Re: [TLS] Padding extension and 0-RTT

David Benjamin <> Sun, 30 October 2016 19:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 34FA1129473 for <>; Sun, 30 Oct 2016 12:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UPMmkz-GMo_b for <>; Sun, 30 Oct 2016 12:52:32 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4B2F129408 for <>; Sun, 30 Oct 2016 12:52:32 -0700 (PDT)
Received: by with SMTP id 62so64614751oif.1 for <>; Sun, 30 Oct 2016 12:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=k9lgKDELG4AmlvzCztOyBC4GMCrqKFTxSJQNNUAH1Z0=; b=dJMASYBq3jI/VLUhXuH7plB+z6MZbEWwRk7CebHrfk+EnxhbVKPCc81PvJ99dupbwl yLNuL/sWn2vUEgqDSyChCy+JiEvg2Uja+ywYONG2KXC3ZePWh0iqikkG++quyo4ojXEh aouqD2p01YmR0dusPD+wuvSO9W+OeWeTfvTUM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=k9lgKDELG4AmlvzCztOyBC4GMCrqKFTxSJQNNUAH1Z0=; b=F9V4h26M9l66zi+xxSNXSU7Ff+4s492uC1edh6l+1dYGc8OEYKIzGaD4o7GtC0HSCG aaBE9w2i8FkiUK2OSY2R1frPDB5l/F0PaTHwAl1o6RG1Hc0Q2mQwb30eDPWcglYV/BR3 QBdqft8/xLB8hqyCfo2NtjCybTwIrmxQYdQmBC1biDdZR7EV42yCb2QNMLz/z27h9wk/ QhqqO3tBkYLXPApEwgVOekmM/wZUfBbheanBFHNnRmKP+pXl0UPQ5oTNguBCzn7lrJD9 XNtLj+GJdCrGrCJ7eSM5uFYaMo3i7irNRsmFjdDsnLcWSmZ397WPOWG9/+xVfHDC+gqv Cqdg==
X-Gm-Message-State: ABUngvcijwY7MwTyHnShI7NFmAseXUd8ag7sqfuDtLNIs5IfX4Xr5B7jJ93ZAmBGaajkZ2nYIs3fMJGTAn4q/USM
X-Received: by with SMTP id 18mr20561884iop.22.1477857152022; Sun, 30 Oct 2016 12:52:32 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: David Benjamin <>
Date: Sun, 30 Oct 2016 19:52:20 +0000
Message-ID: <>
To: Martin Thomson <>, "" <>
Content-Type: multipart/alternative; boundary="001a113ed64a938c4905401a6e6e"
Archived-At: <>
Subject: Re: [TLS] Padding extension and 0-RTT
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 30 Oct 2016 19:52:35 -0000

Sounds reasonable.

One concern is the F5 bug's failure mode was a timeout rather than an
error, so, if you take away padding, the allowance in C.3 will not save
heterogenous deployments where some servers do 1.3 and some are old F5
servers. But given we're talking about a straight-up server bug now, it
seems reasonable for a client to say, okay, I will try to account for
heterogenous 1.2 and 1.3 deployments because that's kinda operationally
tricky, but if you've got that F5 bug, please fix it already.


On Sun, Oct 30, 2016 at 6:03 AM Martin Thomson <>

(Trivial optimization warning)

Just perusing my draft and noticed that NSS pads a 0-RTT handshake,
which is not that surprising given that it's fairly beefy (it will get
even larger in -18).  Since a 0-RTT handshake will break servers that
don't at least superficially understand TLS 1.3, maybe we could avoid
pading in this case.  Is there any reason we shouldn't include that
advice in the draft?

TLS mailing list