Making use of the new TLS 1.3 PSK features?
Hubert Kario
hkario at redhat.com
Fri Jun 7 18:36:28 UTC 2019
On Friday, 7 June 2019 19:20:07 CEST Joshua Hutchins wrote:
> Hi, I'm pretty new to openssl (sort of new to being a developer to be
> honest).
> I am using libcurl to send pretty small HTTP requests every 5 or so
> minutes, using TLS. I'm trying to use some of the new features in TLS 1.3
> to reduce the *size* of the handshake, as this is going to be going over
> mobile data and doing a full TLS handshake every 5 minutes accounts for
> about 60% of my total data usage.
>
> Any advice for this? I've already built nghttp2, openssl, and libcurl from
> scratch so I have all the new features.

Performing session resumption should stop the server from sending the
certificate to the client – make sure that you preserve the session data and
use it for future connections.

A mismatch between the key shares sent by the client and what the server will
use will cause the connection to fall back to HelloRetryRequest mode; sending
just one key share will also reduce the size of the handshake – ensure the
enabled groups match the list and order of the list on the server.

Ensuring the connection uses ECDSA will also reduce the size of the initial
handshake and will cause the handshake to be smaller when the resumption is
rejected by the server – that will require reconfiguring the server.

Disabling sending of the padding extension should also reduce the size of the
ClientHello message (at a potential cost of interoperability issues).

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
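
The key share advice in the reply above, as an added example (not part of the original message and not OpenSSL or libcurl code): it builds the `supported_groups` and `key_share` ClientHello extensions in the RFC 8446 wire layout, so the byte cost of each offered share is visible, and reports when a mismatch leads to HelloRetryRequest. The server model, which picks strictly by its own preference order, and the function names are assumptions; real servers differ in how they choose.

```python
import struct

# Named-group code points and key_exchange lengths (RFC 8446, 4.2.7 and 4.2.8.2).
GROUPS = {
    "x25519": (0x001D, 32),
    "x448": (0x001E, 56),
    "secp256r1": (0x0017, 65),   # uncompressed point: 0x04 || X || Y
    "secp384r1": (0x0018, 97),
    "secp521r1": (0x0019, 133),
}

def extension(ext_type, body):
    """Extension framing: 2-byte type, 2-byte length, then the body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def supported_groups_ext(groups):
    """supported_groups (type 10): a length-prefixed list of 2-byte group ids."""
    ids = b"".join(struct.pack("!H", GROUPS[g][0]) for g in groups)
    return extension(10, struct.pack("!H", len(ids)) + ids)

def key_share_ext(shares):
    """key_share (type 51): one KeyShareEntry per group the client guesses."""
    entries = b""
    for g in shares:
        gid, klen = GROUPS[g]
        # Zero bytes stand in for a real public key; only the length matters here.
        entries += struct.pack("!HH", gid, klen) + bytes(klen)
    return extension(51, struct.pack("!H", len(entries)) + entries)

def hello_bytes(groups, shares):
    """Bytes these two extensions add to one ClientHello."""
    return len(supported_groups_ext(groups)) + len(key_share_ext(shares))

def negotiate(client_groups, client_shares, server_prefs):
    """Assumed server model: take the first server-preferred group the client
    supports; a HelloRetryRequest is needed if no share was sent for it."""
    chosen = next((g for g in server_prefs if g in client_groups), None)
    if chosen is None:
        return None, False           # no common group: the handshake fails
    return chosen, chosen not in client_shares

if __name__ == "__main__":
    server = ["secp256r1", "x25519"]                 # constructed server preference
    cases = [(["x25519", "secp256r1"], ["x25519", "secp256r1"]),  # two shares
             (["x25519", "secp256r1"], ["x25519"]),               # wrong guess
             (["secp256r1", "x25519"], ["secp256r1"])]            # matches server
    for groups, shares in cases:
        group, hrr = negotiate(groups, shares, server)
        print(shares, hello_bytes(groups, shares), "bytes ->", group,
              "HelloRetryRequest" if hrr else "no retry")
```

In the HelloRetryRequest case the client sends a second ClientHello, so the single-share saving only holds when the one share matches the group the server selects.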