)]}' { "commit": "c8b6b4fe4afbcd31b61007b1288de380c7f51b4c", "tree": "e5e09d3975f8e21763ca50c50387f6a40c9eef0b", "parents": [ "af56fbd62aa4e60b9085a9b390b9db30af5ebd1e" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Thu Sep 08 23:47:48 2016 -0400" }, "committer": { "name": "CQ bot account: commit-bot@chromium.org", "email": "commit-bot@chromium.org", "time": "Wed Sep 21 21:18:34 2016 +0000" }, "message": "Only predict X25519 in TLS 1.3.\n\nWe\u0027d previously been assuming we\u0027d want to predict P-256 and X25519 but,\non reflection, that\u0027s nonsense. Although, today, P-256 is widespread and\nX25519 is less so, that\u0027s not the right question to ask. Those servers\nare all 1.2.\n\nThe right question is whether we believe enough servers will get to TLS\n1.3 before X25519 to justify wasting 64 bytes on all other connections.\nGiven that OpenSSL has already shipped X25519 and Microsoft was doing\ninterop testing on X25519 around when we were shipping it, I think the\nanswer is no.\n\nMoreover, if we are wrong, it will be easier to go from predicting one\ngroup to two rather than the inverse (provided we send a fake one with\nGREASE). I anticipate prediction-miss HelloRetryRequest logic across the\nTLS/TCP ecosystem will be largely untested (no one wants to pay an RTT),\nso taking a group out of the predicted set will likely be a risky\noperation.\n\nOnly predicting one group also makes things a bit simpler. I haven\u0027t\ndone this here, but we\u0027ll be able to fold the 1.2 and 1.3 ecdh_ctx\u0027s\ntogether, even.\n\nChange-Id: Ie7e42d3105aca48eb9d97e2e05a16c5379aa66a3\nReviewed-on: https://boringssl-review.googlesource.com/10960\nReviewed-by: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nCQ-Verified: CQ bot account: commit-bot@chromium.org \u003ccommit-bot@chromium.org\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "f94156f781129f6fb983832dd6c7cd7aa1cca970", "old_mode": 33188, "old_path": "crypto/err/ssl.errordata", "new_id": "e19b347bfbd2682d05a741e503cd236507f14c45", "new_mode": 33188, "new_path": "crypto/err/ssl.errordata" }, { "type": "modify", "old_id": "d7e5add96f87f3d1256ed03864dcfbf7e7b2daab", "old_mode": 33188, "old_path": "include/openssl/ssl.h", "new_id": "d629b8f3af39b63f70954596d2bbde262a91347f", "new_mode": 33188, "new_path": "include/openssl/ssl.h" }, { "type": "modify", "old_id": "eff567236bc95fa0097a73d8d67433be1d72d7eb", "old_mode": 33188, "old_path": "ssl/internal.h", "new_id": "232364ee5227071f7c6a0b83c22b0118597ea67b", "new_mode": 33188, "new_path": "ssl/internal.h" }, { "type": "modify", "old_id": "e77e8ca6e9435aecc705cadf0818a280a97489c0", "old_mode": 33188, "old_path": "ssl/s3_both.c", "new_id": "52c93aa9f27c478411abab04bee26ff5e2901693", "new_mode": 33188, "new_path": "ssl/s3_both.c" }, { "type": "modify", "old_id": "32d959408f6fe6e319154c59cbf9c52468958bc4", "old_mode": 33188, "old_path": "ssl/t1_lib.c", "new_id": "81dbdc4bc89c33bb8cbab583e1f10a4c732bd2fc", "new_mode": 33188, "new_path": "ssl/t1_lib.c" }, { "type": "modify", "old_id": "09c013e7e222b90d0415d7d13c326a1410116f72", "old_mode": 33188, "old_path": "ssl/tls13_client.c", "new_id": "ee73f73df85ca2fb29803015ce6fa6a31040dfdc", "new_mode": 33188, "new_path": "ssl/tls13_client.c" } ] }