On Mon, 19 Jun 2017, Eric Rescorla wrote:
>> Also the consequences of being strict can be worse. Should a TLS connection fail if the nonce size for the integrity algorithm is too weak?
>
> Not to get too into the weeds, but this isn't a coherent question: In TLS 1.1 and TLS 1.2 [0] the size of the nonce is associated with the cipher suite and it's encoded onto the wire without framing. If the sender uses the wrong nonce size, you just get integrity failures.

Ok you caught me on a last minute IKE -> TLS word-smithing change :)

We did run into this in our IKE implementation when going through FIPS validation. And it seemed no one cared that our values were too small to do SHA2_512.

Paul