case TLS_ST_SW_SESSION_TICKET:
if (SSL_IS_TLS13(s)) {
/*
* Actually this is the end of the handshake, but we're going
* straight into writing the session ticket out. So we finish off
* the handshake, but keep the various buffers active.
*/
/***************************End time stamp*****************************************************/
struct timespec end;
clock_gettime(CLOCK_MONOTONIC_RAW, &end);
uint64_t tempTimeEnd = end.tv_nsec / 1000;
printf("Handshake End time : %llu \n", tempTimeEnd);
return tls_finish_handshake(s, wst, 0);
} if (SSL_IS_DTLS(s)) {
/*
* We're into the last flight. We don't retransmit the last flight
* unless we need to, so we don't use the timer
*/
st->use_timer = 0;
}
Thanks
BR,
Neetish
On 06/16/2017 05:36 PM, Matt Caswell wrote:
The security properties of such "external" PSKs are substantially different than the "ephemeral" PSKs used in resumption flows.Ben - Even external PSKs incorporate an ephemeral, per connection, ECDHE based secret (assuming a suitable kex_mode is used). What do you see as the concern?
The risk of accidentally using psk_ke instead of psk_dhe_ke is noticeable, and in terms of concrete differences, there are additional requirements on external PSKs that the KDF and PSK identity must remain fixed across uses. That, combined with the potential for insufficient entropy during key generation (mentioned in section 2.2 of draft-20) seem to provide more openings for cryptographic attacks than for the full resumption flow. It is probably fine for uses where the other properties of external PSKs are needed, but I'm not sure that the risk/reward balance favors using it just to get a speedup -- TLS 1.3 resumption should already be pretty fast.
-Ben
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
