-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for other inputs than packets #3873
Comments
Q: Does this indicate that the TLS changes involved in #3821 may be editorial? I'd like to focus on the transport and recovery changes to deal with the issue, and it'd be nice if the tls changes were separate from my perspective. |
Why isn't #3874 adequate for this? Specifically, isn't it enough to change the stance from synchronous to asynchronous? |
I would prefer to explain how certificate validation can take time and block availability of keys. |
This clarifies the TLS interface by explaining that TLS only generates outputs (handshake bytes or keying material) in response to inputs. Previously, the only inputs we acknowledged were the handshake bytes, but this recognizes two more: the signal from the client to start handshaking, and - for async validation - a signal that a certificate is OK or not. Closes #3873.
Should this become proposal-ready? |
@larseggert : This is an editorial issue, so no. |
The process for interacting with TLS does not acknowledge the possibility that progress in the handshake might depend on inputs other than CRYPTO frames. In particular, endpoints might need to perform additional checking to decide that the TLS handshake is complete. The most important example being the processing that occurs for certificate validation. This is often an asynchronous process, with OCSP and other muck, so recognizing that explicitly in the draft is worthwhile.
This might help tease out one of the causes of the problem discussed in #3821, but it doesn't lead to a solution.
The text was updated successfully, but these errors were encountered: