On 29/12/2018 07:42, carabiankyi wrote:
Thanks for your advice.
I get early data when I configure nginx ssl_early_data on.
But I only get early data for get method.
When using post method, the server terminate connection. Is it related
with openssl? If so, how can I do to allow post method?
TLSv1.x and SSL do not know or care what the HTTP commands are.
It is probably nginx enforcing a security rule that 0-rtt data should not
contain any potentially sensitive information, such as POST data.
0-rtt may be a reasonable way to more quickly transfer the URLs in the many
GET requests for static web content such as images, javascript, video
segments
and user independent web pages. But it is too risky when handling requests
for user specific or password protected content, because the 0-rtt would
then be readable by an attacker even if the certificate check fails a few
packets after the 0-rtt and associated decryption keys were already sent.
Sent from my Samsung Galaxy smartphone.
-------- Original message --------
From: Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>
Date: 29/12/2018 12:46 a.m. (GMT+06:30)
To: openssl-users@xxxxxxxxxxx
Subject: Re: How can I compile nginx with openssl to
support 0-rtt TLS1.3
> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On
Behalf Of ???????? ????
> Sent: Friday, December 28, 2018 00:25
> I have an nginx web server compiled with openssl that support TLS 1.3.
What version of OpenSSL? Is it 1.1.1? The final version or an early
release? Or 1.1.0, and if so, which letter release?
> But when I test with firefox Nightly browser, it does not send early
data together with
> client hello packet.
This sounds like an nginx or Firefox question. I haven't experimented
with 0-RTT, which I think was a bad idea in TLSv1.3 and have no
interest in enabling in my applications; but as I understand it, you
have to set some options in the SSL structure (or the SSL_CTX you use
to create it) in order to enable 0-RTT. That means nginx will have to
make the necessary OpenSSL API calls. It may not have support for that
yet, or in whatever version of nginx you're running.
It's also possible that there's some issue with the Firefox build
you're running and its 0-RTT support. My suspicion though is that
nginx is not enabling 0-RTT in nginx.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
