Currently, it is not possible to make use of QUIC's address validation tokens if the server sends the NEW_TOKEN frame before sending the crypto frame containing the TLS NewSessionTicket. The address validation token gets stored, then thrown away.
This new session does not specify the same QUIC transport parameters and is therefore assumed to be related to another, more recent session. The old cache entry (containing the token) gets removed and a new entry without the token is inserted.
Is the described behavior on purpose or is it a bug?
AFAIK, a client should be able to use tokens independent of the TLS session ticket.
If this is a bug, maybe it would make sense to copy an existing address validation token from the existing cache entry into the new cache entry for the same server ID before deleting the existing cache entry. Let me know if this solution is fine and whether I should contribute it to the QUICHE project.
John-Athan changed the title from "Allow sending of NEW_TOKEN frames before TLS NewSessionTickets" to "Allow sending NEW_TOKEN frames before TLS NewSessionTickets" on Sep 22, 2023.
Thank you very much for the details. Yes, this is a bug. A client should correctly handle the case where tokens arrive before session tickets. Because tokens are one-time use, as you said, copying existing tokens from the old entry to the new entry is definitely the right thing to do. In addition, the fix should also handle cases where a token arrives and there is no entry (either because this is a new session, or because the old session only contained one ticket and it has been used for resumption). If you can write the patch, we are more than happy to review it (and patch it in). Please follow https://github.com/google/quiche/blob/main/CONTRIBUTING.md
This issue was originally opened in the quic-go repository.
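The cache bookkeeping described in the report and in the maintainer's reply, as an added example that is not QUICHE's (or quic-go's) own code. It models a client session cache keyed by server ID with invented names (ClientSessionCache, OnNewToken, OnNewSessionTicket, TakeToken, TakeTicket), reduces transport parameters, tickets and tokens to opaque strings, and uses constructed sample values; the constructor flag switches between the reported behaviour (tokens lost when the entry is replaced) and the proposed fix (tokens carried over, and an entry created when a token arrives with none present).

```cpp
// Added example (not QUICHE code): minimal model of a client session cache.
// All names and sample values are constructed for illustration.
#include <deque>
#include <map>
#include <optional>
#include <string>
#include <utility>

struct CacheEntry {
  std::string transport_params;     // empty until a NewSessionTicket arrives
  std::deque<std::string> tickets;  // TLS NewSessionTickets (resumption)
  std::deque<std::string> tokens;   // NEW_TOKEN address validation tokens
};

class ClientSessionCache {
 public:
  // copy_tokens_on_replace=false reproduces the reported bug,
  // true applies the fix agreed on in the thread.
  explicit ClientSessionCache(bool copy_tokens_on_replace)
      : fix_(copy_tokens_on_replace) {}

  // NEW_TOKEN frame received. If there is no entry yet (new session, or the
  // old entry was consumed by a resumption), a params-less placeholder is
  // created so the token has somewhere to live.
  void OnNewToken(const std::string& server_id, const std::string& token) {
    cache_[server_id].tokens.push_back(token);
  }

  // CRYPTO frame carrying a NewSessionTicket received, together with the
  // server transport parameters that ticket belongs to.
  void OnNewSessionTicket(const std::string& server_id,
                          const std::string& params,
                          const std::string& ticket) {
    auto it = cache_.find(server_id);
    if (it != cache_.end() && it->second.transport_params == params) {
      it->second.tickets.push_back(ticket);  // same session: just add ticket
      return;
    }
    // Params differ (the placeholder made by OnNewToken has none), so this
    // is treated as a newer session and the old entry is replaced.
    CacheEntry fresh;
    fresh.transport_params = params;
    fresh.tickets.push_back(ticket);
    if (it != cache_.end()) {
      if (fix_) fresh.tokens = std::move(it->second.tokens);  // keep tokens
      cache_.erase(it);  // buggy path: unused tokens are lost here
    }
    cache_.emplace(server_id, std::move(fresh));
  }

  // Next connection attempt: tokens are one-time use, so pop one.
  std::optional<std::string> TakeToken(const std::string& server_id) {
    auto it = cache_.find(server_id);
    if (it == cache_.end() || it->second.tokens.empty()) return std::nullopt;
    std::string t = std::move(it->second.tokens.front());
    it->second.tokens.pop_front();
    return t;
  }

  // Resumption consumes a ticket; an entry with nothing left is dropped,
  // which produces the "no entry" case the maintainer mentions.
  std::optional<std::string> TakeTicket(const std::string& server_id) {
    auto it = cache_.find(server_id);
    if (it == cache_.end() || it->second.tickets.empty()) return std::nullopt;
    std::string t = std::move(it->second.tickets.front());
    it->second.tickets.pop_front();
    if (it->second.tickets.empty() && it->second.tokens.empty()) cache_.erase(it);
    return t;
  }

 private:
  bool fix_;
  std::map<std::string, CacheEntry> cache_;
};

static const std::string kServerId = "example.com:443";  // constructed sample

// Reported sequence: NEW_TOKEN first, NewSessionTicket second, then a
// reconnect tries to use the token. Returns "" when the cache lost it.
std::string TokenAfterReorderedHandshake(bool with_fix) {
  ClientSessionCache cache(with_fix);
  cache.OnNewToken(kServerId, "tok-1");
  cache.OnNewSessionTicket(kServerId, "params-v1", "ticket-1");
  return cache.TakeToken(kServerId).value_or("");
}

// Control: when the ticket arrives before the token, the token survives
// in both modes, showing the problem is purely one of frame ordering.
std::string TokenWhenTicketArrivesFirst(bool with_fix) {
  ClientSessionCache cache(with_fix);
  cache.OnNewSessionTicket(kServerId, "params-v1", "ticket-1");
  cache.OnNewToken(kServerId, "tok-1");
  return cache.TakeToken(kServerId).value_or("");
}

// Maintainer's extra case: the only ticket was used for resumption, so no
// entry exists when the next connection's NEW_TOKEN arrives.
std::string TokenAfterResumption(bool with_fix) {
  ClientSessionCache cache(with_fix);
  cache.OnNewSessionTicket(kServerId, "params-v1", "ticket-1");
  cache.TakeTicket(kServerId);  // resumption consumes the single ticket
  cache.OnNewToken(kServerId, "tok-2");
  cache.OnNewSessionTicket(kServerId, "params-v1", "ticket-2");
  return cache.TakeToken(kServerId).value_or("");
}
```

Running the three scenarios with the flag off and on shows the token disappearing only in the reordered and post-resumption cases, which is exactly what copying tokens across the entry replacement (and creating an entry for a bare token) repairs.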