
0-RTT #14

Open
mcarrickscott opened this issue Jan 17, 2021 · 10 comments

Comments

@mcarrickscott

I am testing my TLS1.3 client against swifttls.org, in particular 0-RTT on session resumption. It works OK if I calculate the application keys based on a transcript hash taken over everything up to and including Server Finish. But it does not work if I include the end-of-early-data message in the transcript hash. My reading of the RFC would indicate that it should be included?

@nsc
Owner

nsc commented Jan 17, 2021

You are right. I am reading the RFC the same way. Thanks for bringing this up. I was aware that early data wasn't working correctly, but hadn't found a good way to debug this. All test installations of TLS 1.3 servers I have tried didn't support early data.
I am currently looking into this.
Thanks again.

@mcarrickscott
Author

mcarrickscott commented Jan 17, 2021 via email

@nsc
Owner

nsc commented Jan 17, 2021

Right. My current interpretation is that the server and the client application traffic secrets are created at different points in the handshake. That means the server transcript hash does not have the end-of-early-data message in its hash, while the client does.
That is what I am trying right now.

@nsc
Owner

nsc commented Jan 17, 2021

No, that was not right. On page 92 of the RFC it says both the client and the server application traffic secret include all handshake messages up to the server Finished.
I am currently testing with Firefox, because it is using early data, and it seems to work fine.
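
The key-schedule boundary the thread settles on, as an added example that is not SwiftTLS code: both application traffic secrets are derived over the transcript hash of ClientHello through the server Finished (RFC 8446 Section 7.1), so a client that also hashes EndOfEarlyData ends up with keys the server does not share. The PSK, ECDHE shared secret and handshake message bodies are constructed placeholders.

```python
# Added example, not SwiftTLS code: RFC 8446 Section 7.1 key schedule for a
# PSK+ECDHE resumption. Both application traffic secrets hash the transcript
# ClientHello..server Finished only; PSK, ECDHE and message bodies are placeholders.
import hashlib, hmac

HASH, HLEN = hashlib.sha256, 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, ctx: bytes, length: int) -> bytes:
    # HkdfLabel: uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(ctx)]) + ctx
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)

def hs_msg(msg_type: int, body: bytes) -> bytes:
    # Handshake framing: HandshakeType(1) || uint24 length || body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def app_traffic_secrets(psk: bytes, ecdhe: bytes, transcript: bytes) -> tuple:
    """Return (client_application_traffic_secret_0, server_application_traffic_secret_0).
    `transcript` is ClientHello through server Finished; nothing sent later belongs in it."""
    early = hkdf_extract(b"\x00" * HLEN, psk)
    handshake = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe)
    master = hkdf_extract(derive_secret(handshake, b"derived", b""), b"\x00" * HLEN)
    return (derive_secret(master, b"c ap traffic", transcript),
            derive_secret(master, b"s ap traffic", transcript))

# Constructed resumption flight: handshake types are real, bodies are placeholders.
PSK, ECDHE = b"\x11" * HLEN, b"\x22" * HLEN
TO_SERVER_FINISHED = (hs_msg(1, b"client-hello") + hs_msg(2, b"server-hello")
                      + hs_msg(8, b"enc-ext") + hs_msg(20, b"server-finished"))
END_OF_EARLY_DATA = hs_msg(5, b"")  # EndOfEarlyData carries an empty body

def secrets_agree(client_transcript: bytes, server_transcript: bytes) -> bool:
    """True only if both ends hashed the same prefix; the client adding EndOfEarlyData breaks it."""
    return app_traffic_secrets(PSK, ECDHE, client_transcript) == app_traffic_secrets(PSK, ECDHE, server_transcript)
```

The zero-PSK early secret produced by `hkdf_extract` can be checked against the RFC 8448 trace, which makes the HKDF primitives easy to validate before debugging transcript boundaries.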

@nsc
Owner

nsc commented Jan 19, 2021

I have now enabled the test server to send early data responses. I think the early data handling is working correctly. Maybe you want to have a try with your client.

@mcarrickscott
Author

mcarrickscott commented Jan 19, 2021 via email

@nsc
Owner

nsc commented Jan 19, 2021

Hi Mike,
yes, I am currently not supporting X25519, but the good thing is that this triggers the HelloRetry :-)

I guess this is the log from your request (the only one with early data):
2021-01-19 13:44:05.554 (~427): Connection from 86.44.157.108
2021-01-19 13:44:05.557 (~427): Curve: x25519
2021-01-19 13:44:05.557 (~427): Supported Cipher Suites:
2021-01-19 13:44:05.557 (~427): TLS_AES_128_GCM_SHA256
2021-01-19 13:44:05.557 (~427): TLS_AES_256_GCM_SHA384
2021-01-19 13:44:05.557 (~427): Selected cipher suite is TLS_AES_128_GCM_SHA256
2021-01-19 13:44:05.557 (~427): Server: did receive message ClientHello
2021-01-19 13:44:05.557 (~427): Server: did send message HelloRetryRequest
2021-01-19 13:44:05.805 (~427): Curve: secp256r1
2021-01-19 13:44:05.805 (~427): Supported Cipher Suites:
2021-01-19 13:44:05.805 (~427): TLS_AES_128_GCM_SHA256
2021-01-19 13:44:05.805 (~427): TLS_AES_256_GCM_SHA384
2021-01-19 13:44:05.805 (~427): Selected cipher suite is TLS_AES_128_GCM_SHA256
2021-01-19 13:44:05.805 (~427): Server: did receive message ClientHello
2021-01-19 13:44:06.412 (~427): Server: did send message ServerHello
2021-01-19 13:44:06.412 (~427): Server: did send message EncryptedExtensions
2021-01-19 13:44:06.413 (~427): Server: did send message Certificate
2021-01-19 13:44:06.616 (~427): Server: did send message CertificateVerify
2021-01-19 13:44:06.616 (~427): Server: did send message Finished
2021-01-19 13:44:06.617 (~427): Server: activate server traffic secret
2021-01-19 13:44:06.642 (~427): Server: Activate client traffic secret
2021-01-19 13:44:06.642 (~427): Server: did receive message Finished
2021-01-19 13:44:06.643 (~427): Server: did send message NewSessionTicket
2021-01-19 13:44:06.675 (~427): TLS Version: TLS v1.3
Cipher: TLS_AES_128_GCM_SHA256

Client Request:
GET / HTTP/1.1
Host: swifttls.org

2021-01-19 13:44:11.766 (~427): Error: Socket Closed
2021-01-19 13:44:11.786 (~428): Connection from 86.44.157.108
2021-01-19 13:44:11.809 (~428): Curve: secp256r1
2021-01-19 13:44:11.810 (~428): Supported Cipher Suites:
2021-01-19 13:44:11.810 (~428): TLS_AES_128_GCM_SHA256
2021-01-19 13:44:11.810 (~428): TLS_AES_256_GCM_SHA384
2021-01-19 13:44:11.810 (~428): Selected cipher suite is TLS_AES_128_GCM_SHA256
2021-01-19 13:44:11.810 (~428): Server ticket age : 5167
2021-01-19 13:44:11.810 (~428): Client ticket age : 5114
2021-01-19 13:44:11.810 (~428): ticket hash algorithm : sha256
2021-01-19 13:44:11.810 (~428): Choose ticket [10, 190, 26, 84, 100, 68, 166, 90, 20, 199, 131, 6, 146, 250, 227, 235, 206, 41, 155, 198, 72, 103, 189, 81, 38, 122, 255, 51, 124, 169, 42, 135]
2021-01-19 13:44:11.810 (~428): Server: did receive message ClientHello
2021-01-19 13:44:12.404 (~428): Server: did send message ServerHello
2021-01-19 13:44:12.405 (~428): Server: did send message EncryptedExtensions
2021-01-19 13:44:12.405 (~428): Server: did send message Finished
2021-01-19 13:44:12.405 (~428): Server: activate server traffic secret
2021-01-19 13:44:12.405 (~428): Server: activate early traffic secret
2021-01-19 13:44:12.405 (~428): Server: did receive early data: Optional(SwiftTLS.TLSApplicationData)
2021-01-19 13:44:12.406 (~428): TLS Version: TLS v1.3
Cipher: TLS_AES_128_GCM_SHA256
Ticket:

serverNames: ["swifttls.org"]
identity: 0a be 1a 54 64 44 a6 5a 14 c7 83 06 92 fa e3 eb
ce 29 9b c6 48 67 bd 51 26 7a ff 33 7c a9 2a 87
nonce: 00
lifeTime: 3600
ageAdd: 1732565963
cipherSuite: TLS_AES_128_GCM_SHA256
hashAlgorithm sha256

Client Request:
GET / HTTP/1.1
Host: swifttls.org
Early-Data: 1

2021-01-19 13:44:12.407 (~428): Server: sending 727 bytes of early data
2021-01-19 13:44:12.423 (~428): Server: did receive early data: Optional(SwiftTLS.TLS1_3.TLSEndOfEarlyData)
2021-01-19 13:44:12.440 (~428): Server: Activate client traffic secret
2021-01-19 13:44:12.440 (~428): Server: did receive message Finished
2021-01-19 13:44:12.440 (~428): Server: did send message NewSessionTicket

@nsc
Owner

nsc commented Jan 19, 2021

> it is not easy to debug a tls1.3 client

:-) Tell me about it. Took me a long time, too. With the more subtle bugs, I had a working implementation running on the other end (like OpenSSL or something) and littered it with debug logs to see why it wasn't accepting my input.
Feel free to use my server locally :-)

@mcarrickscott
Author

mcarrickscott commented Jan 20, 2021 via email

@nsc
Owner

nsc commented Jan 20, 2021

> Will do. Yours is the most developer-friendly implementation I have come across.

Thanks. It is nice to hear that it is useful to you :-)

> check out https://github.com/miracl/core

Cool, I will take a look.
