Thanks for the feedback. This is very helpful.
On Wed, Oct 12, 2016 at 11:17 PM, Kazuho Oku <kazuho...@gmail.com> wrote:
> I wrote my implementation by going through the draft. While writing my
> code, I did not refer to other implementations except for looking into
> OpenSSL to see if there was an optimized path for implementing AES-GCM
> for TLS 1.3 (which turned out to not exist in 1.0.2; it has been
> introduced in OpenSSL 1.1.0).
> After my own implementation of server and client started talking to
> each other, I started to test interoperability by using Firefox
> I had to fix five issues before picotls started talking with Firefox,
> which took about half a day of work (some errors are not strictly
> related to TLS).
> Commit 479f25f, ddd50b7 fixed errors in AEAD construction.
> Commit 5cb99c5 fixed an error in RSA signing.
> Commit 2d20c86 fixed a mis-optimization in my implementation of
> Commit 5780bfc fixed a silly mistake in generating a CertificateVerify.
> Details of each commit can be found at
> It was possible to fix the errors by observing the fatal alert sent by
> Firefox and going back to the Internet Draft. But it would have been
> even easier if the draft included test vectors especially for the
> cryptographic operations.
We have heard this a number of times. We'll see what we can do about
vectors from a working implementation.
> Aside from the bugs I fixed, it seemed to me that the draft was vague
> on whether msg_type and length of Handshake should be considered as
> part of the Handshake Context (please forgive me if I missed somewhere
> that mentions it).
> In section 4.4, the draft states that, quote: a Handshake Context
> based on the hash of the handshake messages. This text seems to imply
> that msg_type and length should be considered part of the Context, but
> I could not find a formal definition of what a “handshake message” is.
Ouch. Yes, I see what you mean here. There used to be some text that made
this clear, but I think it got lost in an edit. I have filed an issue to
(https://github.com/tlswg/tls13-spec/issues/688) and will try to get it in
> The other two issues I had are my confusion on why a Handshake Context
> may contain Certificate and CertificateVerify after ServerFinished
> (answered by Illari at
> https://www.ietf.org/mail-archive/web/tls/current/msg21476.html), and
It sounds like test vectors would help here.
> a mistake in encoding draft 16 as 0x16
I have clarified this in:
Thanks for the bug report!
> Thank you very much for the great draft, and providing answers to my
> issues. I am looking forward to seeing it formalized.
Thank you very much for your input. It's great to see people doing
the specification and having success!
> Kazuho Oku
> TLS mailing list
TLS mailing list
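
Added example, not part of the original messages and not code from picotls or the draft: it shows the two points raised in the thread, hashing handshake messages with their msg_type and uint24 length header (the reading later fixed in RFC 8446 section 4.4.1) and encoding a draft number as 0x7f00 | draft. SHA-256, the function names and the placeholder message bodies are assumptions made for illustration.

```python
import hashlib


def frame_handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake struct on the wire: msg_type (1 byte), uint24 length, body."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("msg_type must fit in one byte")
    if len(body) > 0xFFFFFF:
        raise ValueError("body does not fit in a uint24 length")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def context_hash(messages, include_header: bool = True) -> bytes:
    """SHA-256 (assumed hash) over the handshake messages, in order.

    include_header=False reproduces the bodies-only reading, which lets
    two different message sequences collapse to the same digest.
    """
    h = hashlib.sha256()
    for msg_type, body in messages:
        h.update(frame_handshake(msg_type, body) if include_header else body)
    return h.digest()


def draft_version(draft: int) -> bytes:
    """Two-byte version for a TLS 1.3 draft: 0x7f00 | draft number."""
    if not 1 <= draft <= 0xFF:
        raise ValueError("draft number must fit in one byte")
    return (0x7F00 | draft).to_bytes(2, "big")


# Constructed placeholder bodies (not real hello messages): the same bytes
# split at different message boundaries.
SPLIT_A = [(1, b"ab"), (2, b"c")]
SPLIT_B = [(1, b"a"), (2, b"bc")]

if __name__ == "__main__":
    print("draft 16 on the wire:", draft_version(16).hex())  # decimal 16 is 0x10
    print("with headers, equal:   ",
          context_hash(SPLIT_A) == context_hash(SPLIT_B))
    print("bodies only, equal:    ",
          context_hash(SPLIT_A, False) == context_hash(SPLIT_B, False))
```

Two peers that disagree on either point compute different Finished values or reject the version, which is the kind of mismatch a published test vector would expose immediately.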