[openssl-users] How can I compile nginx with openssl to support 0-rtt TLS1.3

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of ???????? ????
> Sent: Friday, December 28, 2018 00:25

> I have an nginx web server compiled with openssl that support TLS 1.3.

What version of OpenSSL? Is it 1.1.1? The final version or an early release? Or 1.1.0, and if so, which letter release?

> But when I test with firefox Nightly browser, it does not send early data together with
> client hello packet.

This sounds like an nginx or Firefox question. I haven't experimented with 0-RTT, which I think was a bad idea in TLSv1.3 and have no interest in enabling in my applications; but as I understand it, you have to set some options in the SSL structure (or the SSL_CTX you use to create it) in order to enable 0-RTT. That means nginx will have to make the necessary OpenSSL API calls. It may not have support for that yet, or in whatever version of nginx you're running.

It's also possible that there's some issue with the Firefox build you're running and its 0-RTT support. My suspicion though is that nginx is not enabling 0-RTT in nginx.

--
Michael Wojcik
Distinguished Engineer, Micro Focus