Eric Rescorla <[email protected]> writes:

>The TLS specification takes no position on when (1) clients should attempt
>resumption and (2) servers should allow it.

The design however strongly discourages its use. Because of the way TLS 1.3 reinvented the whole protocol using extensions, you can't know in advance whether the server will allow a resumption or not as you do with TLS classic, which means you always need to send a pile of guessed keyexes in your client hello for when it doesn't, making it the same as a non-resumed client hello. Alternatively, you can not send the guessed keyexes and trigger the hello-retry dance, which with network delays is even more expensive than sending the guessed keyexes. So there's not much point to resumption to save effort as it was with TLS classic, you have to do most of the full-handshake crypto (or take the hello-retry hit) either way, and implementing resumption just adds even more complexity and attack surface.

Peter.
