RFC Errata
RFC 5077, "Transport Layer Security (TLS) Session Resumption without Server-Side State", January 2008
Note: This RFC has been obsoleted by RFC 8446
Note: This RFC has been updated by RFC 8447
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 4800
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Joseph Birr-Pixton
Date Reported: 2016-09-10
Section 4 says:
struct { uint32 ticket_lifetime_hint; opaque ticket<0..2^16-1>; } NewSessionTicket; (...) The ticket is structured as follows: struct { opaque key_name[16]; opaque iv[16]; opaque encrypted_state<0..2^16-1>; opaque mac[32]; } ticket; (...) struct { ProtocolVersion protocol_version; CipherSuite cipher_suite; CompressionMethod compression_method; opaque master_secret[48]; ClientIdentity client_identity; uint32 timestamp; } StatePlaintext; enum { anonymous(0), certificate_based(1), psk(2) } ClientAuthenticationType; struct { ClientAuthenticationType client_authentication_type; select (ClientAuthenticationType) { case anonymous: struct {}; case certificate_based: ASN.1Cert certificate_list<0..2^24-1>; case psk: opaque psk_identity<0..2^16-1>; /* from [RFC4279] */ }; } ClientIdentity;
Notes:
The ticket construction recommended in section 4 appears to be unimplementable in two respects:
1. Tickets are up to 2^16-1 bytes in length, given they appear in both the client hello extension and the NewSessionTicket handshake message. The recommended format defines a ticket of up to 16+16+32+2+2^16-1 bytes in length. This does not fit.
2. The recommended format allows for up to 2^16-1 bytes of state plaintext in the encrypted_state field. The suggested StatePlaintext is up to 2+2+1+48+1+4+3+2^24-1 bytes in length. This does not fit.