
Don't send session tickets when client authentication is being used #191

Open
kazuho opened this issue Nov 29, 2018 · 2 comments

Comments

@kazuho
Member

kazuho commented Nov 29, 2018

Two issues:

  • the ticket is never used, because resumption and client authentication are mutually exclusive features in picotls
  • the handshake transcript used for generating the ticket is incorrect, because we send the ticket along with ServerFinished under the assumption that the only yet-to-be-seen messages are EOED and CF
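As an added illustration of the second point (this is not picotls code; the secrets and message bodies are constructed placeholders, and EndOfEarlyData is left out), the snippet below follows the RFC 8446 key schedule to derive the resumption master secret twice: once from the transcript the server predicts when it emits NewSessionTicket alongside ServerFinished (only client Finished still to come), and once from the real transcript, which also carries the client's Certificate and CertificateVerify when client authentication is in use. The two agree only without client auth.

```python
import hashlib
import hmac
import struct

HASH, HLEN = hashlib.sha256, 32

def hkdf_expand(prk, info, length):
    # RFC 5869 HKDF-Expand with HMAC-SHA256
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out, i = out + t, i + 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    # RFC 8446 section 7.1: HKDF-Expand-Label over the HkdfLabel structure
    full = b"tls13 " + label
    info = (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def transcript_hash(msgs):
    return HASH(b"".join(msgs)).digest()

def hs_msg(msg_type, body):
    # Handshake message framing: type (1 byte) + 24-bit length + body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def client_finished(client_hs_traffic_secret, transcript):
    # Finished.verify_data = HMAC(finished_key, Transcript-Hash(all prior messages))
    finished_key = hkdf_expand_label(client_hs_traffic_secret, b"finished", b"", HLEN)
    return hs_msg(20, hmac.new(finished_key, transcript_hash(transcript), HASH).digest())

def resumption_master_secret(master_secret, transcript_through_client_finished):
    # Derive-Secret(Master Secret, "res master", ClientHello..client Finished)
    return hkdf_expand_label(master_secret, b"res master",
                             transcript_hash(transcript_through_client_finished), HLEN)

# Constructed placeholder secrets (not real handshake output).
MASTER, CLIENT_HS = b"\x11" * HLEN, b"\x22" * HLEN

def server_flight(client_auth):
    # Everything up to and including ServerFinished; CertificateRequest only with client auth.
    msgs = [hs_msg(1, b"ClientHello"), hs_msg(2, b"ServerHello"), hs_msg(8, b"EncryptedExts")]
    if client_auth:
        msgs.append(hs_msg(13, b"CertificateRequest"))
    return msgs + [hs_msg(11, b"ServerCert"), hs_msg(15, b"ServerCertVerify"), hs_msg(20, b"SF")]

def ticket_secret_matches(client_auth):
    flight = server_flight(client_auth)
    # Server's assumption when sending NST with ServerFinished: only client Finished remains.
    predicted = flight + [client_finished(CLIENT_HS, flight)]
    # Real transcript: client Certificate + CertificateVerify precede Finished under client auth.
    real_prefix = flight + ([hs_msg(11, b"ClientCert"), hs_msg(15, b"ClientCV")] if client_auth else [])
    real = real_prefix + [client_finished(CLIENT_HS, real_prefix)]
    return resumption_master_secret(MASTER, predicted) == resumption_master_secret(MASTER, real)
```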
@huitema
Collaborator

huitema commented Feb 12, 2019

Of course, the best solution would be to actually support resumption with client auth, and carry the client-id in the ticket somehow. That way we could have client auth and zero-rtt...

@kazuho
Member Author

kazuho commented Feb 12, 2019

I'm happy to look at a PR that actually implements that; IMO the basic approach would be to have a blob identifying the client in ptls_t. Applications would set the blob in the verify_sign callback. Picotls sends it in NST and also decodes it from a session ticket.
