-
-
Notifications
You must be signed in to change notification settings - Fork 15.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable SSL_MODE_ENABLE_FALSE_START if jdkCompatibilityMode is false #10407
Conversation
This depends on netty/netty-tcnative#558 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Curious here. Since this PR depends on another, would you be interested by a github app that prevents a PR from being merged until its dependency is itself merged ? cc @normanmaurer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually. False Start isn't safe unless you are using a modern cipher suite, as otherwise a MitM could downgrade to a weaker cipher for an attack. Does that mean we want it to be more opt-in?
@ejona86 as far as I am aware BoringSSL will only enable it if safe... Conscrypt enables it by default it seems. |
tl;dr: Yeah, you can freely enable it, provided your code is okay with the funny I/O patterns it causes. False Start bypasses TLS 1.2's downgrade protection so it indeed should only be used with the most preferred cipher suites. BoringSSL requires ECDHE + AEAD internally, which are the strongest parameters for TLS 1.2. Then there's TLS 1.3, but that's why TLS 1.3 injects a ServerHello.random signal into TLS 1.2. BoringSSL sends and enforces that signal by default. We do have an option to disable this check (it was needed early on due to non-compliant enterprise proxies, but we're in the process of phasing that out), but even when disabled, we still gate False Start on that signal. We additionally, by default, require ALPN with False Start. This isn't needed for security, just an old compatibility hack. Since the cipher suite requirements have since increased, it's possible we can remove it now. But servers ought to move to TLS 1.3 anyway. |
@davidben thanks for verify... we may also disable the ALPN requirement I guess... Does this sound ok to you ? |
No problems security-wise. |
@davidben thanks for the input... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, right. Boringssl requires better ciphers. It is good to be boring.
I will pull this one in once we had a netty-tcnative release which includes the needed change |
Motivation: To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported Modifications: Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false Result: Less RTTs and so lower latency when TLS False Start is supported
dae7b9b
to
f817605
Compare
Let me merge this as we have support for it now in netty-tcnative :) |
…10407) Motivation: To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported Modifications: Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false Result: Less RTTs and so lower latency when TLS False Start is supported
… false (#10407)" Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (#10407)" (#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (#10407)" (#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
… false (netty#10407)" (netty#10980) Motivation: TLS_FALSE_START slightly changes the "flow" during handshake which may cause suprises for the end-user. We should better disable it by default again and later add a way to enable it for the user. Modification: This reverts commit 514d349. Result: Restore "old flow" during TLS handshakes.
Motivation:
To reduce latency and RTTs we should use TLS False Start when jdkCompatibilityMode is not required and its supported
Modifications:
Use SSL_MODE_ENABLE_FALSE_START when jdkCompatibilityMode is false
Result:
Less RTTs and so lower latency when TLS False Start is supported