diff options
| author | Benjamin Kaduk <bkaduk@akamai.com> | 2018-02-28 14:49:59 -0600 |
|---|---|---|
| committer | Benjamin Kaduk <kaduk@mit.edu> | 2018-02-28 21:47:09 -0600 |
| commit | c39e4048b538ec76313c264e860cfb5cd677a9ac (patch) | |
| tree | 015f67d475a23ee0ec42c4fa8f18c37171bf65dd /ssl/ssl_lib.c | |
| parent | d91f45688c2d0bfcc5b3b57fb20cc80b010eef0b (diff) | |
Do not set a nonzero default max_early_data
When early data support was first added, this seemed like a good
idea, as it would allow applications to just add SSL_read_early_data()
calls as needed and have things "Just Work". However, for applications
that do not use TLS 1.3 early data, there is a negative side effect.
Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
derived from it) means that when generating a session ticket,
tls_construct_stoc_early_data() will indicate to the client that
the server supports early data. This is true, in that the implementation
of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
necessarily indicate that the server application supports early data,
when the default value is nonzero. In this case a well-intentioned
client would send early data along with its resumption attempt, which
would then be ignored by the server application, a waste of network
bandwidth.
Since, in order to successfully use TLS 1.3 early data, the application
must introduce calls to SSL_read_early_data(), it is not much additional
burden to require that the application also calls
SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
so closes this scenario where early data packets would be sent on
the wire but ignored.
Update SSL_read_early_data.pod accordingly, and make s_server and
our test programs into applications that are compliant with the new
requirements on applications that use early data.
Fixes #4725
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5483)
Diffstat (limited to 'ssl/ssl_lib.c')
| -rw-r--r-- | ssl/ssl_lib.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 59b507e788..8804c52e78 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3002,10 +3002,22 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; /* - * Default max early data is a fully loaded single record. Could be split - * across multiple records in practice + * We cannot usefully set a default max_early_data here (which gets + * propagated in SSL_new(), for the following reason: setting the + * SSL field causes tls_construct_stoc_early_data() to tell the + * client that early data will be accepted when constructing a TLS 1.3 + * session ticket, and the client will accordingly send us early data + * when using that ticket (if the client has early data to send). + * However, in order for the early data to actually be consumed by + * the application, the application must also have calls to + * SSL_read_early_data(); otherwise we'll just skip past the early data + * and ignore it. So, since the application must add calls to + * SSL_read_early_data(), we also require them to add + * calls to SSL_CTX_set_max_early_data() in order to use early data, + * eliminating the bandwidth-wasting early data in the case described + * above. */ - ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + ret->max_early_data = 0; return ret; err: |