Making use of the new TLS 1.3 PSK features?

Hubert Kario hkario at redhat.com
Fri Jun 7 18:36:28 UTC 2019


On Friday, 7 June 2019 19:20:07 CEST Joshua Hutchins wrote:
> Hi, I'm pretty new to openssl (sort of new to being a developer to be
> honest).
> I am using libcurl to send pretty small HTTP requests every 5 or so
> minutes, using TLS. I'm trying to use some of the new features in TLS 1.3
> to reduce the *size* of the handshake, as this is going to be going over
> mobile data and doing a full TLS handshake every 5 minutes accounts for
> about 60% of my total data usage.
> 
> Any advice for this? I've already built nghttp2, openssl, and libcurl from
> scratch so I have all the new features.

performing session resumption should stop the server from sending the 
certificate to the client – make sure that you preserve the session data and 
use it for future connections

mismatch between the key shares sent by the client and what the server will 
use will cause the connection to fall back to HelloRetryRequest mode, sending 
just one key share will also reduce the size of the handshake – ensure the 
enabled groups match the list and order of the list in server

ensuring the connection uses ECDSA will also reduce the size of initial 
handshake and will cause the handshake to be smaller when the resumption is 
rejected by server – that will require reconfiguring the server

disabling sending of padding extension should also reduce the size of 
ClientHello message (at a potential cost of interoperability issues)

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
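
To check the effect of the key share and padding advice above on your own client, the following added example (not part of the original message, and not OpenSSL project code) captures the ClientHello that an OpenSSL-backed Python client would send and reports its size, its key_share entries and any padding extension. The function names and the host name `server.example` are assumptions made for illustration; `set_ecdh_curve` narrowing the offered groups to a single one relies on OpenSSL behaviour.

```python
import ssl
import struct

EXT_PADDING, EXT_KEY_SHARE = 21, 51   # TLS extension type numbers

def client_hello_bytes(ctx, hostname="server.example"):
    """Start a handshake against in-memory BIOs and return the first flight."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def parse_client_hello(record):
    """Return total size, key_share entries and padding size of a ClientHello."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                                  # headers, version, random
    pos += 1 + record[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    info = {"size": len(record), "key_shares": [], "padding": 0}
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_PADDING:
            info["padding"] = 4 + ext_len                 # header plus zero bytes
        elif ext_type == EXT_KEY_SHARE:
            off = 2                                       # skip client_shares length
            while off < len(body):
                group, klen = struct.unpack_from("!HH", body, off)
                info["key_shares"].append((group, klen))
                off += 4 + klen
    return info

def measure(curve=None):
    """Build a TLS 1.3 client context, optionally limited to one group."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if curve:
        ctx.set_ecdh_curve(curve)   # assumption: OpenSSL then offers only this group
    return parse_client_hello(client_hello_bytes(ctx))

if __name__ == "__main__":
    print("default   :", measure())
    print("P-256 only:", measure("prime256v1"))
```

Comparing the two reports shows which groups the client sends shares for; the group chosen still has to be one the server prefers, otherwise the HelloRetryRequest round trip returns.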