
> part of the Handshake Context (please forgive me if I missed somewhere
> that mentions it).
> In section 4.4, the draft states that, quote: a Handshake Context
> based on the hash of the handshake messages. This text seems to imply
> that msg_type and length should be considered part of the Context, but
> I could not find a formal definition of what a “handshake message” is.

Ouch. Yes, I see what you mean here. There used to be some text that made
this clear, but I think it got lost in an edit. I have filed an issue to
fix this (https://github.com/tlswg/tls13-spec/issues/688) and will try to
get it in by -17.

> The other two issues I had are my confusion on why a Handshake Context
> may contain Certificate and CertificateVerify after ServerFinished
> (answered by Illari at
> https://www.ietf.org/mail-archive/web/tls/current/msg21476.html), and

It sounds like test vectors would help here.

> a mistake in encoding draft 16 as 0x16
> (https://github.com/tlswg/tls13-spec/issues/682).

I have clarified this in:

Thanks for the bug report!

> Thank you very much for the great draft, and providing answers to my
> issues. I am looking forward to seeing it formalized.

Thank you very much for your input. It's great to see people doing
implementations from the specification and having success!


> --
> Kazuho Oku
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
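
Added example, not part of the original thread and not picotls code: the Handshake Context question discussed above, worked in Python. The published RFC 8446 (Section 4.4.1) hashes each handshake message including its msg_type and length header, but not record layer headers; the message bodies and the `bodies_only_hash` helper below are constructed for illustration.

```python
import hashlib

# Handshake message type codes from the TLS 1.3 specification.
CLIENT_HELLO = 1
SERVER_HELLO = 2


def frame(msg_type: int, body: bytes) -> bytes:
    """Encode a Handshake struct: msg_type (1 byte) || uint24 length || body."""
    if len(body) >= 1 << 24:
        raise ValueError("handshake body exceeds uint24 length")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_messages(stream: bytes):
    """Split a reassembled handshake byte stream into (type, framed_message)."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        end = off + 4 + length
        if end > len(stream):
            raise ValueError("truncated handshake body")
        out.append((stream[off], stream[off:end]))
        off = end
    return out


def transcript_hash(stream: bytes) -> bytes:
    """Hash each whole Handshake struct, header included (RFC 8446 reading)."""
    h = hashlib.sha256()
    for _msg_type, framed in split_messages(stream):
        h.update(framed)
    return h.digest()


def bodies_only_hash(stream: bytes) -> bytes:
    """The other reading: hash bodies without msg_type and length."""
    h = hashlib.sha256()
    for _msg_type, framed in split_messages(stream):
        h.update(framed[4:])
    return h.digest()


# Constructed sample bodies, not real ClientHello/ServerHello contents.
STREAM = (frame(CLIENT_HELLO, b"constructed-client-hello")
          + frame(SERVER_HELLO, b"constructed-server-hello"))

if __name__ == "__main__":
    print("with headers:", transcript_hash(STREAM).hex())
    print("bodies only :", bodies_only_hash(STREAM).hex())
```

Two peers that pick different readings compute different transcript hashes, so their derived secrets and Finished values disagree and the handshake ends in a fatal alert.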