
Reused TLS1.3 but Early data was not sent

Discussion in 'Blogs & CMS usage' started by fablab, May 8, 2022.

  1. fablab

    fablab New Member

    Hi everyone.

    I wanted to use 0-RTT on my 123.09beta01 Centmin v813.

    I followed the instructions on
    https://community.centminmod.com/threads/nginx-announce-nginx-1-15-4.15672/page-4#post-69543


    and included the following in my config
    Code:
      ssl_early_data on;
      proxy_set_header Early-Data $ssl_early_data;
    
    (not sure if I am supposed to, but I am not seeing an Early-Data header)

    Running the 1st command, which connects and saves the session,
    seems to be working well as I received the 2 (default) Post-Handshake New Session Tickets; however, each
    gives me an unexpected Max Early Data: 0 (I do not know if this is expected...)
    Running the 2nd command shows the session was reused, but no Early Data was sent.
    What am I missing??

    This is my nginx -V
  2. eva2000

    eva2000 Administrator Staff Member

    Make sure you use Centmin Mod's openssl 1.1.1 version at /opt/openssl/bin/openssl and not system openssl version 1.0.2k at /usr/bin/openssl

    i.e.
    Code (Text):
    /opt/openssl/bin/openssl s_client -connect http2.domain.com:443 -sess_out session.pem
    

    and replay
    Code (Text):
    echo -n | /opt/openssl/bin/openssl s_client -connect http2.domain.com:443 -sess_in session.pem -early_data /tmp/https.txt

  3. fablab

    fablab New Member

    Hi George,

    Thanks for the tip.
    Unfortunately, I have exactly the same results using /opt/openssl/bin/openssl on the server itself.

    (For the record, I was testing from a separate OEL8.5 machine which has openssl 1.1.1k.
    Still, you are right: I just tested on the server itself with the system 1.0.2k; the 1st connection only does a TLS1.2 handshake, and the 2nd command fails as the -early_data option is unsupported.)

    But this is not what I was doing wrong. It must be something else :)
    Any other tip?
  4. eva2000

    eva2000 Administrator Staff Member

    Only OpenSSL 1.1.1 supports TLSv1.3. But TLSv1.3 early data isn't something I have tested much, so no idea why.

    However, I just tested this myself on Centmin Mod and it works fine for me.

    /tmp/https.txt has the following content
    Code (Text):
    GET / HTTP/1.1
    Host: domain.com:443

    Nginx vhost with 2 directives added above location context for /
    Code (Text):
      ssl_early_data on;
      proxy_set_header Early-Data $ssl_early_data;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    

    Code (Text):
    /opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_out session.pem
    
    excerpt...
    
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 5F87576B119D8FC9D6E2D3497753884A5A82025DE49EA432AEE9F08C656C6A85
        Session-ID-ctx:
        Resumption PSK: 0D4D9222D9B4F7CA27A92EB730C90E83C7133C3030806EC59B0CBAF2BD7FFF3A5C1B175CF71598C74D56770CFB105BC5
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 84 38 94 93 20 d3 4d b0-e6 5e 35 fc 9e 88 51 73   .8.. .M..^5...Qs
        0010 - c4 c8 e2 f5 a8 98 82 a6-f4 eb 31 b4 cb b8 6a f3   ..........1...j.
        0020 - f7 ba 2c bd 9b 5f 03 e6-49 d7 35 28 9e 10 1b 15   ..,.._..I.5(....
        0030 - ef de 92 64 e3 88 4a eb-1e 93 13 61 24 6e 60 01   ...d..J....a$n`.
        0040 - 46 a0 c5 a5 b4 c5 6e 3c-0e be 67 ff aa 93 97 f6   F.....n<..g.....
        0050 - 4c 96 8c 4d e6 97 33 a5-f1 83 86 d0 e9 d6 f6 7c   L..M..3........|
        0060 - 50 96 b8 01 6f b2 a4 d9-2c 0e 35 ac bd 5f 38 a8   P...o...,.5.._8.
        0070 - 0d 1e 1e 9f bc 54 1e 05-77 fe 4d 4a e4 ba ea 24   .....T..w.MJ...$
        0080 - d4 1e 6a 58 67 2e 41 b3-d6 de af dc 22 75 b1 b0   ..jXg.A....."u..
        0090 - df cf 18 56 29 51 bb d1-14 ff 9e d2 54 40 a8 00   ...V)Q......T@..
        00a0 - 3e 23 3f c2 b1 bb c6 be-65 bd e3 d9 68 af 5d 06   >#?.....e...h.].
        00b0 - ad b0 e6 cd 3c 69 b9 6a-e1 1a bc 34 68 09 0b cf   ....<i.j...4h...
        00c0 - f2 cf 20 f4 6b 87 0d 1e-43 a8 1d d5 07 25 7c 27   .. .k...C....%|'
        00d0 - f6 e6 44 4f 2e 95 fb f6-cf c4 15 84 7c cf 47 b1   ..DO........|.G.
        00e0 - 54 5c 8a 7c 5b 5e 2f 84-70 b4 b5 0b 79 49 bd 41   T\.|[^/.p...yI.A
    
        Start Time: 1651995064
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: no
        Max Early Data: 16384
    ---
    read R BLOCK
    

    with
    Code (Text):
    Max Early Data: 16384


    replay
    Code (Text):
    echo -n | /opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_in session.pem -early_data /tmp/https.txt
    
    ---
    Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was accepted
    Verify return code: 18 (self signed certificate)
    ---
    DONE
    

    with
    Code (Text):
    Early data was accepted


    Tested this on Centmin Mod with CentOS 7.9 64bit on the same server, as well as on a client server with Alma Linux 8.5 with OpenSSL 1.1.1.
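The two-step check above (save a session with -sess_out, then resume it with -sess_in and -early_data) can be scripted so that the two s_client outputs are read for you and turned into a single verdict. The script below is an added example, not code from this thread or from Centmin Mod. It assumes an OpenSSL 1.1.1 or newer binary at /opt/openssl/bin/openssl (overridable via OPENSSL), and the host, port, file paths and the sample output strings at the bottom are constructed placeholders for illustration. The key thing it encodes is the failure seen in the first post: a session ticket that advertises Max Early Data: 0 means the server never offered early data, so the client will not send any on resumption and s_client reports "Early data was not sent".

```shell
#!/bin/sh
# Added example (not from the thread): automate the save-session / resume-with-
# early-data check and explain s_client's output.
# Assumptions: OPENSSL is an OpenSSL 1.1.1+ binary; host, port and file paths
# are caller-supplied placeholders.

OPENSSL=${OPENSSL:-/opt/openssl/bin/openssl}

# max_early_data OUTPUT
#   Print the largest "Max Early Data: N" value in s_client output, or 0 when
#   no such line is present. 0 means the ticket does not permit early data.
max_early_data() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Max Early Data:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        sort -n | tail -n 1)
    echo "${n:-0}"
}

# session_reused OUTPUT
#   "yes" when the resumption attempt printed a "Reused, TLSv1.3" line.
session_reused() {
    case "$1" in
        *"Reused, TLSv1.3"*) echo yes ;;
        *) echo no ;;
    esac
}

# early_data_status OUTPUT
#   Map the early-data status line s_client prints after a resumption attempt.
early_data_status() {
    case "$1" in
        *"Early data was accepted"*) echo accepted ;;
        *"Early data was rejected"*) echo rejected ;;
        *"Early data was not sent"*) echo not_sent ;;
        *) echo unknown ;;
    esac
}

# diagnose TICKET_OUTPUT REPLAY_OUTPUT
#   Combine the output of both steps into one verdict; non-zero on any failure.
diagnose() {
    max=$(max_early_data "$1")
    if [ "$max" -eq 0 ]; then
        echo "no-early-data-offered: ticket advertised Max Early Data: 0 (check ssl_early_data on in the vhost that serves this SNI name)"
        return 1
    fi
    if [ "$(session_reused "$2")" != yes ]; then
        echo "not-resumed: server did a full handshake instead of resuming the saved session"
        return 1
    fi
    case "$(early_data_status "$2")" in
        accepted) echo "ok: session resumed and early data accepted (Max Early Data: $max)" ;;
        rejected) echo "rejected: session resumed but the server discarded the early data"; return 1 ;;
        not_sent) echo "not-sent: client did not send early data on resumption"; return 1 ;;
        *)        echo "unknown: no early data status line in replay output"; return 1 ;;
    esac
}

# check_zero_rtt HOST PORT EARLY_DATA_FILE [SESSION_FILE]
#   Run both s_client steps against a live server (printf '' stands in for the
#   thread's "echo -n |") and print the verdict.
check_zero_rtt() {
    host=$1; port=$2; early=$3; sess=${4:-session.pem}
    ticket_out=$(printf '' | "$OPENSSL" s_client -connect "$host:$port" \
        -servername "$host" -sess_out "$sess" 2>&1)
    replay_out=$(printf '' | "$OPENSSL" s_client -connect "$host:$port" \
        -servername "$host" -sess_in "$sess" -early_data "$early" 2>&1)
    diagnose "$ticket_out" "$replay_out"
}

# Constructed sample outputs, trimmed to the lines the checks look at, so the
# parsing can be exercised offline; these are not captures from the thread.
SAMPLE_TICKET_NO_EARLY='    Max Early Data: 0'
SAMPLE_TICKET_OK='    Max Early Data: 16384'
SAMPLE_REPLAY_NOT_SENT='Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Early data was not sent'
SAMPLE_REPLAY_OK='Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Early data was accepted'

# Usage: sh check_zero_rtt.sh domain.com 443 /tmp/https.txt
if [ $# -ge 3 ]; then
    check_zero_rtt "$@"
fi
```

The -servername flag matters for the diagnosis: early data is enabled per server block, so the ticket's Max Early Data reflects the vhost that matched the SNI name, which is consistent with the fresh vhost fixing it later in this thread. Once early data is accepted, keep in mind that 0-RTT requests can be replayed by anyone who captured them; that is what the proxy_set_header Early-Data $ssl_early_data line is for, so the upstream application can refuse non-idempotent requests arriving with Early-Data: 1 (HTTP status 425 Too Early, RFC 8470) and let the client retry after the handshake completes.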
  5. fablab

    fablab New Member

    hum...
    I'll try on a fresh new test vhost then.
    I'll upgrade to 124.00stable first :) Congrats on the 2 x releases ....
    Thanks again George.

  6. fablab

    fablab New Member

    Great news. On a fresh vhost, Early data was accepted.
    Thank you all... Now we only have to wait for curl and Chrome to support 0-RTT [FF already does].