See Figure 2,
"[[OPEN ISSUE: Do we restart the handshake hash?]]
[[OPEN ISSUE: We need to make sure that this flow doesn't introduce
downgrade issues. Potential options include continuing the handshake
hashes (as long as clients don't change their opinion of the server's
capabilities with aborted handshakes) and requiring the client to send
the same ClientHello (as is currently done) and then checking you get
the same negotiated parameters.]]"
Re-starting the hashes is conceptually cleaner, but needs security
analysis.
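A simplified model of the two options in the quoted open issue, added here as an illustration and not taken from the draft or from the issue author. The messages are constructed placeholder byte strings, not TLS wire format, and the function names are hypothetical. It shows that a first ClientHello altered in transit leaves the two endpoints' hashes equal when the hash restarts, and unequal when it continues across the aborted handshake.

```python
import hashlib

def transcript_hash(messages):
    """SHA-256 over length-prefixed messages (prefix avoids boundary ambiguity)."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(3, "big") + m)
    return h.digest()

def covered(view, restart):
    """Messages one endpoint feeds into its handshake hash.

    view = (ClientHello1, HelloRetryRequest, ClientHello2, ServerHello)
    restart=True  -> hash restarts after the aborted exchange
    restart=False -> hash continues across it
    """
    ch1, hrr, ch2, sh = view
    return [ch2, sh] if restart else [ch1, hrr, ch2, sh]

def hashes_agree(client_view, server_view, restart):
    """True when both endpoints would compute the same handshake hash."""
    return (transcript_hash(covered(client_view, restart))
            == transcript_hash(covered(server_view, restart)))

# Constructed placeholder messages (assumption: not real TLS encoding).
CH1_SENT = b"ClientHello1 offer=A,B"   # what the client sent
CH1_SEEN = b"ClientHello1 offer=B"     # what the server received (altered)
HRR = b"HelloRetryRequest group=B"
CH2 = b"ClientHello2 share=B"
SH = b"ServerHello group=B"

CLIENT_VIEW = (CH1_SENT, HRR, CH2, SH)
SERVER_VIEW = (CH1_SEEN, HRR, CH2, SH)

def compare_modes():
    """Report, per mode, whether the endpoints' hashes still agree."""
    return {
        "restart": hashes_agree(CLIENT_VIEW, SERVER_VIEW, restart=True),
        "continue": hashes_agree(CLIENT_VIEW, SERVER_VIEW, restart=False),
    }

if __name__ == "__main__":
    for mode, agree in compare_modes().items():
        print(mode, "hashes agree" if agree else "mismatch detected")
```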