On 06.02.2015 18:50, Dennis Jacobfeuerborn wrote:
> On 06.02.2015 14:13, Lukas Tribus wrote:
>>> I tried to implement these recommendations but didn't seem to get
>>> results I was expecting. How exactly does one reliably test that the
>>> 1-RTT handshake is actually working?
>>
>> Enable TFO and announce "http/1.1" via NPN and ALPN, that should
>> do it.
>>
>> But your client will have to support all those features as well (for
>> example TFO can't possibly work in Windows).
>>
>> You will have to capture the TLS handshake in wireshark to see
>> how fast it was (in terms of time and RTTs).
>
> This is really what I'm trying to get at. What is a specific way to test
> this? Which clients do support a 1-RTT handshake, and what would a
> Wireshark session look like where the 1-RTT handshake succeeds compared
> to one where it doesn't?
>
> There is a lot of information about this on the internet.
> All of it extremely vague. Surely there must be a way to come up with a
> test scenario that can verify such a setup more deterministically?
Case in point: in the attached capture it looks like TLS False Start is
working, yet I actually haven't activated NPN/ALPN on the HAProxy side,
which means TLS False Start should fail, no?
Regards,
Dennis
No. Time        Source      Destination Protocol Length Info
4   0.000219000 10.99.0.1   10.99.0.202 TLSv1.2  583    Client Hello
5   0.000490000 10.99.0.202 10.99.0.1   TLSv1.2  227    Server Hello, Change Cipher Spec, Encrypted Handshake Message
7   0.001503000 10.99.0.1   10.99.0.202 TLSv1.2  141    Change Cipher Spec, Encrypted Handshake Message
8   0.001594000 10.99.0.1   10.99.0.202 TLSv1.2  727    Application Data
10  0.002317000 10.99.0.202 10.99.0.1   TLSv1.2  231    Application Data
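As an added example (not part of the thread), here is a small Python classifier over Wireshark packet-list summaries that gives the deterministic check asked for above: it tells an abbreviated (resumed) handshake from a full one and from False Start by looking at whether the server's first flight carries Change Cipher Spec and how many server flights arrive before the client's first Application Data. RESUMED is the capture above reflowed one frame per line; FULL_2RTT is a constructed full handshake between the same hosts.

```python
import re
# Constructed input: Wireshark packet-list summaries, one frame per line
# (No. Time Source Destination Protocol Length Info). RESUMED is the thread's
# capture reflowed; FULL_2RTT is a hypothetical full handshake, no False Start.
RESUMED = """\
4 0.000219000 10.99.0.1 10.99.0.202 TLSv1.2 583 Client Hello
5 0.000490000 10.99.0.202 10.99.0.1 TLSv1.2 227 Server Hello, Change Cipher Spec, Encrypted Handshake Message
7 0.001503000 10.99.0.1 10.99.0.202 TLSv1.2 141 Change Cipher Spec, Encrypted Handshake Message
8 0.001594000 10.99.0.1 10.99.0.202 TLSv1.2 727 Application Data
10 0.002317000 10.99.0.202 10.99.0.1 TLSv1.2 231 Application Data
"""
FULL_2RTT = """\
4 0.000200000 10.99.0.1 10.99.0.202 TLSv1.2 583 Client Hello
5 0.000500000 10.99.0.202 10.99.0.1 TLSv1.2 1500 Server Hello, Certificate, Server Key Exchange, Server Hello Done
7 0.001500000 10.99.0.1 10.99.0.202 TLSv1.2 200 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
8 0.001800000 10.99.0.202 10.99.0.1 TLSv1.2 120 Change Cipher Spec, Encrypted Handshake Message
9 0.002600000 10.99.0.1 10.99.0.202 TLSv1.2 727 Application Data
"""
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse(text):
    """One dict per frame: source, destination and the TLS records in it."""
    frames = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            frames.append({"src": m.group(3), "dst": m.group(4),
                           "msgs": [s.strip() for s in m.group(7).split(",")]})
    return frames

def classify(frames):
    """Return (shape, round_trips): handshake shape and the number of server
    flights seen before the client's first Application Data record.
    abbreviated: server's first flight carries Change Cipher Spec (session
    resumption, RFC 5246 7.3); false-start: client data precedes the server's
    Change Cipher Spec (RFC 7918); full: client waits for server Finished."""
    client = next(f["src"] for f in frames if "Client Hello" in f["msgs"])
    flights, server_ccs, first_server, last_src = 0, False, [], None
    for f in frames:
        if f["src"] != client:                       # server -> client record
            flights += last_src != f["src"]          # new flight on direction change
            first_server = first_server or f["msgs"]
            server_ccs = server_ccs or "Change Cipher Spec" in f["msgs"]
        elif "Application Data" in f["msgs"]:        # client's first data record
            if "Change Cipher Spec" in first_server:
                return "abbreviated", flights
            return ("full" if server_ccs else "false-start"), flights
        last_src = f["src"]
    return "incomplete", flights
```

In the posted capture the server's first flight already carries Change Cipher Spec, which is the abbreviated (resumption) shape, so it completes in one round trip whether or not False Start is in play. A genuine False Start test needs a fresh session (no resumption) and then checks that the client's Application Data precedes the server's Change Cipher Spec.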