Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

>I took a look at whether it is practically possible for a client to "opt-in"
>to (ostensibly cheaper) non-DHE TLS 1.3 resumption by sending a
>"psk_key_exchange_modes" extension consisting of just "psk_ke".
>
>Turns out that at least when the server is OpenSSL, the client is likely to
>be sad.

We found that too, TLS classic-style session resumption is essentially
impossible on TLS 1.3 because very widely-deployed implementations don't allow
non-DHE PSK, the replacement for TLS classic session resumption.  We were
getting complaints about timeouts with RTUs (SCADA devices) and eventually
tracked it down to the fact that they had to perform an expensive full crypto
handshake on each ping to the controllers they talked to because they couldn't
do a resume.  This is one of the (several) reasons I referred to in a previous
post why TLS 1.3 can be a lot lower-performance than TLS classic, luckily
they were only testing 1.3 use so just dropped it and kept going with 1.2
which fixed the problem.

Not really sure how to fix this, although at the moment "stay with TLS
classic" seems to be the preferred option.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
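
The negotiation discussed in this thread, as an added example that is not part of either message or of any TLS library's code: it encodes the "psk_key_exchange_modes" extension (type 45, psk_ke = 0, psk_dhe_ke = 1, per RFC 8446) and shows why a client listing only "psk_ke" ends up in a full handshake against a server that permits only "psk_dhe_ke". The `server_allowed` policy set, the function names and the server's preference for psk_dhe_ke are assumptions of the example.

```python
import struct

# Code points from RFC 8446.
EXT_PSK_KEY_EXCHANGE_MODES = 45
PSK_KE, PSK_DHE_KE = 0, 1
MODE_NAMES = {PSK_KE: "psk_ke", PSK_DHE_KE: "psk_dhe_ke"}


def build_psk_modes_extension(modes):
    """Encode: extension_type(2) | length(2) | ke_modes<1..255>."""
    if not 1 <= len(modes) <= 255:
        raise ValueError("ke_modes must hold 1..255 entries")
    body = bytes([len(modes)]) + bytes(modes)
    return struct.pack("!HH", EXT_PSK_KEY_EXCHANGE_MODES, len(body)) + body


def parse_psk_modes_extension(ext):
    """Decode one extension, rejecting truncated or inconsistent lengths."""
    if len(ext) < 5:
        raise ValueError("truncated extension")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    body = ext[4:]
    if ext_type != EXT_PSK_KEY_EXCHANGE_MODES:
        raise ValueError("not psk_key_exchange_modes")
    if ext_len != len(body) or body[0] != len(body) - 1:
        raise ValueError("length fields disagree")
    return list(body[1:])


def server_decision(client_ext, server_allowed):
    """Outcome for a client that also offers a valid PSK (hypothetical policy).

    A server may only select a mode the client listed, so with no mode in
    common the PSK cannot be used and the full handshake runs instead.
    """
    offered = parse_psk_modes_extension(client_ext)
    # Assumed server preference: psk_dhe_ke first, then psk_ke.
    for mode in (PSK_DHE_KE, PSK_KE):
        if mode in offered and mode in server_allowed:
            return "resume_" + MODE_NAMES[mode]
    return "full_handshake"


if __name__ == "__main__":
    only_ke = build_psk_modes_extension([PSK_KE])  # constructed sample
    print(only_ke.hex(), server_decision(only_ke, {PSK_DHE_KE}))
```

The "full_handshake" outcome is the per-connection cost the reply describes for the RTUs; listing both modes lets such a server resume, but with the (EC)DHE exchange included.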
