On Fri, Oct 21, 2016 at 04:35:12PM +0200, Martin Rex wrote:
> Ilari Liusvaara wrote:
> > On Fri, Oct 21, 2016 at 11:41:59PM +1100, Martin Thomson wrote:
> >> On 21 October 2016 at 19:55, Ilari Liusvaara <ilariliusva...@welho.com>
> >> wrote:
> >>> Of course, defining the "same certificate" is
> >>> way trickier than it initially seems
> >>
> >> Not if you think simplistically: same octets in EE ASN1Cert
> >> in both handshakes.
> >
> > Such behaviour would run into problems with certificate renewal.
>
> Just the opposite. You definitely want full handshake on
> certificate renewal.
>
> I don't know how common it is in TLS servers (and TLS clients) to
> allow replacing of TLS certificates in "full flight".
Oh, the library I have written definitely does allow replacing the
server certificate in flight. All the way to one thread replacing the
certificate while another is handshaking with the old one in the
meantime. And these replacements can happen behind the application's
and even the TLS library's back. So no cache flushing.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
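The in-flight replacement Ilari describes, together with the octet-equality test for "same certificate" from earlier in the thread, as an added Go example; this is not code from the thread or from any library discussed, and the CertStore type, the throw-away certificate and the name example.test are constructed for it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync/atomic"
	"time"
)

// CertStore holds the server's current chain. Replace may run in one
// goroutine while another is mid-handshake: a handshake loads the value
// once, keeps that chain until it finishes, and never sees a torn update.
type CertStore struct{ cur atomic.Value } // holds *tls.Certificate

func (s *CertStore) Replace(c *tls.Certificate) { s.cur.Store(c) }

// GetCertificate has the crypto/tls callback signature; it hands the
// handshake that is starting now its snapshot of the chain.
func (s *CertStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	c, _ := s.cur.Load().(*tls.Certificate) // nil until the first Replace
	return c, nil
}

// SameEECert is the "simplistic" definition from the thread: two end-entity
// certificates are the same iff their DER octets are equal. Applied to the
// EE cert cached with a session, false means the certificate was renewed
// and a full handshake is required.
func SameEECert(a, b []byte) bool { return bytes.Equal(a, b) }

// selfSigned builds a constructed throw-away certificate for testing;
// a renewal is modelled as a new key and serial under the same name.
func selfSigned(serial int64) *tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}
```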