-
Daiki Ueno authored
Previously, the client was sending early data after receiving a Server Hello message, which not only negates the benefit of 0-RTT, but also was a logic error as it can only be decrypted by the server when the initial handshake and the resuming handshake agree on the same ciphersuites. This fixes that behavior in the following ways: - extend the session data format to include the selected ciphersuites, even in TLS 1.3 - setup the epoch for early data, right before the client sending early data (also right after the server deciding to accept early data). - extend the test case to use different ciphersuites in the initial and resuming handshakes Signed-off-by: Daiki Ueno <ueno@gnu.org>
0e1f1f05