[openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Jan 25 19:32:14 UTC 2016
On Mon 2016-01-25 13:51:11 -0500, Viktor Dukhovni wrote:
> On Mon, Jan 25, 2016 at 06:42:02PM +0000, Kurt Roeckx via RT wrote:
>
>> On Mon, Jan 25, 2016 at 06:24:55PM +0000, Sara Dickinson via RT wrote:
>> > I would like to request that support be added to OpenSSL to enable
>> > client applications to make use use of TCP Fast Open
>> > (https://tools.ietf.org/html/rfc7413
>> > <https://tools.ietf.org/html/rfc7413>) when initiating the TLS
>> > handshake on Linux (TCP Fast Open is available in Linux kernel >
>> > 4.1).
I think it was added even earlier to the Linux kernel:
http://kernelnewbies.org/Linux_3.13#head-159ff61ea3acfd67b88855e75dbbb140f8825c4a
>> I've seen that request, and I have tought about it. I'm just
>> wondering if that comes with security consequences, like replay
>> attacks. Specially in combination with what they're doing with
>> TLS 1.3.
>>
>> The API clearly doesn't support anything like that currently.
>
> No security impact. Just a saving of 1-RTT on "warm" TCP reconnects.
>
> If the client's first flight payload also carries 0-RTT TLS 1.3
> data, the exposure is the same whether TCP fast open is used or
> not.
I agree with this cryptographic analysis, fwiw.
if 0-RTT support is added to OpenSSL, then we definitely need a clear
API adjustment so that applications can know whether their data is going
out in the non-PFS/non-replay-protected preflights, or in the
regularly-protected session. But i don't think this has any bearing on
TFO.
--dkg
More information about the openssl-dev
mailing list