On Sat, Feb 21, 2026 at 06:04:31PM -0800, Eric Rescorla wrote:
> > - Setting the protocol floor at TLS 1.3 trims a bunch of TLS 1.2 cipher
> > codepoints, and a non-resumption CH is finally plausibly small enough
> > to fit into a single TCP segment:
> >
> >     Sent TLS Record
> >     Header:
> >       Version = TLS 1.0 (0x301)
> >       Content Type = Handshake (22)
> >       Length = 1396
> >         ClientHello, Length=1392
> >           client_version=0x303 (TLS 1.2)
> >
>
> If you instead offer hybrid, you're at 1428, which might still fit.

Yes, provided only the hybrid keyshare (without an accompanying ECC-only
keyshare) is sent. I expect that more typically a client sending a
hybrid keyshare will also send the corresponding ECC-only keyshare,
which (everything the same as above) gives:

    Sent TLS Record
    Header:
      Version = TLS 1.0 (0x301)
      Content Type = Handshake (22)
      Length = 1464
        ClientHello, Length=1460
          client_version=0x303 (TLS 1.2)
          ...
          extension_type=key_share(51), length=1258
            NamedGroup: X25519MLKEM768 (4588)
            key_exchange: (len=1216): ..
            NamedGroup: ecdh_x25519 (29)
            key_exchange: (len=32): ...

An X25519 payload is then added twice, pushing the CH size to just over
the common TCP MSS of 1460 bytes (a shorter SNI might just squeak under
the limit). :-(

Though on the whole we're in violent agreement. The conditions under
which pure ML-KEM fits in a single TCP segment, and hybrid does not, are
somewhat atypical (TLS 1.3-only floor, no resumption).

--
Viktor. 🇺🇦 Слава Україні!
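
Added example (not part of the message above or of any project's code): a Python sketch that serializes the key_share extension per RFC 8446 section 4.2.8 with dummy key bytes and reproduces the sizes quoted in the thread. It assumes the 1392-byte ClientHello offered MLKEM768 (codepoint 0x0201, 1184-byte key) alone, and that everything outside key_share is unchanged between the traces.

```python
import struct

TCP_MSS = 1460        # common Ethernet MSS cited in the thread
RECORD_HDR = 5        # TLS record header: type(1) + version(2) + length(2)
HANDSHAKE_HDR = 4     # handshake header: msg_type(1) + length(3)

# (NamedGroup codepoint, client key_exchange length in bytes)
X25519 = (29, 32)
MLKEM768 = (0x0201, 1184)        # assumption: the group behind the 1392-byte CH
X25519MLKEM768 = (4588, 1216)    # 1184-byte ML-KEM key + 32-byte X25519 key


def key_share_extension(shares):
    """Serialize a ClientHello key_share extension using all-zero dummy keys."""
    entries = b"".join(
        struct.pack("!HH", group, klen) + bytes(klen) for group, klen in shares
    )
    client_shares = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", 51, len(client_shares)) + client_shares


# Bytes of the traced ClientHello body that are not key_share, derived from the
# second trace (ClientHello Length=1460, hybrid plus X25519 shares).
BASELINE = 1460 - len(key_share_extension([X25519MLKEM768, X25519]))


def client_hello_sizes(shares):
    """Return (ClientHello length, record Length field, bytes on the wire)."""
    body = BASELINE + len(key_share_extension(shares))
    record_len = HANDSHAKE_HDR + body
    return body, record_len, RECORD_HDR + record_len


def fits_one_segment(shares, mss=TCP_MSS):
    """True if the whole TLS record fits in one TCP segment of size mss."""
    return client_hello_sizes(shares)[2] <= mss


if __name__ == "__main__":
    offers = {
        "MLKEM768 only": [MLKEM768],
        "X25519MLKEM768 only": [X25519MLKEM768],
        "X25519MLKEM768 + X25519": [X25519MLKEM768, X25519],
    }
    for name, shares in offers.items():
        print(name, client_hello_sizes(shares), fits_one_segment(shares))
```

Passing mss=1448 models a path where TCP timestamps consume 12 bytes of each segment.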