RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Reported (1)

RFC 5077, "Transport Layer Security (TLS) Session Resumption without Server-Side State", January 2008

Note: This RFC has been obsoleted by RFC 8446

Note: This RFC has been updated by RFC 8447

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 4800
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Joseph Birr-Pixton
Date Reported: 2016-09-10

Section 4 says:

      struct {
          uint32 ticket_lifetime_hint;
          opaque ticket<0..2^16-1>;
      } NewSessionTicket;

(...)

   The ticket is structured as follows:

      struct {
          opaque key_name[16];
          opaque iv[16];
          opaque encrypted_state<0..2^16-1>;
          opaque mac[32];
      } ticket;

(...)

      struct {
          ProtocolVersion protocol_version;
          CipherSuite cipher_suite;
          CompressionMethod compression_method;
          opaque master_secret[48];
          ClientIdentity client_identity;
          uint32 timestamp;
      } StatePlaintext;

      enum {
         anonymous(0),
         certificate_based(1),
         psk(2)
     } ClientAuthenticationType;

      struct {
          ClientAuthenticationType client_authentication_type;
          select (ClientAuthenticationType) {
              case anonymous: struct {};
              case certificate_based:
                  ASN.1Cert certificate_list<0..2^24-1>;
              case psk:
                  opaque psk_identity<0..2^16-1>;   /* from [RFC4279] */
          };
       } ClientIdentity;

Notes:

The ticket construction recommended in section 4 appears to be unimplementable in two respects:

1. Tickets are up to 2^16-1 bytes in length, given they appear in both the client hello extension and the NewSessionTicket handshake message. The recommended format defines a ticket of up to 16+16+32+2+2^16-1 bytes in length. This does not fit.

2. The recommended format allows for up to 2^16-1 bytes of state plaintext in the encrypted_state field. The suggested StatePlaintext is up to 2+2+1+48+1+4+3+2^24-1 bytes in length. This does not fit.

Report New Errata



Advanced Search