How can I compile nginx with openssl to support 0-rtt TLS1.3

How can I compile nginx with openssl to support 0-rtt TLS1.3

ၾကည္စိုး သင္း
Dear Sirs,

I have an nginx web server compiled with OpenSSL that supports TLS 1.3. But when I test with the Firefox Nightly browser, it does not send early data together with the client hello packet. I ran this test after waiting for about five minutes after accessing the web server. I cannot find any source on the internet about enabling 0-RTT in nginx with OpenSSL. Please advise me.

Thanks,
Kyi Soe Thin

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of ၾကည္စိုး သင္း
> Sent: Friday, December 28, 2018 00:25

> I have an nginx web server compiled with openssl that support TLS 1.3.

What version of OpenSSL? Is it 1.1.1? The final version or an early release? Or 1.1.0, and if so, which letter release?

> But when I test with firefox Nightly browser, it does not send early data together with
> client hello packet.

This sounds like an nginx or Firefox question. I haven't experimented with 0-RTT, which I think was a bad idea in TLSv1.3 and have no interest in enabling in my applications; but as I understand it, you have to set some options in the SSL structure (or the SSL_CTX you use to create it) in order to enable 0-RTT. That means nginx will have to make the necessary OpenSSL API calls. It may not have support for that yet, or in whatever version of nginx you're running.

It's also possible that there's some issue with the Firefox build you're running and its 0-RTT support. My suspicion though is that nginx is not enabling 0-RTT in nginx.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

ၾကည္စိုး သင္း
Thanks for your advice.
I get early data when I configure nginx with ssl_early_data on.
But I only get early data for the GET method.
When using the POST method, the server terminates the connection. Is it related to OpenSSL? If so, what can I do to allow the POST method?




Sent from my Samsung Galaxy smartphone.

Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

OpenSSL - User mailing list
On 29/12/2018 07:42, carabiankyi wrote:
> Thanks for your advice.
> I get early data when I configure nginx ssl_early_data on.
> But I only get early data for get method.
> When using post method, the server terminate connection. Is it related
> with openssl? If so, how can I do to allow post method?
>
>
TLSv1.x and SSL do not know or care what the HTTP commands are.

It is probably nginx enforcing a security rule that 0-rtt data should not
contain any potentially sensitive information, such as POST data.

0-RTT may be a reasonable way to more quickly transfer the URLs in the many GET requests for static web content such as images, JavaScript, video segments and user-independent web pages. But it is too risky when handling requests for user-specific or password-protected content, because the 0-RTT would then be readable by an attacker even if the certificate check fails a few packets after the 0-RTT and associated decryption keys were already sent.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: How can I compile nginx with openssl to support 0-rtt TLS1.3

OpenSSL - User mailing list
> But I only get early data for get method.
> When using post method, the server terminate connection. Is it related with openssl? If so, how can I do to allow post method?

Early data can be replayed.  It is only safe to use early data when the request is idempotent, like GET.  You might find https://tools.ietf.org/html/rfc8470 useful reading.

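The RFC 8470 rule the last reply points to, carried through on the application side as an added example (not code from this thread, from nginx or from OpenSSL). It assumes nginx fronts the app with the real directives "ssl_early_data on;" and "proxy_set_header Early-Data $ssl_early_data;", so a request that arrived in TLS 1.3 early data reaches the backend with the header Early-Data: 1; replayable, non-safe methods such as POST then get 425 Too Early instead of a dropped connection, and the client resends them after the handshake completes.

```python
# Added example: RFC 8470 "425 Too Early" handling for a WSGI backend behind
# nginx. Assumed nginx configuration (real directives, not on the page):
#     ssl_early_data on;
#     proxy_set_header Early-Data $ssl_early_data;
# proxy_set_header replaces any client-supplied Early-Data header, so the
# backend can trust the flag as long as it is only reachable through nginx.

# Methods RFC 7231 defines as safe (read-only); only these may be replayed.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def is_early_data(environ):
    """True if the proxy flagged this request as TLS 1.3 early data."""
    # WSGI exposes the "Early-Data" request header as HTTP_EARLY_DATA.
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


def decide(method, early):
    """Return (status, body) for a request from its method and early-data flag."""
    if early and method.upper() not in SAFE_METHODS:
        # RFC 8470 section 5.2: refuse a replayable state-changing request;
        # the client retries it once the handshake has completed (1-RTT).
        return "425 Too Early", b"retry after handshake\n"
    return "200 OK", b"ok\n"


def app(environ, start_response):
    """Minimal WSGI application applying the early-data policy."""
    status, body = decide(environ.get("REQUEST_METHOD", "GET"),
                          is_early_data(environ))
    headers = [("Content-Type", "text/plain"),
               ("Content-Length", str(len(body)))]
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Stand-alone run for local testing on the loopback interface.
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```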