TLS false start support on Openssl

TLS false start support on Openssl

Ritesh Rekhi-2

Hi All,

 

Does openssl support TLS false start http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 ?

 

If Openssl supports TLS false start how can I use it with s_client ?

 

Thanks

Ritesh

Re: TLS false start support on Openssl

Richard Könning
On 06.10.2011 23:28, Ritesh Rekhi wrote:
>
> Does openssl support TLS false start
> http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 ?

I cite the last section of this draft:

>    At the time of writing, the authors are not aware of any deployed TLS
>    implementation that is not False Start compatible (with one single
>    host still pending investigation).  However, if an implementation
>    uses a strategy of receiving as many bytes as available from the
>    underlying transport during the handshake (expecting to find only
>    handshake messages), achieving False Start compatibility would likely
>    require special care.

One of the authors being a member of the OpenSSL team, I think that he has
investigated the OpenSSL case.

> If Openssl supports TLS false start how can I use it with s_client ?

When there is not already an appropriate option (I didn't check), you
have to add corresponding code to s_client.

Ciao,
Richard
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
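
An added illustration of the compatibility concern in the draft passage quoted above (not part of the thread, the draft, or OpenSSL's code): a receiver that is still mid-handshake walks one transport read record by record and dispatches on content type, so a False Start client's early application data is held back instead of being parsed as handshake bytes. The names `read_summary`, `scan_handshake_read` and `false_start_flight` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS record content types (RFC 5246, section 6.2.1). */
enum { CT_CCS = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPDATA = 23 };

/* Hypothetical summary of one transport read taken mid-handshake. */
struct read_summary {
    int    handshake_records; /* ChangeCipherSpec + handshake records   */
    int    early_appdata;     /* application_data records (False Start) */
    size_t early_bytes;       /* record bytes to hold back for later    */
    size_t consumed;          /* bytes covered by complete records      */
};

/* Walk the buffer one record at a time and dispatch on content type
 * instead of assuming every byte is handshake data. A trailing partial
 * record is left unconsumed. Returns 0 on success, -1 on a bad header. */
int scan_handshake_read(const uint8_t *buf, size_t len, struct read_summary *out)
{
    size_t off = 0;
    out->handshake_records = out->early_appdata = 0;
    out->early_bytes = out->consumed = 0;
    while (len - off >= 5) {                      /* 5-byte record header */
        uint8_t type = buf[off];
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (type < CT_CCS || type > CT_APPDATA || rec_len > 16384 + 2048)
            return -1;                            /* unknown type or oversized */
        if (len - off - 5 < rec_len)
            break;                                /* wait for more bytes */
        if (type == CT_APPDATA) {
            out->early_appdata++;                 /* queue, do not parse as handshake */
            out->early_bytes += rec_len;
        } else if (type != CT_ALERT) {
            out->handshake_records++;
        }
        off += 5 + rec_len;
        out->consumed = off;
    }
    return 0;
}

/* Constructed sample: the client's ChangeCipherSpec, its (dummy) encrypted
 * Finished, and an application_data record arriving in the same read. */
static const uint8_t false_start_flight[] = {
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01,
    0x16, 0x03, 0x01, 0x00, 0x04, 0xAA, 0xAA, 0xAA, 0xAA,
    0x17, 0x03, 0x01, 0x00, 0x03, 0xBB, 0xBB, 0xBB,
};
```
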
RE: TLS false start support on Openssl

Ritesh Rekhi-2
Hi Richard,

Thanks for the reply. I did some research and found that there is an OpenSSL patch which can get me this option; I tried it in my lab and it also works.

Here is the location of the patch:

http://technotes.googlecode.com/git-history/3bea6d3d226c878577c0d520784e14f2c8efbe1c/openssl-1.0.0d-falsestart.patch

There is also an option in s_client to do so; here is an example:

openssl s_client -connect 10.24.132.51:443 -cutthrough

Ritesh

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Richard Könning
Sent: Friday, October 07, 2011 7:44 AM
To: [hidden email]
Subject: Re: TLS false start support on Openssl

On 06.10.2011 23:28, Ritesh Rekhi wrote:
>
> Does openssl support TLS false start
> http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 ?

I cite the last section of this draft:

>    At the time of writing, the authors are not aware of any deployed TLS
>    implementation that is not False Start compatible (with one single
>    host still pending investigation).  However, if an implementation
>    uses a strategy of receiving as many bytes as available from the
>    underlying transport during the handshake (expecting to find only
>    handshake messages), achieving False Start compatibility would likely
>    require special care.

One of the authors being a member of the OpenSSL team, I think that he has
investigated the OpenSSL case.

> If Openssl supports TLS false start how can I use it with s_client ?

When there is not already an appropriate option (I didn't check), you
have to add corresponding code to s_client.

Ciao,
Richard
RE: TLS false start support on Openssl

neetish
@Ritesh,

I am not able to find the patch for False Start which you posted. AFAIK, False Start is not implemented in OpenSSL. If you have it, could you please share? The Google link that you shared is defunct.

Thanks
Best Regards,
Neetish