We have set "ssl_early_data on;" and "proxy_set_header Early-Data $ssl_early_data;" in the nginx 1.15.6 config, built with OpenSSL 1.1.1, but when we run the command below it shows "Early data was not sent". Any idea how to resolve this issue?

openssl s_client -connect www.rupeevest.com:443

SSL handshake has read 4693 bytes and written 399 bytes

Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)


1 Answer

In order to send "early-data", client and server must support PSK exchange mode (session cookies). See https://tools.ietf.org/html/rfc8446#section-2.3

To verify using OpenSSL, as a use-case example, first save the session to a file, then use that session file to send early data (the HTTP request) to the server.

$ host=www.example.org # replace with your server name
$ echo -e "HEAD / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n" > request.txt
$ openssl s_client -connect $host:443 -tls1_3 -sess_out session.pem -ign_eof < request.txt
$ openssl s_client -connect $host:443 -tls1_3 -sess_in session.pem -early_data request.txt

Note your server must support TLS 1.3 and 0-RTT or the example won't work.

Hope this helps!
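The two-step procedure above, wrapped into a reusable check (added example, not from the original answer): the first connection stores the session ticket, the second resumes it with the request as 0-RTT data, and the s_client output is classified by its "Early data ..." status line. The hostname is a placeholder you supply; only the parsing helper runs offline.

```shell
#!/bin/sh
# Added example: check whether a server accepts TLS 1.3 early data.

# Classify captured s_client output by its early-data status line.
# Prints one of: accepted, rejected, not-sent, unknown
early_data_status() {
  case "$1" in
    *"Early data was accepted"*) echo accepted ;;
    *"Early data was rejected"*) echo rejected ;;
    *"Early data was not sent"*) echo not-sent ;;
    *) echo unknown ;;
  esac
}

# Build the HTTP request that will be sent as 0-RTT data.
# Keep it idempotent (HEAD/GET): 0-RTT data offers no replay
# protection, so a non-idempotent request could be replayed.
build_request() {
  printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Full check (needs network access): save the session, then resume it
# and send the request file as early data, as in the answer above.
check_early_data() {
  host="$1"
  workdir=$(mktemp -d)
  build_request "$host" > "$workdir/request.txt"
  openssl s_client -connect "$host:443" -tls1_3 \
    -sess_out "$workdir/session.pem" -ign_eof \
    < "$workdir/request.txt" > /dev/null 2>&1
  out=$(openssl s_client -connect "$host:443" -tls1_3 \
    -sess_in "$workdir/session.pem" \
    -early_data "$workdir/request.txt" 2>&1 < /dev/null)
  rm -rf "$workdir"
  early_data_status "$out"
}

# Usage: check_early_data www.example.org   # placeholder hostname
```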