Hello,
While testing a TLS1.3 client implementation, I found an unexpected
behavior. Specific sequence:
1. Client negotiates TLS1.3 with Server.
2. Server sends NST with a valid ticket.
3. Client reconnects to the same Server. The ClientHello contains both
the `session_ticket` and `pre_shared_key` extensions. The value of the
`psk_identity` is equal to the value of the `session_ticket`.
Is it ever valid for a client to populate both extensions with the same
ticket value? Even if the client reconnects and lands on a different
server node that only supports TLS1.2, resumption should fail because
the protocol version should be included as part of the session state.
The `session_ticket` extension data in this example is at least wasted
data.
I did not see anything in the spec(neither 8446 2.2 nor 4.6.1) that
explicitly disallows this. 2.2 contains “Both mechanisms are obsoleted
in TLS 1.3.” when referring to `session_ticket` and `session_id`
resumption, but that may not be clear enough.
-Steven
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
