Re: Using TCP Fast Open with OpenSSL


Re: Using TCP Fast Open with OpenSSL

Sara Dickinson
Hi, 

I have recently been adding support for TLS using OpenSSL to a client application. When using TCP the application uses TCP Fast Open (TFO) as described in this RFC: https://tools.ietf.org/html/rfc7413. TFO is currently available for clients on both Linux and OS X, however the socket API changes for TFO are different on the 2 platforms.

I have TFO + TLS (using OpenSSL) working on OS X. However, because of the specifics of the TFO implementation on Linux, I can’t see how to get that working with OpenSSL. On Linux using TFO requires that
- the connect() call is skipped entirely
- the first data sent on the connection must be sent using the sendto() function passing in the MSG_FASTOPEN flag. This sendto() call takes care of both the TCP handshake, and sending the data as payload in the SYN. 

I may well be missing something, but I can’t see any way to use this in combination with the OpenSSL API, because the SSL_connect()/SSL_do_handshake() functions rely on the underlying socket already being set up and ready to accept a 'write'. Does anyone know of a solution/workaround, or a plan to add support for client TFO to OpenSSL?

Regards

Sara. 


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Using TCP Fast Open with OpenSSL

Viktor Dukhovni

> On Jan 20, 2016, at 9:27 AM, Sara Dickinson <[hidden email]> wrote:
>
> I have TFO + TLS (using OpenSSL) working on OS X. However, because of the specifics of the TFO implementation on Linux, I can’t see how to get that working with OpenSSL. On Linux using TFO requires that
> - the connect() call is skipped entirely
> - the first data sent on the connection must be sent using the sendto() function passing in the MSG_FASTOPEN flag. This sendto() call takes care of both the TCP handshake, and sending the data as payload in the SYN.
>
> I may well be missing something, but I can’t see any way to use this in combination with the OpenSSL API, because the SSL_connect()/SSL_do_handshake() functions rely on the underlying socket already being set up and ready to accept a 'write'. Does anyone know of a solution/workaround, or a plan to add support for client TFO to OpenSSL?

Well, I am not shy to say that the Linux Kernel API for this is
poorly designed.  However, we can perhaps work around this.

This could be done via an enhancement of BIO_s_socket()
to support completing the connection on the first write.
Then you just configure the modified BIO as the network
BIO of the SSL handle.

The construction of the BIO could be made transparent to
users of SSL_set_fd() via a suitable new control operation
that's passed through to the underlying BIO.

        SSL_set_fd(ssl, sock);
        SSL_set_tfo_addr(ssl, struct sockaddr *sa, int salen);

(Or some variant of these types for Windows, ...)

But of course the feature itself would not initially be
available on all platforms.

--
        Viktor.
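As an added illustration of the "complete the connection on the first write" state that Viktor's proposed BIO_s_socket() enhancement would carry (example code, not OpenSSL's own and not part of the thread): the first write issues sendto() with MSG_FASTOPEN so the ClientHello rides in the SYN, every later write is a plain send(), and a kernel that rejects MSG_FASTOPEN with EOPNOTSUPP is handled by falling back to connect(). The `tfo_sock` type, the `fake_*` syscalls and the EINPROGRESS retry comment are assumptions made for this example; the Linux semantics it relies on (EINPROGRESS from a non-blocking sendto when no cookie is cached) are as documented in tcp(7)/send(2).

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000   /* Linux value; lets the file build elsewhere */
#endif
/* Hypothetical "connect on first write" socket, the state a TFO-aware
 * BIO_s_socket() would need. Syscalls are function pointers so the
 * state machine can be exercised offline with the fakes at the bottom. */
typedef struct {
    int fd, connected;            /* connected: the first write has gone out */
    struct sockaddr_storage addr; socklen_t addrlen;
    ssize_t (*sendto_fn)(int, const void *, size_t, int, const struct sockaddr *, socklen_t);
    int (*connect_fn)(int, const struct sockaddr *, socklen_t);
    ssize_t (*send_fn)(int, const void *, size_t, int);
} tfo_sock;

void tfo_sock_init(tfo_sock *s, int fd, const struct sockaddr *sa, socklen_t salen) {
    memset(s, 0, sizeof *s);
    s->fd = fd; memcpy(&s->addr, sa, salen); s->addrlen = salen;
    s->sendto_fn = sendto; s->connect_fn = connect; s->send_fn = send;   /* real syscalls */
}

/* Shape of a BIO write callback: the first call carries the ClientHello in the
 * SYN via MSG_FASTOPEN; every later call is an ordinary send(). */
ssize_t tfo_sock_write(tfo_sock *s, const void *buf, size_t len) {
    const struct sockaddr *sa = (const struct sockaddr *)&s->addr;
    if (s->connected)
        return s->send_fn(s->fd, buf, len, 0);
    ssize_t n = s->sendto_fn(s->fd, buf, len, MSG_FASTOPEN, sa, s->addrlen);
    if (n < 0 && errno == EOPNOTSUPP) {          /* kernel without TFO support */
        if (s->connect_fn(s->fd, sa, s->addrlen) < 0) return -1;
        s->connected = 1;
        return s->send_fn(s->fd, buf, len, 0);
    }
    /* n >= 0: SYN+data sent. EINPROGRESS (non-blocking, no cached cookie): a plain
     * SYN went out without data; the BIO should signal retry-write and resend later. */
    if (n >= 0 || errno == EINPROGRESS) s->connected = 1;
    return n;
}

/* Offline fakes, constructed for this example: they record the flags of the last call. */
static int fake_flags = -1, fake_tfo_ok = 1;
static ssize_t fake_sendto(int fd, const void *b, size_t n, int fl, const struct sockaddr *a, socklen_t l) {
    (void)fd; (void)b; (void)a; (void)l; fake_flags = fl;
    if (!fake_tfo_ok) { errno = EOPNOTSUPP; return -1; }
    return (ssize_t)n;
}
static int fake_connect(int fd, const struct sockaddr *a, socklen_t l) { (void)fd; (void)a; (void)l; return 0; }
static ssize_t fake_send(int fd, const void *b, size_t n, int fl) { (void)fd; (void)b; fake_flags = fl; return (ssize_t)n; }
```

With the real syscalls left in place, the same write path can back a custom BIO method (BIO_meth_set_write) installed as the SSL handle's network BIO, which is where an SSL_set_tfo_addr()-style control would store the address.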



Re: Using TCP Fast Open with OpenSSL

Nounou Dadoun
-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Viktor Dukhovni
Sent: Wednesday, January 20, 2016 8:55 AM
To: [hidden email]
Subject: Re: [openssl-users] Using TCP Fast Open with OpenSSL


> On Jan 20, 2016, at 9:27 AM, Sara Dickinson <[hidden email]> wrote:
>
> I have TFO + TLS (using OpenSSL) working on OS X. However, because of
> the specifics of the TFO implementation on Linux, I can’t see how to
> get that working with OpenSSL. On Linux using TFO requires that
> - the connect() call is skipped entirely
> - the first data sent on the connection must be sent using the sendto() function passing in the MSG_FASTOPEN flag. This sendto() call takes care of both the TCP handshake, and sending the data as payload in the SYN.
>
> I may well be missing something, but I can’t see any way to use this in combination with the OpenSSL API, because the SSL_connect()/SSL_do_handshake() functions rely on the underlying socket already being set up and ready to accept a 'write'. Does anyone know of a solution/workaround, or a plan to add support for client TFO to OpenSSL?

Well, I am not shy to say that the Linux Kernel API for this is poorly designed.  However, we can perhaps work around this.

This could be done via an enhancement of BIO_s_socket() to support completing the connection on the first write.
Then you just configure the modified BIO as the network BIO of the SSL handle.

The construction of the BIO could be made transparent to users of SSL_set_fd() via a suitable new control operation that's passed through to the underlying BIO.

        SSL_set_fd(ssl, sock);
        SSL_set_tfo_addr(ssl, struct sockaddr *sa, int salen);

(Or some variant of these types for Windows, ...)

But of course the feature itself would not initially be available on all platforms.

--
        Viktor.

----------------------------

But if the TFO data payload is in the first SYN how can it be encrypted (etc) even before the TCP handshake is complete (let alone the SSL handshake) unless the calls are unbundled and serialized somehow.

Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


Re: Using TCP Fast Open with OpenSSL

Viktor Dukhovni
On Wed, Jan 20, 2016 at 06:01:00PM +0000, Nounou Dadoun wrote:

> But if the TFO data payload is in the first SYN how can it be encrypted
> (etc) even before the TCP handshake is complete (let alone the SSL
> handshake) unless the calls are unbundled and serialized somehow.

The TCP first-flight data will be the TLS ClientHello message.  This
saves one round-trip on repeat visits:

    C: SYN + TFO-COOKIE + TLS ClientHello
    S: SYN-ACK
    S: ACK + TLS Server Hello ...
    ...

--
        Viktor.

Re: Using TCP Fast Open with OpenSSL

Sara Dickinson
In reply to this post by Viktor Dukhovni

> On 20 Jan 2016, at 16:55, Viktor Dukhovni <[hidden email]> wrote:

>> On Jan 20, 2016, at 9:27 AM, Sara Dickinson <[hidden email]> wrote:
>>
>> I have TFO + TLS (using OpenSSL) working on OS X. However, because of the specifics of the TFO implementation on Linux, I can’t see how to get that working with OpenSSL. On Linux using TFO requires that
>> - the connect() call is skipped entirely
>> - the first data sent on the connection must be sent using the sendto() function passing in the MSG_FASTOPEN flag. This sendto() call takes care of both the TCP handshake, and sending the data as payload in the SYN.
>>
>> I may well be missing something, but I can’t see any way to use this in combination with the OpenSSL API, because the SSL_connect()/SSL_do_handshake() functions rely on the underlying socket already being set up and ready to accept a 'write'. Does anyone know of a solution/workaround, or a plan to add support for client TFO to OpenSSL?
>
> Well, I am not shy to say that the Linux Kernel API for this is
> poorly designed.  However, we can perhaps work around this.

Indeed. The OS X implementation is nicer since a connectx() call with the correct flags sets the socket up as needed and then the first write() call performs the TFO.

>
> This could be done via an enhancement of BIO_s_socket()
> to support completing the connection on the first write.
> Then you just configure the modified BIO as the network
> BIO of the SSL handle.
>
> The construction of the BIO could be made transparent to
> users of SSL_set_fd() via a suitable new control operation
> that's passed through to the underlying BIO.
>
> SSL_set_fd(ssl, sock);
> SSL_set_tfo_addr(ssl, struct sockaddr *sa, int salen);

Yes, that sounds like it would do the job!

>
> (Or some variant of these types for Windows, ...)
>
> But of course the feature itself would not initially be
> available on all platforms.

As of today TFO isn’t implemented on Windows at all AFAIK and only server side support is currently implemented on FreeBSD.

Regards

Sara.

Re: Using TCP Fast Open with OpenSSL

Nounou Dadoun
In reply to this post by Viktor Dukhovni

The TCP first-flight data will be the TLS ClientHello message.  This saves one round-trip on repeat visits:

    C: SYN + TFO-COOKIE + TLS ClientHello
    S: SYN-ACK
    S: ACK + TLS Server Hello ...
    ...

--
        Viktor.

========
That makes sense, thanks ... N
Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn
