kaduk
Yeah, bidi shutdown has never really been reliable unless you control both endpoints, which is clearly not going to be the case for a generic library like yours.
I don't expect either the `OPENSSL_VERSION_NUMBER` check or avoiding `SSL_OP_CIPHER_SERVER_PREFERENCE` to make a difference.
> > EVP_DigestSign would be acceptable, but has only been added in 3.0 and is thus not yet widely used.
> >
> > EVP_DigestSignInit/Update/Final have been available for a long time...
Can you confirm that you are cleanly `SSL_shutdown()`ing the connections between resumption attempts? In some situations an unclean connection shutdown will cause the session object to be invalidated (though I...
The linked gnutls functions seem to implement part of the functionality that would be needed to transfer a live TLS connection to another process, just handling the record-protection bits and...
> Actually, the underscore wouldn't be a problem. With mDNS, you browse for `_openscreen._udp.local` and that allows you to find `BigTV.local`, which you can then put in the SNI. Any...
@nhorman could you say a bit more about why closing for inactivity is the right thing to do when the PR appears to be waiting for OTC action rather than...
> @kaduk, are you fine with this getting marked post-3.0.0?

Yes, I am willing to see this wait until after 3.0.0.
Indeed; note that the intended status of the linked internet-draft is only Experimental; it is not intended to be on the standards track. It will likely be changing more, and...
Such an API is rather attractive, yes. There are tradeoffs to it, though, as it inherently requires the implementation to have knowledge of the detailed structure of a (fixed) set...