> On 20 Jan 2016, at 16:55, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
>> On Jan 20, 2016, at 9:27 AM, Sara Dickinson <sara at sinodun.com> wrote:
>>
>> I have TFO + TLS (using OpenSSL) working on OS X. However, because of the specifics of the TFO implementation on Linux, I can't see how to get that working with OpenSSL. On Linux using TFO requires that
>> - the connect() call is skipped entirely
>> - the first data sent on the connection must be sent using the sendto() function passing in the MSG_FASTOPEN flag. This sendto() call takes care of both the TCP handshake, and sending the data as payload in the SYN.
>>
>> I may well be missing something, but I can't see any way to use this in combination with the OpenSSL API, because the SSL_connect()/SSL_do_handshake() functions rely on the underlying socket already being set up and ready to accept a 'write'. Does anyone know of a solution/workaround, or a plan to add support for client TFO to OpenSSL?
>
> Well, I am not shy to say that the Linux Kernel API for this is
> poorly designed. However, we can perhaps work around this.

Indeed. The OS X implementation is nicer since a connectx() call with the correct flags sets the socket up as needed and then the first write() call performs the TFO.

> This could be done via an enhancement of BIO_s_socket()
> to support completing the connection on the first write.
> Then you just configure the modified BIO as the network
> BIO of the SSL handle.
>
> The construction of the BIO could be made transparent to
> users of SSL_set_fd() via a suitable new control operation
> that's passed through to the underlying BIO.
>
> SSL_set_fd(ssl, sock);
> SSL_set_tfo_addr(ssl, struct sockaddr *sa, int salen);

Yes, that sounds like it would do the job!

> (Or some variant of these types for Windows, ...)
>
> But of course the feature itself would not initially be
> available on all platforms.

As of today TFO isn't implemented on Windows at all AFAIK and only server side support is currently implemented on FreeBSD.

Regards

Sara.
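As an added example (constructed for this page; not OpenSSL code and not from either author of the thread), here is the deferred-connect write path that the BIO_s_socket() enhancement sketched above would need on Linux: the first write goes out as sendto() with MSG_FASTOPEN to the address an SSL_set_tfo_addr()-style call would have recorded, later writes are plain send(), and the kernel's "not supported" and "no cookie cached yet" answers are handled. The names tfo_conn, tfo_write and tfo_classify are this example's own assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000  /* Linux value; elsewhere the sendto() simply fails */
#endif

/* State a TFO-aware BIO would keep beside the fd (constructed, not OpenSSL's). */
struct tfo_conn {
    int fd;
    struct sockaddr_storage peer; socklen_t peerlen;  /* what SSL_set_tfo_addr() records */
    bool connected;                                   /* a SYN has left this socket */
};
enum tfo_outcome {
    TFO_DATA_SENT,       /* payload travelled in the SYN (or is queued behind it) */
    TFO_SYN_SENT_RESEND, /* nonblocking, no cookie cached: SYN sent, data not taken */
    TFO_UNSUPPORTED,     /* kernel refused MSG_FASTOPEN: fall back to connect() */
    TFO_FAILED           /* ordinary connect-style failure (ECONNREFUSED, ...) */
};

/* Pure decision table for a sendto(MSG_FASTOPEN) result; testable offline. */
enum tfo_outcome tfo_classify(ssize_t n, int err)
{
    if (n >= 0)             return TFO_DATA_SENT;
    if (err == EINPROGRESS) return TFO_SYN_SENT_RESEND;
    if (err == EOPNOTSUPP)  return TFO_UNSUPPORTED;
    return TFO_FAILED;
}

/* The BIO write callback: the first write does the handshake and carries the
 * ClientHello in the SYN; every later write is an ordinary send(). */
ssize_t tfo_write(struct tfo_conn *c, const void *buf, size_t len)
{
    const struct sockaddr *sa = (const struct sockaddr *)&c->peer;
    if (c->connected)
        return send(c->fd, buf, len, 0);
    ssize_t n = sendto(c->fd, buf, len, MSG_FASTOPEN, sa, c->peerlen);
    switch (tfo_classify(n, n < 0 ? errno : 0)) {
    case TFO_DATA_SENT:
        c->connected = true; return n;
    case TFO_SYN_SENT_RESEND:           /* handshake in flight; BIO would signal retry */
        c->connected = true; errno = EAGAIN; return -1;
    case TFO_UNSUPPORTED:               /* classic path: connect(), then send() */
        if (connect(c->fd, sa, c->peerlen) < 0) return -1;
        c->connected = true; return send(c->fd, buf, len, 0);
    default:
        return -1;
    }
}
```

A real BIO would wrap tfo_write() in its write method and map the EAGAIN case to BIO_set_retry_write(), so SSL_connect() simply retries once the socket is writable.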