Consider the scenario where a server is operating statelessly (i.e. using the cookie extension) and a client is operating in middlebox compat mode.
In that case the client sends an initial ClientHello and receives a ServerHello(HRR) back with a cookie in it. Before it sends its second ClientHello it first sends a dummy CCS. >From the server perspective it is operating statelessly so until it gets a ClientHello with a valid cookie in it, any message it receives is considered the "first" one. Therefore, because the server has forgotten about the initial interaction with the client, the first message it sees is a CCS. Draft-22 says this: "An implementation may receive an unencrypted record of type change_cipher_spec consisting of the single byte value 0x01 at any time during the handshake and MUST simply drop it without further processing." Does "any time during the handshake" include the very first message it receives? If so then this has implications for servers that accept connections from TLSv1.2 (and below) clients (regardless of whether the server is stateless or not), i.e. an incoming connection that starts with a CCS and then goes on to negotiate TLSv1.2 would be accepted which seems odd. If it doesn't mean that then a stateless server will receive a CCS as the first message and not know how to handle it. Maybe there are different rules for handling CCS for stateless servers? Or perhaps middlebox compat mode should never be used in a scenario where a stateless server is being used (e.g. QUIC). Either way it seems that some clarification of the wording would help. Matt _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls