On Feb 1, 2021, at 3:00 PM, Joseph Salowey <j...@salowey.net> wrote:
> [Joe] What purpose is the CloseNotify serving? RFC 5216 does not require 
> CloseNotify. 

  With TLS 1.2, the server sends TLS Finished to the client *after* it sees the 
client cert.

  With TLS 1.3, the server sends TLS Finished to the client *before* it sees 
the client cert.

  So the question is: when the client sees EAP-Success, has its certificate 
been verified?  If there's no more TLS exchange server -> client, then 
malicious parties can forge an EAP-Success, and the client doesn't know any 
better.

  This attack isn't possible in TLS 1.2, because the client receives the TLS 
Finished from the server, as a *positive* acknowledgement that the server has 
authenticated the client.  In addition, the TLS exporter keys are not available 
until after the server sends TLS Finished.

  With TLS 1.3, the exporter keys are available *before* the client cert has 
been validated.  This "fast path" helps with non-EAP protocols, but makes life 
more difficult for EAP.

  Alan DeKok.
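The ordering argument above, as an added example (not code from the mail, nor from any EAP-TLS implementation): a simplified model of the two handshake flights, and an EAP peer rule that accepts EAP-Success only after some server -> client TLS message has arrived after the client sent its Certificate. The flight contents and the post-handshake message name are constructed for the model; the point is that under TLS 1.2 the server Finished already satisfies the rule, while under TLS 1.3 the peer needs a later server message (the CloseNotify being discussed) before a received EAP-Success can be trusted.

```python
"""Model of when an EAP-TLS peer may trust EAP-Success.

Added example, not code from the mail or from any real implementation.
Flights are simplified to ("sender", "message") pairs constructed here; a real
handshake carries more messages and this is not a TLS record parser.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TLS 1.2 as used by EAP-TLS: the server's Finished follows the client cert,
# so the client cannot receive it unless the server processed that cert.
TLS12_EAP_TLS: List[Tuple[str, str]] = [
    ("C", "ClientHello"),
    ("S", "ServerHello"), ("S", "Certificate"), ("S", "CertificateRequest"),
    ("S", "ServerHelloDone"),
    ("C", "Certificate"), ("C", "ClientKeyExchange"), ("C", "CertificateVerify"),
    ("C", "Finished"),
    ("S", "Finished"),  # sent only after the server checked the client cert
]

# TLS 1.3: the server's Finished is sent before it has seen the client cert,
# so nothing in the base handshake confirms client authentication to the client.
TLS13_EAP_TLS: List[Tuple[str, str]] = [
    ("C", "ClientHello"),
    ("S", "ServerHello"), ("S", "EncryptedExtensions"), ("S", "CertificateRequest"),
    ("S", "Certificate"), ("S", "CertificateVerify"), ("S", "Finished"),
    ("C", "Certificate"), ("C", "CertificateVerify"), ("C", "Finished"),
]


def server_finished_before_client_cert(flight: List[Tuple[str, str]]) -> bool:
    """True when the server's Finished precedes the client's Certificate
    (the TLS 1.3 ordering the mail describes)."""
    names = [(s, m) for s, m in flight]
    return names.index(("S", "Finished")) < names.index(("C", "Certificate"))


@dataclass
class EapTlsPeer:
    """Client-side view of the handshake, used to gate EAP-Success acceptance."""
    seen: List[Tuple[str, str]] = field(default_factory=list)

    def observe(self, sender: str, msg: str) -> None:
        self.seen.append((sender, msg))

    def _client_cert_index(self) -> Optional[int]:
        for i, (s, m) in enumerate(self.seen):
            if (s, m) == ("C", "Certificate"):
                return i
        return None

    def server_confirmed_client_cert(self) -> bool:
        """True iff a server -> client TLS message arrived *after* the client sent
        its Certificate.  Only such a message can attest that the server has
        processed (and therefore verified) the client certificate."""
        idx = self._client_cert_index()
        if idx is None:
            return False
        return any(s == "S" for s, _ in self.seen[idx + 1:])

    def accept_eap_success(self) -> bool:
        """An EAP-Success arriving before the server's confirmation is treated as
        unauthenticated and rejected, which is what defeats the forgery."""
        return self.server_confirmed_client_cert()


def run(flight: List[Tuple[str, str]], extra_server_msgs: Tuple[str, ...] = ()) -> bool:
    """Replay a flight, optionally followed by further server -> client
    messages (e.g. the CloseNotify under discussion), and return whether the
    peer would accept an EAP-Success received at that point."""
    peer = EapTlsPeer()
    for sender, msg in flight:
        peer.observe(sender, msg)
    for msg in extra_server_msgs:
        peer.observe("S", msg)
    return peer.accept_eap_success()


if __name__ == "__main__":
    print("TLS 1.2, EAP-Success after server Finished:", run(TLS12_EAP_TLS))
    print("TLS 1.3, EAP-Success right after client Finished:", run(TLS13_EAP_TLS))
    print("TLS 1.3, EAP-Success after server close_notify:",
          run(TLS13_EAP_TLS, ("close_notify",)))
```

The model deliberately keys on message order rather than on exporter-key availability: with TLS 1.3 the peer already holds exporter keys at the point where `run(TLS13_EAP_TLS)` returns False, which is exactly why key availability alone cannot be the signal for accepting EAP-Success.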

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
