Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Receiving ACKs for 0-RTT #3855

Closed
ekr opened this issue Jul 8, 2020 · 4 comments · Fixed by #3868 or #3914
Closed

Receiving ACKs for 0-RTT #3855

ekr opened this issue Jul 8, 2020 · 4 comments · Fixed by #3868 or #3914
Assignees
@kazuho @huitema
Labels
-transport editorial An issue that does not affect the design of the protocol; does not require consensus.
Projects
Late Stage Processing

Comments

@ekr
Copy link
Collaborator

ekr commented Jul 8, 2020

A client only receives acknowledgments for its 0-RTT packets once the handshake
is complete. Consequently, a server might expect 0-RTT packets to start with a

However, this is not necessarily strictly true, because you might have the ACKs in 0.5RTT. Now you might say that the TLS stack reports the handshake as complete as soon as it receives Finished but that's an implementation detail
@martinthomson
Copy link
Member

I think that this is true. The server can send before then, but we require that the client not install 1-RTT keys until it considers the handshake complete.

@marten-seemann
Copy link
Contributor

we require that the client not install 1-RTT keys until it considers the handshake complete.

That's not entirely true. It's the server that needs to hold back keys (namely, the 1-RTT read key) until the handshake completes. The client can use keys as soon as they become available.

@kazuho
Copy link
Member

kazuho commented Jul 8, 2020

I think @martinthomson is correct in sense that the following three events happen at the same moment on the client side:

  • handshake is declared complete
  • TLS stack provides the 1-RTT read and write keys
  • TLS stack provides ClientFinished

@huitema
Copy link
Contributor

huitema commented Jul 8, 2020

Martin is correct. There are two different forms of handshake completion: complete when 1rtt can be sent and received, confirmed when the peer is known to be complete. The client cannot receive 0rtt acks before installing 1rtt keys, hence before hanshake is complete.

@martinthomson martinthomson added -transport editorial An issue that does not affect the design of the protocol; does not require consensus. labels Jul 8, 2020
martinthomson added a commit that referenced this issue Jul 8, 2020
@martinthomson
Prohibit reading 1-RTT before handshake complete
415ae76 
This was never explicit for the client as it is usually not possible.

Closes #3855 in a way that perhaps was not anticipated.
@martinthomson martinthomson mentioned this issue Jul 8, 2020
Merged
@larseggert larseggert added this to Triage in Late Stage Processing via automation Jul 8, 2020
@mnot mnot moved this from Triage to Editorial Issues in Late Stage Processing Jul 9, 2020
@huitema huitema mentioned this issue Jul 16, 2020
Merged
@martinthomson martinthomson linked a pull request Jul 16, 2020 that will close this issue
Acks for 0rtt only after Handshake Complete as in Quic-TLS 4.1.1 #3914
Merged
Late Stage Processing automation moved this from Editorial Issues to Issue Handled Jul 31, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kazuho kazuho

@huitema huitema

Labels
-transport editorial An issue that does not affect the design of the protocol; does not require consensus.
Projects
Late Stage Processing
  
Issue Handled
Milestone
No milestone
5 participants
@kazuho @martinthomson @ekr @marten-seemann @huitema