Re: [TLS] TLS 1.3 and TCP interactions

Nico Williams <> Fri, 29 May 2020 23:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6B2BB3A11BE for <>; Fri, 29 May 2020 16:28:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8wJfMmk1XO2I for <>; Fri, 29 May 2020 16:28:28 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EED9D3A11BD for <>; Fri, 29 May 2020 16:28:27 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id 14D9B360B6A; Fri, 29 May 2020 23:28:27 +0000 (UTC)
Received: from (100-96-137-10.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id 66F75360922; Fri, 29 May 2020 23:28:26 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by (trex/5.18.8); Fri, 29 May 2020 23:28:26 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Chief-Whistle: 1e49fddb710e3226_1590794906675_3735018758
X-MC-Loop-Signature: 1590794906675:942159931
X-MC-Ingress-Time: 1590794906675
Received: from (localhost []) by (Postfix) with ESMTP id 2ACDF95D5D; Fri, 29 May 2020 16:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=KK/O3vPf/ZA6Ho feRmw5IWSeauk=; b=YwZtEBv+CBS5l+Jc2K7eIY6CCFMlj9b3dPx1SkDEEgqjpO crBMHcn6701FhNcCpH1wo9wHCDNIY2GxpGPEJhObfa/1bKjaiupDfUA0x/E2zq/w HLH2yXhDw2mWAdIYusu1NKZO92P+ygLsqQ0BkjqpikwVjVBrfT+Vh6cOAAIho=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 0C2E095D60; Fri, 29 May 2020 16:28:24 -0700 (PDT)
Date: Fri, 29 May 2020 18:28:22 -0500
X-DH-BACKEND: pdx1-sub0-mail-a33
From: Nico Williams <>
To: Watson Ladd <>
Cc: David Benjamin <>, "<>" <>
Message-ID: <20200529232821.GO18021@localhost>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduhedruddvledgudelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucggtffrrghtthgvrhhnpefftdektefhueetveeigfefgeejteejvdfhhefgvddtfeeujeehleeguefhgffhgfenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Archived-At: <>
Subject: Re: [TLS] TLS 1.3 and TCP interactions
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 May 2020 23:28:29 -0000

On Fri, May 29, 2020 at 06:35:58PM -0400, Watson Ladd wrote:
> In my experience the issues are thorniest when dealing with blocking
> sockets. Libraries using nonblocking sockets have to signal to the
> application that they want IO to happen during the handshake, and can
> use that same mechanism at later times, particularly for rekeying.
> Libraries with blocking behavior are unfortunately in a difficult
> position if they imitate a POSIX API and have no means to drive I/O.
> One possible dirty trick is to set nonblocking on an owned socket and
> translate the blocking call into a select or poll based loop that
> issues both writes and reads until enough is read or written. Note
> that the real corner case is unanticipated needs to read from the
> socket: the library has control when it needs to write.


Another is to start a worker thread to do all (async) I/O on the
connection and use inter-thread communications primitives on the
blocking I/O API side.  Because the worker thread needs to do async I/O
anyways, it might as well service multiple connections to reduce the
amount of resources needed for the whole thing.