Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 29/12/2018 07:42, carabiankyi wrote:
Thanks for your advice.
I get early data when I configure nginx ssl_early_data on.
But I only get early data for get method.
When using post method, the server terminate connection. Is it related with openssl? If so, how can I do to allow post method?


TLSv1.x and SSL do not know or care what the HTTP commands are.

It is probably nginx enforcing a security rule that 0-rtt data should not
contain any potentially sensitive information, such as POST data.

0-rtt may be a reasonable way to more quickly transfer the URLs in the many
GET requests for static web content such as images, javascript, video segments
and user independent web pages.  But it is too risky when handling requests
for user specific or password protected content, because the 0-rtt would
then be readable by an attacker even if the certificate check fails a few
packets after the 0-rtt and associated decryption keys were already sent.



Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>
Date: 29/12/2018 12:46 a.m. (GMT+06:30)
To: openssl-users@xxxxxxxxxxx
Subject: Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of ???????? ????
> Sent: Friday, December 28, 2018 00:25

> I have an nginx web server compiled with openssl that support TLS 1.3.

What version of OpenSSL? Is it 1.1.1? The final version or an early release? Or 1.1.0, and if so, which letter release?

> But when I test with firefox Nightly browser, it does not send early data together with
> client hello packet.

This sounds like an nginx or Firefox question. I haven't experimented with 0-RTT, which I think was a bad idea in TLSv1.3 and have no interest in enabling in my applications; but as I understand it, you have to set some options in the SSL structure (or the SSL_CTX you use to create it) in order to enable 0-RTT. That means nginx will have to make the necessary OpenSSL API calls. It may not have support for that yet, or in whatever version of nginx you're running.

It's also possible that there's some issue with the Firefox build you're running and its 0-RTT support. My suspicion though is that nginx is not enabling 0-RTT in nginx.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux