> I am having a difficult time understanding the tradeoffs you're facing.
This is the first time I'm reading the TLS 1.3 RFC. I have implemented SSLv3, TLS 1.0, 1.1, and 1.2. You may have used my test server at https www dot mikestoolbox dot org or dot net to test your own code. It's kind of old now since it doesn't do ECC, and the DHE_RSA key exchange I focused on has been disabled by most clients, so you end up getting a regular RSA handshake now.

I have gotten caught by the stateless HelloRetryRequest and can't get past it. You can't possibly implement it the way the spec suggests with just a hash in a HRR cookie extension. If it can be done at all, the stateless server should probably just put the ClientHello1 and HRR (minus the cookie) into the cookie extension. If this is how it should be done, then the spec should say so -- exactly how to do it so everyone does it the same (correct) way and not just hand-wave it and say figure it out yourself.

Getting the cookie right isn't enough because of the potential for resending an old cookie by a mischievous client. Nico suggests that replay caches are hard to get right even when your distributed servers are all talking to each other.

Mike
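The cookie construction under discussion, as an added example that is not part of the original message or of any TLS library: a stateless server seals Hash(ClientHello1) under an HMAC with an issue time, then rebuilds the transcript with the synthetic `message_hash` message from RFC 8446 section 4.4.1. The key, the 10-second lifetime, the cookie layout and all function names are assumptions made for illustration, and the HRR bytes are passed in rather than regenerated.

```python
import hashlib
import hmac
import struct
import time

COOKIE_KEY = b"constructed-demo-key-not-for-use"  # assumption: secret shared by all servers
COOKIE_LIFETIME = 10                               # assumption: seconds a cookie stays valid
HDR = struct.Struct("!QH")                         # issue time, selected group

def make_cookie(client_hello1: bytes, group: int, now=None) -> bytes:
    """Seal issue time, selected group and Hash(ClientHello1) into an opaque cookie."""
    now = int(time.time()) if now is None else now
    body = HDR.pack(now, group) + hashlib.sha256(client_hello1).digest()
    return body + hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()

def open_cookie(cookie: bytes, now=None):
    """Return (ch1_hash, group), or None if the cookie is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    if len(cookie) != HDR.size + 32 + 32:
        return None
    body, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    issued, group = HDR.unpack(body[:HDR.size])
    if not 0 <= now - issued <= COOKIE_LIFETIME:
        return None
    return body[HDR.size:], group

def transcript_after_hrr(ch1_hash: bytes, hrr: bytes, client_hello2: bytes) -> bytes:
    """RFC 8446 4.4.1: ClientHello1 is replaced by message_hash(254) || 00 00 len || hash.
    hrr must be the exact bytes that were sent (cookie included); a stateless server
    has to regenerate them byte for byte, which this sketch takes as an input."""
    synthetic = bytes([254, 0, 0, len(ch1_hash)]) + ch1_hash
    return hashlib.sha256(synthetic + hrr + client_hello2).digest()

if __name__ == "__main__":
    ch1 = b"constructed ClientHello1 bytes"        # constructed sample input
    cookie = make_cookie(ch1, 0x001D, now=1000)
    print("first use :", open_cookie(cookie, now=1003) is not None)
    # The same cookie presented again inside the lifetime still verifies: the HMAC
    # stops forgery and the timestamp bounds the window, but neither detects reuse.
    print("replayed  :", open_cookie(cookie, now=1004) is not None)
    print("expired   :", open_cookie(cookie, now=1011) is not None)
```

Detecting reuse inside the lifetime window would need shared state across servers, which is the replay-cache problem the message refers to.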