cURL / Mailing Lists / curl-library / Single Mail

curl-library

[PATCH/RFC] Support for TLS False Start

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Sat, 14 Feb 2015 19:06:21 +0100

Hello,

I've implemented new libcurl/curl options for enabling TLS false start [0].
AFAICT only nss supports it so only the nss backend implements the new option.

Both chromium and firefox enable false start only if the server also suports
NPN/ALPN or if it supports forward secrecy in order to avoid weird/broken SSL
implementations. Also, since there is a chance that application data is sent to
an imposter (since we send the data before verifying the server's Finished
frame), it is also recommended to only enable false start when strong ciphers
are used. So I wonder, should we do all theses checks in libcurl too or just let
the user decide?

Anyway, see attached patches (I'm sending them during the freeze so that I can
get some comments early).

To verify that it works you can use wireshark to capture the TLS handshake. For
example, using curl on the server https://www.ghedini.me without false start,
the first "Application Data" comes after the server's "Change Cipher Spec":

10 0.167263 192.168.1.129 -> 149.154.152.214 TLSv1.2 640 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
11 0.279561 149.154.152.214 -> 192.168.1.129 TCP 66 443→36077 [ACK] Seq=3565 Ack=709 Win=15552 Len=0 TSval=390241702 TSecr=6631431
12 0.337845 149.154.152.214 -> 192.168.1.129 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
13 0.338256 192.168.1.129 -> 149.154.152.214 TLSv1.2 177 Application Data

With false start enabled the "Application Data" comes before the "Change
Cipher Spec":

10 0.170108 192.168.1.129 -> 149.154.152.214 TLSv1.2 640 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
11 0.288298 149.154.152.214 -> 192.168.1.129 TCP 66 443→36080 [ACK] Seq=3565 Ack=709 Win=15552 Len=0 TSval=390260804 TSecr=6650533
12 0.288338 192.168.1.129 -> 149.154.152.214 TLSv1.2 177 Application Data
13 0.345018 149.154.152.214 -> 192.168.1.129 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message

Cheers

[0] https://tools.ietf.org/html/draft-bmoeller-tls-falsestart

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

text/x-diff attachment: 0001-url-add-CURLOPT_SSL_FALSESTART-option.patch

text/x-diff attachment: 0002-nss-add-support-for-TLS-False-Start.patch

text/x-diff attachment: 0003-curl-add-false-start-option.patch

application/pgp-signature attachment: Digital signature

Received on 2015-02-14

This message: [ Message body ]
Next message: Steve Holme: "RE: [PATCH] curl.1: --cert-status is also supported by OpenSSL now"
Previous message: Alessandro Ghedini: "[PATCH] curl.1: --cert-status is also supported by OpenSSL now"
Next in thread: Daniel Stenberg: "Re: [PATCH/RFC] Support for TLS False Start"
Reply: Daniel Stenberg: "Re: [PATCH/RFC] Support for TLS False Start"
Reply: Nick Zitzmann: "Re: [PATCH/RFC] Support for TLS False Start"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]