[gnutls-devel] TCP Fast Open

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 22 21:56:48 CEST 2016

On Thu 2016-07-21 18:14:57 +0200, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> Yes, you cannot achieve 0-rtt with TLS 1.2 as it is now. For that TLS
> 1.3 will be required.

0-rtt for TLS 1.3 will only work in a situation where the client has
already completed a prior TLS handshake with the server (it needs

Please be aware that pretty much all data sent in a 0-rtt flow on TLS
1.3 will have a range of security properties that differ from
(specifically: are worse than) what's normally expected from traffic in
a TLS flow.  For example, replay protection and forward secrecy
of data in a 0-rtt flow are worse than data in a normal TLS session.

> However, since TLS 1.3 is a completely new protocol (even though its
> name suggests a minor improvement, it will share very little code with
> a TLS 1.2 implementation) and is still under revision, I'll wait a
> little more for the protocol draft to settle down before going into
> any implementation planning.

fwiw, i think the draft has settled down a lot.  at the IETF hackathon
last week, there were 6 implementations all built against draft-14, and
they had most of the full 6×6 interop grid checked off successfully.


More information about the Gnutls-devel mailing list