On Sun, Jan 4, 2026 at 6:59 PM Peter Gutmann <[email protected]> wrote:

> Eric Rescorla <[email protected]> writes:
>
> >In both TLS 1.2 and TLS 1.3, it is not possible for the client to know prior
> >to the connection whether the server will allow a resumption or not at the
> >time you send the ClientHello. In either case, the server can always proceed
> >to a full handshake.
>
> Right, but in TLS classic the client doesn't need to do any PKC crypto for its
> client hello if it's hoping for a resume while in TLS 1.3 it needs to do the
> same amount of client hello PKC crypto as a non-resumed connection (or take
> the hello-retry hit if it guesses wrong about the server allowing a resume).
>

Yes, I agree with this. However, it also takes a full round trip to learn that
the server will resume. If (1) you are doing false start and (2) in the
application protocol the client speaks first, then you can piggyback the
client's first flight of data with the key establishment messages, so
you don't absorb the round trip. However, if these aren't true, then the
client has to wait 2RTT to transmit, which is the same cost you
would absorb for HRR.


> So there's little benefit to the client apart from avoiding the second half of
> the (EC)DHE and possibly sig check (thus "most of the full-handshake crypto")
> compared to TLS classic where there's no PKC crypto needed at all.
>

Well, yes, apart from those costs, but those costs are nontrivial [1]. Here are
some measurements [0] of the cost of resumption (using X25519, not pure PSK)
versus full handshakes, from rustls. As you can see, resumption is still quite
a bit faster than the full handshake.

I do agree with you that the difference is not as dramatic as if you are doing
pure PSK resumption, which is the sole option with TLS 1.2, and that if you
want pure PSK resumption, then the cost of generating the KeyShare in
case the server will not resume is nontrivial.

-Ekr

[0] https://rustls.dev/perf/2024-12-17-pq-kx/
[1] I'm not sure why you say "possible sig check". In TLS 1.3, you have to
pay the check for the server signature on each full handshake. This ignores
the certificate checks, which may be cacheable if the server uses the same
certificate.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
