Full plan: RESUMPTION_SCOPE.md.
Goal (performance): skip the per-connection TLS cost that dominates page load on a G3 — the ECDHE key exchange (P-384 especially) and the RSA/ECDSA certificate-chain verify — by resuming with a ticket the server already gave us. Only purely-speed item on the macTLS roadmap.
The bet: psk_dhe_ke only (fresh ECDHE alongside PSK, keeps forward secrecy); 1-RTT only, no 0-RTT/early_data in v1; one ticket per host cached in RAM (no disk persistence yet); SHA-256 suites first (PSK is hash-bound); full-handshake fallback always.
What 1.3 already gives us: Early→Handshake→Master key schedule, HKDF-Expand-Label + transcript machinery, host[] + lazy hs13 on the connection. Missing: resumption_master_secret derivation, and NewSessionTicket is currently discarded.
Stages (hardware-gated, like the 1.3 work):
- A — derive resumption secret (res master → resumption PSK); host-test vs openssl.
- B — parse NewSessionTicket + RAM cache keyed by host (lifetime/age_add/nonce/suite).
- C — resumption ClientHello: psk_key_exchange_modes + pre_shared_key + binder (HMAC over the binder-less transcript — the fiddly part); host-test the binder vs openssl.
- D — resumed key schedule (Early Secret from PSK) + ServerHello accept (skip cert) / reject (full fallback); host-verify both branches.
- E — wire cache into the async layer (populate on ticket, consult on Start); host-verify a real resume.
- F — G3 hardware gate: time full vs resumed to a real ticketing server; accept when resumed completes, app-data flows, and it's measurably faster.
Reference: RFC 8446 §2.2/§4.2.11/§4.2.9/§4.6.1/§7.1; Certainly's resumption path.
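Worked version of the stage A, B, C and D derivations, added here as an example; it is not macTLS code (none is on this page) and not the openssl reference. Python with hashlib/hmac is used because these are exactly the values the host-tests compare against openssl, and the G3-side C is the project's own concern. Assumptions: SHA-256 suites only (Hash.length 32), as the plan says; "binder-less transcript" is taken in the RFC 8446 §4.2.11.2 sense, the ClientHello serialized up to and including the binders-list length field; the master secret, transcript bytes, ticket nonce and ECDHE shared secret in demo() are constructed stand-ins, not captured handshake values.

```python
"""RFC 8446 resumption pieces, SHA-256 suites only:
stage A  res master -> resumption PSK,
stage B  obfuscated_ticket_age for the cache entry,
stage C  the PSK binder over the binder-less ClientHello,
stage D  Early Secret / Handshake Secret of a psk_dhe_ke resume.
Added example, not macTLS code."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for the SHA-256 suites


# ---- RFC 5869 HKDF and the RFC 8446 s7.1 label wrapper ----------------

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # An empty salt means HASH_LEN zero bytes (RFC 5869 s2.2).
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label.encode("ascii")
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    # Derive-Secret(Secret, Label, Messages) = Expand-Label(Secret, Label, Transcript-Hash(Messages))
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


# ---- Stage A: resumption_master_secret -> PSK --------------------------

def resumption_master_secret(master_secret: bytes, transcript_through_client_finished: bytes) -> bytes:
    return derive_secret(master_secret, "res master", transcript_through_client_finished)


def resumption_psk(res_master: bytes, ticket_nonce: bytes) -> bytes:
    # RFC 8446 s4.6.1: HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length)
    return hkdf_expand_label(res_master, "resumption", ticket_nonce, HASH_LEN)


# ---- Stage B: the age the cache must report back -----------------------

def obfuscated_ticket_age(age_ms: int, ticket_age_add: int) -> int:
    # PskIdentity.obfuscated_ticket_age = (ticket age in ms + ticket_age_add) mod 2^32
    return (age_ms + ticket_age_add) & 0xFFFFFFFF


# ---- Stage C: the binder ----------------------------------------------

def early_secret_from_psk(psk: bytes) -> bytes:
    # Early Secret = HKDF-Extract(salt = 0, IKM = PSK)
    return hkdf_extract(b"", psk)


def binder_finished_key(psk: bytes) -> bytes:
    binder_key = derive_secret(early_secret_from_psk(psk), "res binder", b"")
    return hkdf_expand_label(binder_key, "finished", b"", HASH_LEN)


def compute_binder(psk: bytes, truncated_client_hello: bytes) -> bytes:
    # Same construction as Finished: HMAC(finished_key, Transcript-Hash(ClientHello minus the binders list))
    return hmac.new(binder_finished_key(psk), HASH(truncated_client_hello).digest(), HASH).digest()


def verify_binder(psk: bytes, truncated_client_hello: bytes, binder: bytes) -> bool:
    # What the server checks, and the oracle for the host-test: constant-time compare.
    return hmac.compare_digest(compute_binder(psk, truncated_client_hello), binder)


# ---- Stage D: psk_dhe_ke key schedule ---------------------------------

def handshake_secret(early_secret: bytes, ecdhe_shared_secret: bytes) -> bytes:
    # Handshake Secret = HKDF-Extract(Derive-Secret(Early, "derived", ""), (EC)DHE shared secret)
    return hkdf_extract(derive_secret(early_secret, "derived", b""), ecdhe_shared_secret)


def demo() -> dict:
    # Every input here is a constructed stand-in, not a captured handshake value.
    master = bytes(range(32))
    transcript_full = b"CH..SH..EE..CERT..CV..SF..CF (constructed transcript)"
    ticket_nonce = b"\x00\x00"                     # from NewSessionTicket
    res_master = resumption_master_secret(master, transcript_full)
    psk = resumption_psk(res_master, ticket_nonce)
    truncated_ch = b"ClientHello up to the binders length field (constructed)"
    binder = compute_binder(psk, truncated_ch)
    hs = handshake_secret(early_secret_from_psk(psk), bytes(48))  # stand-in P-384 shared secret
    return {"psk": psk, "binder": binder, "handshake_secret": hs,
            "binder_ok": verify_binder(psk, truncated_ch, binder)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The hkdf_extract/hkdf_expand pair can be checked against RFC 5869 test case 1 before trusting anything above it, and the binder check is the natural host-test oracle: feed the same PSK and the same truncated ClientHello bytes to openssl and to this, and the binder must match byte for byte.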