[openssl-users] How can I compile nginx with openssl to support 0-rtt TLS1.3

Jakob Bohm jb-openssl at wisemo.com
Sat Dec 29 10:05:28 UTC 2018

On 29/12/2018 07:42, carabiankyi wrote:
> Thanks for your advice.
> I get early data when I configure nginx ssl_early_data on.
> But I only get early data for get method.
> When using post method, the server terminate connection. Is it related 
> with openssl? If so, how can I do to allow post method?
TLSv1.x and SSL do not know or care what the HTTP commands are.

It is probably nginx enforcing a security rule that 0-rtt data should not
contain any potentially sensitive information, such as POST data.

0-rtt may be a reasonable way to more quickly transfer the URLs in the many
GET requests for static web content such as images, javascript, video 
and user independent web pages.  But it is too risky when handling requests
for user specific or password protected content, because the 0-rtt would
then be readable by an attacker even if the certificate check fails a few
packets after the 0-rtt and associated decryption keys were already sent.

> Sent from my Samsung Galaxy smartphone.
> -------- Original message --------
> From: Michael Wojcik <Michael.Wojcik at microfocus.com>
> Date: 29/12/2018 12:46 a.m. (GMT+06:30)
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] How can I compile nginx with openssl to 
> support 0-rtt TLS1.3
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
> Behalf Of ???????? ????
> > Sent: Friday, December 28, 2018 00:25
> > I have an nginx web server compiled with openssl that support TLS 1.3.
> What version of OpenSSL? Is it 1.1.1? The final version or an early 
> release? Or 1.1.0, and if so, which letter release?
> > But when I test with firefox Nightly browser, it does not send early 
> data together with
> > client hello packet.
> This sounds like an nginx or Firefox question. I haven't experimented 
> with 0-RTT, which I think was a bad idea in TLSv1.3 and have no 
> interest in enabling in my applications; but as I understand it, you 
> have to set some options in the SSL structure (or the SSL_CTX you use 
> to create it) in order to enable 0-RTT. That means nginx will have to 
> make the necessary OpenSSL API calls. It may not have support for that 
> yet, or in whatever version of nginx you're running.
> It's also possible that there's some issue with the Firefox build 
> you're running and its 0-RTT support. My suspicion though is that 
> nginx is not enabling 0-RTT in nginx.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list