Making use of the new TLS 1.3 PSK features?

Making use of the new TLS 1.3 PSK features?

Joshua Hutchins
Hi, I'm pretty new to openssl (sort of new to being a developer to be honest).
I am using libcurl to send pretty small HTTP requests every 5 or so minutes, using TLS. I'm trying to use some of the new features in TLS 1.3 to reduce the size of the handshake, as this is going to be going over mobile data and doing a full TLS handshake every 5 minutes accounts for about 60% of my total data usage.

Any advice for this? I've already built nghttp2, openssl, and libcurl from scratch so I have all the new features.

Thanks!

Re: Making use of the new TLS 1.3 PSK features?

Hubert Kario
On Friday, 7 June 2019 19:20:07 CEST Joshua Hutchins wrote:

> Hi, I'm pretty new to openssl (sort of new to being a developer to be
> honest).
> I am using libcurl to send pretty small HTTP requests every 5 or so
> minutes, using TLS. I'm trying to use some of the new features in TLS 1.3
> to reduce the *size* of the handshake, as this is going to be going over
> mobile data and doing a full TLS handshake every 5 minutes accounts for
> about 60% of my total data usage.
>
> Any advice for this? I've already built nghttp2, openssl, and libcurl from
> scratch so I have all the new features.
Performing session resumption should stop the server from sending the
certificate to the client – make sure that you preserve the session data and
use it for future connections.

A mismatch between the key shares sent by the client and what the server will
use will cause the connection to fall back to HelloRetryRequest mode; sending
just one key share will also reduce the size of the handshake – ensure the
enabled groups match the list and order of the list in the server.

Ensuring the connection uses ECDSA will also reduce the size of the initial
handshake and will cause the handshake to be smaller when the resumption is
rejected by the server – that will require reconfiguring the server.

Disabling sending of the padding extension should also reduce the size of the
ClientHello message (at a potential cost of interoperability issues).

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

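The three levers in the reply above (keep the session data across connections so the next handshake resumes, offer one key share that matches the server's group list so there is no HelloRetryRequest, and use a small-signature certificate), as an added example that is not from the thread and is not libcurl/OpenSSL code: it uses Go's crypto/tls against an in-process server so it runs self-contained. Assumptions: a constructed self-signed "localhost" certificate, and Ed25519 standing in for the ECDSA the reply recommends (both keep the Certificate message small).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// ResumeTwice dials an in-process TLS 1.3 server twice via one client session cache and reports which dials resumed.
func ResumeTwice() (first, second bool, err error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed test cert; Ed25519 keeps the Certificate message small
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, err := x509.ParseCertificate(der) // also fails if CreateCertificate did
	if err != nil {
		return false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS13, // one group on both sides: no HelloRetryRequest
		CurvePreferences: []tls.CurveID{tls.X25519}, Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() { // server side: accept, send one byte of application data, close
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			c.Write([]byte("x"))
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost", MinVersion: tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{tls.X25519}, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	cfg.RootCAs.AddCert(leaf)
	dial := func() (bool, error) { // cfg's cache preserves the session ticket between dials
		c, e := tls.Dial("tcp", ln.Addr().String(), cfg)
		if e != nil {
			return false, e
		}
		defer c.Close()
		_, e = c.Read(make([]byte, 1)) // Read processes the post-handshake NewSessionTicket
		return c.ConnectionState().DidResume, e
	}
	if first, err = dial(); err == nil {
		second, err = dial()
	}
	return first, second, err
}
```

With libcurl the equivalent of the shared cache is to keep the same easy handle alive between requests, or to share CURL_LOCK_DATA_SSL_SESSION across handles, so the session cache survives from one request to the next.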