openssl/ssl
Benjamin Kaduk c39e4048b5 Do not set a nonzero default max_early_data
When early data support was first added, this seemed like a good
idea, as it would allow applications to just add SSL_read_early_data()
calls as needed and have things "Just Work".  However, for applications
that do not use TLS 1.3 early data, there is a negative side effect.
Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
derived from it) means that when generating a session ticket,
tls_construct_stoc_early_data() will indicate to the client that
the server supports early data.  This is true, in that the implementation
of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
necessarily indicate that the server application supports early data,
when the default value is nonzero.  In this case a well-intentioned
client would send early data along with its resumption attempt, which
would then be ignored by the server application, a waste of network
bandwidth.

Since, in order to successfully use TLS 1.3 early data, the application
must introduce calls to SSL_read_early_data(), it is not much additional
burden to require that the application also calls
SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
so closes this scenario where early data packets would be sent on
the wire but ignored.

Update SSL_read_early_data.pod accordingly, and make s_server and
our test programs into applications that are compliant with the new
requirements on applications that use early data.

Fixes #4725

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5483)
2018-02-28 21:47:09 -06:00
..
record Remove OSSLzu, and fix the one place that used it. 2018-02-23 16:49:59 -05:00
statem Tell the ciphers which DRBG to use for generating random bytes. 2018-02-28 21:20:01 +01:00
bio_ssl.c Add comments to NULL func ptrs in bio_method_st 2017-12-18 07:04:48 +10:00
build.info Move ssl/t1_ext.c to ssl/statem/extensions_cust.c 2017-04-07 13:41:04 +01:00
d1_lib.c More record layer conversions to use SSLfatal() 2017-12-08 16:42:02 +00:00
d1_msg.c Remove parentheses of return. 2017-10-18 16:05:06 +01:00
d1_srtp.c Move client parsing of ServerHello extensions into new framework 2016-12-08 17:18:25 +00:00
methods.c Drop support for OPENSSL_NO_TLS1_3_METHOD 2017-06-30 09:41:46 +01:00
packet_locl.h TLS1.3 Padding 2017-05-02 09:44:43 +01:00
packet.c Move ossl_assert 2017-08-03 10:48:00 +01:00
pqueue.c Update copyright header 2017-07-30 17:42:00 -04:00
s3_cbc.c Move ossl_assert 2017-08-03 10:48:00 +01:00
s3_enc.c Tell the ciphers which DRBG to use for generating random bytes. 2018-02-28 21:20:01 +01:00
s3_lib.c Update copyright year 2018-02-13 13:59:25 +00:00
s3_msg.c Update copyright year 2018-02-13 13:59:25 +00:00
ssl_asn1.c ssl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX. 2017-11-13 10:58:21 +01:00
ssl_cert_table.h Add RSA-PSS key certificate type. 2017-09-20 12:50:23 +01:00
ssl_cert.c Update copyright years on all files merged since Jan 1st 2018 2018-01-09 05:49:01 +01:00
ssl_ciph.c Copyright update of more files that have changed this year 2018-01-19 13:34:03 +01:00
ssl_conf.c Update copyright year 2018-02-13 13:59:25 +00:00
ssl_err.c Add TLSv1.3 post-handshake authentication (PHA) 2018-02-01 17:07:56 +00:00
ssl_init.c In OPENSSL_init_ssl(), run the base ssl init before OPENSSL_init_crypto() 2017-12-08 16:08:39 +01:00
ssl_lib.c Do not set a nonzero default max_early_data 2018-02-28 21:47:09 -06:00
ssl_locl.h Export keying material using early exporter master secret 2018-02-26 13:35:54 +00:00
ssl_mcnf.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_rsa.c Remove parentheses of return. 2017-10-18 16:05:06 +01:00
ssl_sess.c Consistent formatting for sizeof(foo) 2017-12-07 19:11:49 -05:00
ssl_stat.c Merge HRR into ServerHello 2017-12-14 15:06:37 +00:00
ssl_txt.c Remove parentheses of return. 2017-10-18 16:05:06 +01:00
ssl_utst.c Remove heartbeat support 2016-11-13 16:24:02 -05:00
t1_enc.c Tell the ciphers which DRBG to use for generating random bytes. 2018-02-28 21:20:01 +01:00
t1_lib.c Sanity check the ticket length before using key name/IV 2018-02-21 11:19:11 +00:00
t1_trce.c Add TLSv1.3 post-handshake authentication (PHA) 2018-02-01 17:07:56 +00:00
tls13_enc.c Tell the ciphers which DRBG to use for generating random bytes. 2018-02-28 21:20:01 +01:00
tls_srp.c Convert remaining functions in statem_clnt.c to use SSLfatal() 2017-12-04 13:31:48 +00:00