On Mon 2016-01-25 13:51:11 -0500, Viktor Dukhovni wrote:
> On Mon, Jan 25, 2016 at 06:42:02PM +0000, Kurt Roeckx via RT wrote:
>
>> On Mon, Jan 25, 2016 at 06:24:55PM +0000, Sara Dickinson via RT wrote:
>> > I would like to request that support be added to OpenSSL to enable
>> > client applications to make use of TCP Fast Open
>> > (https://tools.ietf.org/html/rfc7413) when initiating the TLS
>> > handshake on Linux (TCP Fast Open is available in Linux kernel > 4.1).

I think it was added even earlier to the Linux kernel:

http://kernelnewbies.org/Linux_3.13#head-159ff61ea3acfd67b88855e75dbbb140f8825c4a

>> I've seen that request, and I have thought about it. I'm just
>> wondering if that comes with security consequences, like replay
>> attacks. Especially in combination with what they're doing with
>> TLS 1.3.
>>
>> The API clearly doesn't support anything like that currently.
>
> No security impact. Just a saving of 1-RTT on "warm" TCP reconnects.
>
> If the client's first flight payload also carries 0-RTT TLS 1.3
> data, the exposure is the same whether TCP fast open is used or
> not.

I agree with this cryptographic analysis, fwiw. if 0-RTT support is
added to OpenSSL, then we definitely need a clear API adjustment so that
applications can know whether their data is going out in the
non-PFS/non-replay-protected preflights, or in the regularly-protected
session. But i don't think this has any bearing on TFO.

--dkg
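
What the request amounts to at the socket layer on Linux, as an added example that is not part of this thread and is not OpenSSL code: the client passes its first flight to sendto() with MSG_FASTOPEN instead of calling connect(), and falls back to a classic connect when Fast Open is unavailable. The helper name tfo_connect_send and its signature are assumptions of this example.

```c
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

#ifndef MSG_FASTOPEN
#define MSG_FASTOPEN 0x20000000 /* Linux value, for older libc headers */
#endif

/* Write all of buf on a connected socket: 0 on success, -1 on error. */
static int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Hypothetical helper (name and signature are assumptions of this example).
 * Connects to dst and sends the first flight, e.g. a serialized ClientHello.
 * sendto(MSG_FASTOPEN) stands in for connect(): with a cached Fast Open
 * cookie the bytes ride in the SYN; without one the kernel does a normal
 * handshake, asks for a cookie, and sends the bytes afterwards.
 * Returns the connected socket or -1; *used_tfo reports the path taken. */
int tfo_connect_send(const struct sockaddr_in *dst, const void *buf,
                     size_t len, int *used_tfo)
{
    const struct sockaddr *sa = (const struct sockaddr *)dst;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, buf, len, MSG_FASTOPEN, sa, sizeof *dst);
    *used_tfo = (n >= 0);
    if (n < 0) {  /* e.g. EOPNOTSUPP: fall back to a classic connect() */
        if (connect(fd, sa, sizeof *dst) < 0) { close(fd); return -1; }
        n = 0;
    }
    if (send_all(fd, (const char *)buf + n, len - (size_t)n) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```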