Re: OpenSSL and Early data

Jan Prachař
December 06, 2018 11:22AM
On Thu, 2018-12-06 at 18:13 +0300, Sergey Kandaurov wrote:
> > On 6 Dec 2018, at 02:39, Honza Prachař <jan.prachar@gmail.com>
> > wrote:
> >
> > Hello! FYI there is an issue with TLS 1.3 Early data in OpenSSL –
> > https://github.com/openssl/openssl/issues/7757
> >
> > So maybe you would want to consider ignoring Early data with HTTP/2
> > and OpenSSL. Or try to fix the problem on the nginx side, i.e. do
> > not call SSL_read_early_data() until all pending data is written
> > with SSL_write_early_data().
>
> Hello.
>
> This is not strictly related to HTTP/2.
> I could reproduce it with s_client -early_data over HTTP/1.1,
> where 1st request is sent in 0-RTT, and 2nd - after handshake.
>
> This quick workaround helped me. The idea is that we block reading
> if SSL_write_early_data returned SSL_ERROR_WANT_WRITE, until one of
> the next SSL_write_early_data calls succeeds. In practice, we won't
> read until there's also no more data to send. For static content,
> that means that we will continue to read only after the whole file
> was sent. This doesn't look perfect but seems to work.

This patch works for me too. SSL_read_early_data waits until all
requested files are sent. Then the handshake is finished.

I am afraid there isn't a better solution until OpenSSL changes things
internally. You could wait with writing application data until the End of
early data record arrives, but this would increase the initial RTT.

>
> diff -r 2117637f64e9 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Tue Nov 27 17:40:21 2018
> +0300
> +++ b/src/event/ngx_event_openssl.c Thu Dec 06 14:51:18 2018
> +0000
> @@ -2352,6 +2352,7 @@
>
> if (sslerr == SSL_ERROR_WANT_WRITE) {
>
> +#if 0
> if (c->ssl->saved_read_handler) {
>
> c->read->handler = c->ssl->saved_read_handler;
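Review bot: wrapping the existing restore block in `#if 0` instead of deleting it leaves dead code in the SSL_ERROR_WANT_WRITE branch, and a later reader cannot tell whether `c->read->handler = c->ssl->saved_read_handler;` is disabled because it is wrong or only as a stop-gap. If this goes in beyond a quick workaround, drop the block and put a short comment in its place saying why the saved read handler must not be restored on WANT_WRITE while 0-RTT data is pending, pointing at openssl/openssl#7757 from the thread.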
> @@ -2364,6 +2365,11 @@
>
> ngx_post_event(c->read, &ngx_posted_events);
> }
> +#endif
> + if (c->ssl->saved_read_handler == NULL) {
> + c->ssl->saved_read_handler = c->read->handler;
> + c->read->handler = ngx_ssl_read_handler;
> + }
>
> c->write->ready = 0;
> return NGX_AGAIN;
>
>
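Review bot: the new block runs on every SSL_ERROR_WANT_WRITE, not only while early data is being written, so the "no reads until a write succeeds" behaviour described in the message now applies to every TLS connection, including cases where WANT_WRITE is plain socket backpressure unrelated to 0-RTT. Consider guarding `if (c->ssl->saved_read_handler == NULL)` on the connection still being in the early-data phase. Note also that the hunk only installs `ngx_ssl_read_handler`; the patch relies on the write function's success path to restore `c->read->handler`, which is not shown here and should be called out in the commit message so the pairing is not lost in a later refactor.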

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
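To make the handler swap in the workaround above concrete, here is a small model written for this page (it is not nginx's code; `ssl_write_handler`, `redirect_read`, `run_model` and the simulated TLS write are hypothetical, and the assumption that a read event is redirected into the write handler mirrors what nginx's `ngx_ssl_read_handler` does). While the simulated SSL_write_early_data keeps returning WANT_WRITE, read events only re-drive the write, and application reads resume only once a write succeeds.

```c
#include <stddef.h>
enum { SSL_OK = 0, SSL_WANT_WRITE = 1 };
typedef struct conn conn_t;
typedef void (*handler_t)(conn_t *c);

struct conn {
    handler_t read_handler;        /* current read handler */
    handler_t saved_read_handler;  /* parked handler, NULL when none */
    handler_t write_handler;
    int reads_delivered;           /* times the application read handler ran */
    int writes_left_before_ok;     /* simulated backpressure from the TLS stack */
};

/* Application read handler; in nginx this would read the HTTP request. */
static void app_read(conn_t *c) { c->reads_delivered++; }

/* Stand-in for ngx_ssl_read_handler: while a write is pending, a read event
 * re-drives the write path instead of reading (assumed, as in nginx). */
static void redirect_read(conn_t *c) { c->write_handler(c); }

/* Simulated SSL_write_early_data(): WANT_WRITE a set number of times, then OK. */
static int sim_ssl_write(conn_t *c)
{ return c->writes_left_before_ok-- > 0 ? SSL_WANT_WRITE : SSL_OK; }

static void ssl_write_handler(conn_t *c)
{
    if (sim_ssl_write(c) == SSL_WANT_WRITE) {
        if (c->saved_read_handler == NULL) {   /* the block the patch adds */
            c->saved_read_handler = c->read_handler;
            c->read_handler = redirect_read;
        }
        return;
    }
    if (c->saved_read_handler != NULL) {       /* write succeeded: restore */
        c->read_handler = c->saved_read_handler;
        c->saved_read_handler = NULL;
        c->read_handler(c);                    /* the re-posted read event */
    }
}

/* One write attempt followed by read_events read events. Returns how many
 * times the application read handler actually ran. */
int run_model(int backpressure_writes, int read_events)
{
    conn_t c = { app_read, NULL, ssl_write_handler, 0, backpressure_writes };
    c.write_handler(&c);
    for (int i = 0; i < read_events; i++) c.read_handler(&c);
    return c.reads_delivered;
}
```

With three pending WANT_WRITE results and only two read events, no application read happens at all; with two, the second read event drives the write to success and reading resumes from there.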