Patrick McManus

The only NSS usage of "raw chacha20" as required by the tls spec seems to be embedded in the chacha20poly1305 code - which hardcodes counters.. the tls-quic spec requires passing...

server may not send > 3 packets without validation

1

Servers MUST NOT send more than three Handshake packets without validation Servers MUST NOT send more than three Handshake packets without receiving a packet from a verified source address. Source...

address validation is required upon resumption, but particularly 0rtt SSL_SendSessionTicket looks like it can do add a token to the NST for this purpose.

when sending 0rtt we need to honor initial_max_data from transport parameters of the session being resumed.. so we need to index the resumption tickets against the params. SSL_SetResumptionTokenCallback() et all

NEW_STREAM_DATA is only edge triggered

1

Some kind of level triggered mode would help callers do the right thing.

right now the library only allows manual xon/xoff signals to control flow control (and even there, its global). A mode that applied backpressure based on how much data was buffered...