wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openssl/doc
History
Benjamin Kaduk c39e4048b5 Do not set a nonzero default max_early_data 
When early data support was first added, this seemed like a good
idea, as it would allow applications to just add SSL_read_early_data()
calls as needed and have things "Just Work".  However, for applications
that do not use TLS 1.3 early data, there is a negative side effect.
Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
derived from it) means that when generating a session ticket,
tls_construct_stoc_early_data() will indicate to the client that
the server supports early data.  This is true, in that the implementation
of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
necessarily indicate that the server application supports early data,
when the default value is nonzero.  In this case a well-intentioned
client would send early data along with its resumption attempt, which
would then be ignored by the server application, a waste of network
bandwidth.

Since, in order to successfully use TLS 1.3 early data, the application
must introduce calls to SSL_read_early_data(), it is not much additional
burden to require that the application also calls
SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
so closes this scenario where early data packets would be sent on
the wire but ignored.

Update SSL_read_early_data.pod accordingly, and make s_server and
our test programs into applications that are compliant with the new
requirements on applications that use early data.

Fixes #4725

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5483)
2018-02-28 21:47:09 -06:00
..
HOWTO Add EC key generation paragraph in doc/HOWTO/keys.txt 2017-08-01 22:28:32 +02:00
man1 Update copyright year 2018-02-27 13:59:42 +00:00
man3 Do not set a nonzero default max_early_data 2018-02-28 21:47:09 -06:00
man5 Fixes #4459 "issuserAltName" documentation typo. 2017-10-05 21:30:59 +02:00
man7 STORE: Add documentation on search criteria 2018-02-23 07:40:42 +01:00
dir-locals.example.el Adjust the general fill-column in doc/dir-locals.example.el 2015-09-08 00:59:50 +02:00
fingerprints.txt RT3802: Fixes typos in doc/crypto/ 2015-05-03 08:51:23 -04:00
openssl-c-indent.el Fix typo in documents 2017-08-01 09:30:11 +10:00
README More typo fixes 2017-03-29 07:14:29 +02:00

README 

README  This file

fingerprints.txt
        PGP fingerprints of authorised release signers

standards.txt
        Moved to the web, https://www.openssl.org/docs/standards.html

HOWTO/
        A few how-to documents; not necessarily up-to-date

man1/
        The openssl command-line tools; start with openssl.pod

man3/
        The SSL library and the crypto library

man5/
        File formats

man7/
        Overviews; start with crypto.pod and ssl.pod, for example
        Algorithm specific EVP_PKEY documentation.

Formatted versions of the manpages (apps,ssl,crypto) can be found at
        https://www.openssl.org/docs/manpages.html