Re: [TLS] Fwd: I-D Action:draft-bmoeller-tls-falsestart-00.txt

"Brian Smith" <> Fri, 04 June 2010 14:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E47E83A699A for <>; Fri, 4 Jun 2010 07:28:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.201
X-Spam-Status: No, score=0.201 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_50=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZfO7lOBBRv0p for <>; Fri, 4 Jun 2010 07:28:11 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D8A913A67F0 for <>; Fri, 4 Jun 2010 07:28:10 -0700 (PDT)
Received: from T60 (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id A3F0F509DF; Fri, 4 Jun 2010 10:27:50 -0400 (EDT)
From: "Brian Smith" <>
To: <>, <>
References: <> from "Michael D'Errico" at Jun 3, 10 10:31:36 am <>
In-Reply-To: <>
Date: Fri, 4 Jun 2010 09:27:51 -0500
Message-ID: <007601cb03f2$209c8a50$61d59ef0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGEXif2Lv6KEtD2FvrcmkTQEjIgbgI7vThvAbDZ+GA=
Content-Language: en-us
Subject: Re: [TLS] Fwd: I-D Action:draft-bmoeller-tls-falsestart-00.txt
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Jun 2010 14:28:14 -0000

Martin Rex wrote:
> When TCP is used as the transport, I assume that sending the
> ChangeCipherSpec&Finished handshake message in a TCP segment seperate
> from the successor TLS application data record ("TCP Push") likely makes
> False Start clients interoperate with any TLS server implementation.

My prototype server implementation does not work with this mechanism. First,
my implementation always reads as much input as is available, up to its
buffer size, so any data after the client's Finished message will be read
into the buffer. Then, it will abort the connection if it sees anything
after the Finished message--mostly because it actually reuses the receive
buffer as its send buffer. Or, in other words, my implementation is
optimized for the fact that the initial TLS handshake is half-duplex. I
would be surprised if I was the only person to implement such an

Trying to separate the packets will do any good, as the server operating
system is just going to coalesce them anyway before the application can
process them. And, sending separate packets would be quite a pessimization
for the GRPS clients that would benefit the most from this extension.

> TLS implementations that work similar to OpenSSL, reading each record
> individually (header first, then the rest of the body) probably don't care
at all
> about network-level segments.

I think most implementations work similarly to OpenSSL in that respect,
especially if they support renegotiation; in renegotiation you can have
application data interleaved with the handshake messages so optimizations
like the ones described above do not work. Most implementations seem to use
the same logic for initial and renegotiated handshakes whenever possible.