[openssl-commits] [openssl] master update

kaduk at mit.edu kaduk at mit.edu
Thu Mar 1 04:08:18 UTC 2018

The branch master has been updated
       via  c39e4048b538ec76313c264e860cfb5cd677a9ac (commit)
      from  d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b (commit)

- Log -----------------------------------------------------------------
commit c39e4048b538ec76313c264e860cfb5cd677a9ac
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Feb 28 14:49:59 2018 -0600

    Do not set a nonzero default max_early_data
    When early data support was first added, this seemed like a good
    idea, as it would allow applications to just add SSL_read_early_data()
    calls as needed and have things "Just Work".  However, for applications
    that do not use TLS 1.3 early data, there is a negative side effect.
    Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
    derived from it) means that when generating a session ticket,
    tls_construct_stoc_early_data() will indicate to the client that
    the server supports early data.  This is true, in that the implementation
    of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
    necessarily indicate that the server application supports early data,
    when the default value is nonzero.  In this case a well-intentioned
    client would send early data along with its resumption attempt, which
    would then be ignored by the server application, a waste of network
    Since, in order to successfully use TLS 1.3 early data, the application
    must introduce calls to SSL_read_early_data(), it is not much additional
    burden to require that the application also calls
    SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
    so closes this scenario where early data packets would be sent on
    the wire but ignored.
    Update SSL_read_early_data.pod accordingly, and make s_server and
    our test programs into applications that are compliant with the new
    requirements on applications that use early data.
    Fixes #4725
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5483)


Summary of changes:
 apps/s_server.c                  |  2 ++
 doc/man3/SSL_read_early_data.pod | 12 +++++++++---
 ssl/ssl_lib.c                    | 18 +++++++++++++++---
 test/sslapitest.c                |  6 +++++-
 test/tls13ccstest.c              |  6 +++++-
 5 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index c772069..ff9ee5a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1570,6 +1570,8 @@ int s_server_main(int argc, char *argv[])
         case OPT_EARLY_DATA:
             early_data = 1;
+            if (max_early_data == -1)
+                max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod
index d916756..a420e73 100644
--- a/doc/man3/SSL_read_early_data.pod
+++ b/doc/man3/SSL_read_early_data.pod
@@ -101,7 +101,9 @@ was rejected or SSL_EARLY_DATA_NOT_SENT if no early data was sent. This function
 may be called by either the client or the server.
 A server uses the SSL_read_early_data() function to receive early data on a
-connection. As for SSL_write_early_data() this must be the first IO function
+connection for which early data has been enabled using
+SSL_CTX_set_max_early_data() or SSL_set_max_early_data(). As for
+SSL_write_early_data(), this must be the first IO function
 called on a connection, i.e. it must occur before any calls to
 L<SSL_write_ex(3)>, L<SSL_read_ex(3)>, L<SSL_accept(3)>, L<SSL_do_handshake(3)>,
 or other similar functions.
@@ -165,12 +167,16 @@ further action taken.
 When a session is created between a server and a client the server will specify
 the maximum amount of any early data that it will accept on any future
-connection attempt. By default this is approximately 16k. A server may override
-this default value by calling SSL_CTX_set_max_early_data() or
+connection attempt. By default the server does not accept early data; a
+server may indicate support for early data by calling
+SSL_CTX_set_max_early_data() or
 SSL_set_max_early_data() to set it for the whole SSL_CTX or an individual SSL
 object respectively. Similarly the SSL_CTX_get_max_early_data() and
 SSL_get_max_early_data() functions can be used to obtain the current maximum
 early data settings for the SSL_CTX and SSL objects respectively.
+Generally a server application will either use both of SSL_read_early_data()
+and SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither
+of them, since there is no practical benefit from using only one of them.
 In the event that the current maximum early data setting for the server is
 different to that originally specified in a session that a client is resuming
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 59b507e..8804c52 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3002,10 +3002,22 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
-     * Default max early data is a fully loaded single record. Could be split
-     * across multiple records in practice
+     * We cannot usefully set a default max_early_data here (which gets
+     * propagated in SSL_new(), for the following reason: setting the
+     * SSL field causes tls_construct_stoc_early_data() to tell the
+     * client that early data will be accepted when constructing a TLS 1.3
+     * session ticket, and the client will accordingly send us early data
+     * when using that ticket (if the client has early data to send).
+     * However, in order for the early data to actually be consumed by
+     * the application, the application must also have calls to
+     * SSL_read_early_data(); otherwise we'll just skip past the early data
+     * and ignore it.  So, since the application must add calls to
+     * SSL_read_early_data(), we also require them to add
+     * calls to SSL_CTX_set_max_early_data() in order to use early data,
+     * eliminating the bandwidth-wasting early data in the case described
+     * above.
-    ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
+    ret->max_early_data = 0;
     return ret;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 6480885..ce24fad 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1492,7 +1492,11 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
     if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
                                        TLS_client_method(), sctx,
-                                       cctx, cert, privkey)))
+                                       cctx, cert, privkey))
+        || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
+                                                 SSL3_RT_MAX_PLAIN_LENGTH))
+        || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
+                                                 SSL3_RT_MAX_PLAIN_LENGTH)))
         return 0;
     if (idx == 1) {
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index c95010f..afea0ea 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -255,7 +255,11 @@ static int test_tls13ccs(int tst)
     chsessidlen = 0;
     if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
-                                       &sctx, &cctx, cert, privkey)))
+                                       &sctx, &cctx, cert, privkey))
+        || !TEST_true(SSL_CTX_set_max_early_data(sctx,
+                                                 SSL3_RT_MAX_PLAIN_LENGTH))
+        || !TEST_true(SSL_CTX_set_max_early_data(cctx,
+                                                 SSL3_RT_MAX_PLAIN_LENGTH)))
         goto err;

More information about the openssl-commits mailing list