On Tue, Oct 01, 2019 at 10:56:00AM -0400, Viktor Dukhovni wrote:
> I've read the draft, it looks quite useful and reasonable.  It would
> be good to see this published.

+1

> I have one idea (implemented in OpenSSL 1.1.1 on the server side)
> that may be worth mentioning in this context (and perhaps even the
> draft):
> 
>    - By default, OpenSSL TLS 1.3 servers only vend multiple (two)
>      tickets on full handshakes.  Resumed sessions issue just one
>      ticket.
> 
> This avoids unbounded linear growth in the number of tickets vended
> to a client that makes many resumed connections even after reaching
> its peak connection concurrency.

Dumb clients that say they want so many tickets on resumption, and then
store them all, and don't clear out older tickets fast enough... can get
DoSed by a server that gives them what they asked for.

This probably warrants a bit of text on the matter.  Probably a SHOULD
saying that clients should ask for only one ticket in resumptions (i.e.,
not use this extension) unless they are short of tickets.

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
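The two points above (a server that vends only one ticket on resumption, and a client that should bound what it stores and ask for one ticket on resumption unless it is short) can be shown side by side with a small simulation. The code below is an added illustration and is not from this thread, OpenSSL, or the ticket-request draft; the "count" the client sends, the resumption policy, and the per-server cache with oldest-first eviction are all assumptions made for the example. The server side is modelled as a server that vends exactly what the client asks for, which is the case Nico describes.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Ticket:
    """Minimal stand-in for a NewSessionTicket: id, issue time, lifetime (s)."""
    ticket_id: bytes
    issued_at: float
    lifetime: int


class TicketStore:
    """Per-server client-side ticket cache, bounded by max_tickets.

    max_tickets=None models the naive client that keeps everything it is sent.
    Insertion order doubles as age, so eviction drops the oldest ticket first.
    """

    def __init__(self, max_tickets=4):
        self.max_tickets = max_tickets
        self._tickets = OrderedDict()  # ticket_id -> Ticket

    def purge_expired(self, now):
        expired = [tid for tid, t in self._tickets.items()
                   if now >= t.issued_at + t.lifetime]
        for tid in expired:
            del self._tickets[tid]

    def add(self, ticket, now):
        self._tickets[ticket.ticket_id] = ticket
        self._tickets.move_to_end(ticket.ticket_id)
        self.purge_expired(now)
        # The cap is what keeps a generous server from growing our memory use.
        while self.max_tickets is not None and len(self._tickets) > self.max_tickets:
            self._tickets.popitem(last=False)

    def take(self, now):
        """Consume one ticket for a single-use resumption; None if we have none."""
        self.purge_expired(now)
        if not self._tickets:
            return None
        _, ticket = self._tickets.popitem(last=False)
        return ticket

    def __len__(self):
        return len(self._tickets)


def greedy_policy(store, now, full_handshake):
    """Client that always asks for two tickets, even on resumption (assumed)."""
    return 2


def prudent_policy(desired_concurrency):
    """Ask for enough tickets to cover desired concurrency on a full handshake;
    on resumption ask for one unless the cache is short (assumed policy)."""
    def policy(store, now, full_handshake):
        store.purge_expired(now)
        target = desired_concurrency
        if store.max_tickets is not None:
            target = min(target, store.max_tickets)
        shortfall = target - len(store)
        return max(1, shortfall)
    return policy


def simulate(store, connections, policy, ticket_lifetime=7200):
    """Run a sequence of connections against a server that vends exactly the
    requested count. Returns the peak number of tickets the client held."""
    now = 0.0
    peak = 0
    for i in range(connections):
        consumed = store.take(now)
        full_handshake = consumed is None
        count = policy(store, now, full_handshake)
        for j in range(count):
            # Constructed ticket ids; the server would send opaque blobs.
            store.add(Ticket(f"{i}-{j}".encode(), now, ticket_lifetime), now)
        peak = max(peak, len(store))
        now += 1.0
    return peak


if __name__ == "__main__":
    print("greedy, unbounded:", simulate(TicketStore(None), 10, greedy_policy))
    print("greedy, capped at 4:", simulate(TicketStore(4), 10, greedy_policy))
    print("prudent, concurrency 2:", simulate(TicketStore(4), 10, prudent_policy(2)))
```

With ten resumed connections the greedy, unbounded client ends up holding eleven tickets and keeps growing linearly, the same client with a cap of four stays at four, and the prudent policy settles at its target concurrency of two because it only replaces the ticket it just consumed. Expiry is checked on every add and take so a stale ticket never counts toward the cache being "full".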
