Welcome! Log In Create A New Profile

Advanced

Re: OpenSSL and Early data

Sergey Kandaurov
December 06, 2018 10:14AM
> On 6 Dec 2018, at 02:39, Honza Prachař <jan.prachar@gmail.com> wrote:
>
> Hello! FYI there is an issue with TLS 1.3 Early data in OpenSSL –
> https://github.com/openssl/openssl/issues/7757
>
> So maybe you would want to consider ignoring Early data with HTTP/2 and OpenSSL. Or try to fix the problem on the nginx side, i.e. do not call SSL_read_early_data() until all pending data is written with SSL_write_early_data().

Hello.

This is not strictly related to HTTP/2.
I could reproduce it with s_client -early_data over HTTP/1.1,
where 1st request is sent in 0-RTT, and 2nd - after handshake.

This quick workaround helped me. The idea is that we block reading
if SSL_write_early_data returned SSL_ERROR_WANT_WRITE, until one of
the next SSL_write_early_data will succeed. In practice, we won't
read until there's also no more data to send. For static content,
that means that we will continue to read only after the whole file
was sent. This doesn't look perfect but seems to work.

diff -r 2117637f64e9 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Nov 27 17:40:21 2018 +0300
+++ b/src/event/ngx_event_openssl.c Thu Dec 06 14:51:18 2018 +0000
@@ -2352,6 +2352,7 @@

if (sslerr == SSL_ERROR_WANT_WRITE) {

+#if 0
if (c->ssl->saved_read_handler) {

c->read->handler = c->ssl->saved_read_handler;
@@ -2364,6 +2365,11 @@

ngx_post_event(c->read, &ngx_posted_events);
}
+#endif
+ if (c->ssl->saved_read_handler == NULL) {
+ c->ssl->saved_read_handler = c->read->handler;
+ c->read->handler = ngx_ssl_read_handler;
+ }

c->write->ready = 0;
return NGX_AGAIN;


--
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

OpenSSL and Early data

Honza Prachař 149 December 05, 2018 06:40PM

Re: OpenSSL and Early data

Sergey Kandaurov 61 December 06, 2018 10:14AM

Re: OpenSSL and Early data

Jan Prachař 57 December 06, 2018 11:22AM

Re: OpenSSL and Early data

Sergey Kandaurov 41 December 13, 2018 06:44PM

Re: OpenSSL and Early data

Jan Prachař 40 December 14, 2018 06:18AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 73
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready