Enable SSL_MODE_ENABLE_FALSE_START if jdkCompatibilityMode is false #10407
Conversation
|
This depends on netty/netty-tcnative#558 |
normanmaurer
requested review from
carl-mastrangelo,
chrisvest,
ejona86 and
idelpivnitskiy
|
Curious here. Since this PR depends on another, would you be interested by a github app that prevents a PR from being merged until its dependency is itself merged ? cc @normanmaurer |
|
@ejona86 as far as I am aware BoringSSL will only enable it if safe... Conscrypt enables it by default it seems. |
|
tl;dr: Yeah, you can freely enable it, provided your code is okay with the funny I/O patterns it causes. False Start bypasses TLS 1.2's downgrade protection so it indeed should only be used with the most preferred cipher suites. BoringSSL requires ECDHE + AEAD internally, which are the strongest parameters for TLS 1.2. Then there's TLS 1.3, but that's why TLS 1.3 injects a ServerHello.random signal into TLS 1.2. BoringSSL sends and enforces that signal by default. We do have an option to disable this check (it was needed early on due to non-compliant enterprise proxies, but we're in the process of phasing that out), but even when disabled, we still gate False Start on that signal. We additionally, by default, require ALPN with False Start. This isn't needed for security, just an old compatibility hack. Since the cipher suite requirements have since increased, it's possible we can remove it now. But servers ought to move to TLS 1.3 anyway. |
|
@davidben thanks for verify... we may also disable the ALPN requirement I guess... Does this sound ok to you ? |
|
No problems security-wise. |
|
@davidben thanks for the input... |
|
I will pull this one in once we had a netty-tcnative release which includes the needed change |
Motivation: To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported Modifications: Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false Result: Less RTTs and so lower latency when TLS False Start is supported
normanmaurer
force-pushed
the
tls_false_start
branch
from
dae7b9b
to
f817605
Compare
|
Let me merge this as we have support for it now in netty-tcnative :) |
…10407) Motivation: To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported Modifications: Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false Result: Less RTTs and so lower latency when TLS False Start is supported
… false (#10407)" Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (#10407)" (#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (#10407)" (#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (netty#10407)" (netty#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
Motivation:
To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported
Modifications:
Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false
Result:
Less RTTs and so lower latency when TLS False Start is supported