On Tue, Oct 24, 2017 at 12:42:01AM +0000, Andrei Popov wrote:
> Draft-21 says:
> "Handshake messages MUST NOT span key changes. Implementations
> MUST verify that all messages immediately preceding a key change
> align with a record boundary; if not, then they MUST terminate the
> connection with an "unexpected_message" alert. Because the
> ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate
> messages can immediately precede a key change, implementations
> MUST send these messages in alignment with a record boundary."

Edge case: Finished is also part of post-handshake auth (*puke*), which does not trigger key change.

And from some cryptographic analysis, one might get an idea to immediately send a KeyUpdate requesting reciprocal update afterwards (not that I think that is actually necessary or even helpful).

-Ilari
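
The record-boundary check from the quoted draft text, with the post-handshake Finished case from the reply, as an added example that is not part of the original thread or of any TLS library. All names are hypothetical, the sample messages are constructed, and the two predicates are a simplification of what a real state machine would decide per state.

```python
# Added example: hypothetical names, constructed sample data.
# TLS 1.3 HandshakeType code points.
CLIENT_HELLO, SERVER_HELLO, END_OF_EARLY_DATA, FINISHED, KEY_UPDATE = 1, 2, 5, 20, 24

class UnexpectedMessage(Exception):
    """Stands in for sending a fatal unexpected_message alert."""

def hs(msg_type, body):
    """Encode one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

class HandshakeReassembler:
    def __init__(self, key_change_follows):
        # key_change_follows(msg_type) -> bool comes from the connection state,
        # because the same message type may or may not precede a key change.
        self.key_change_follows = key_change_follows
        self.buf = b""

    def feed_record(self, fragment):
        """Consume one handshake record's plaintext; return complete messages."""
        self.buf += fragment
        out = []
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break  # message continues in the next record
            body, self.buf = self.buf[4:4 + length], self.buf[4 + length:]
            # Any bytes left here would be read under the old keys but belong
            # after the key change: the message did not end the record.
            if self.key_change_follows(msg_type) and self.buf:
                raise UnexpectedMessage(f"type {msg_type} not at record boundary")
            out.append((msg_type, body))
        return out

def during_handshake(t):   # simplification: all five listed types change keys
    return t in {CLIENT_HELLO, SERVER_HELLO, END_OF_EARLY_DATA, FINISHED, KEY_UPDATE}

def post_handshake(t):     # post-handshake auth Finished changes no keys
    return t == KEY_UPDATE

def check(predicate, records):
    r = HandshakeReassembler(predicate)
    try:
        return [t for rec in records for t, _ in r.feed_record(rec)]
    except UnexpectedMessage:
        return "unexpected_message"

FIN = hs(FINISHED, bytes(32))   # constructed 32-byte verify_data
KU = hs(KEY_UPDATE, b"\x01")    # request_update = update_requested
```

A Finished coalesced with a following KeyUpdate in one record is rejected during the main handshake but accepted post-handshake, where only the KeyUpdate has to end the record.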
