Eric Rescorla <[email protected]> writes:

>In both TLS 1.2 and TLS 1.3, it is not possible for the client to know prior
>to the connection whether the server will allow a resumption or not at the
>time you send the ClientHello. In either case, the server can always proceed
>to a full handshake.

Right, but in TLS classic the client doesn't need to do any PKC crypto for its
client hello if it's hoping for a resume while in TLS 1.3 it needs to do the
same amount of client hello PKC crypto as a non-resumed connection (or take
the hello-retry hit if it guesses wrong about the server allowing a resume).
So there's little benefit to the client apart from avoiding the second half of
the (EC)DHE and possibly sig check (thus "most of the full-handshake crypto")
compared to TLS classic where there's no PKC crypto needed at all.

Peter.
