On Tue, Jan 08, 2019 at 03:00:32PM +0100, Janusz Dziemidowicz wrote:
> On Fri, 4 Jan 2019 at 11:59 Olivier Houchard <ohouch...@haproxy.com> wrote:
> > I understand the concern.
> > I checked and both nghttp2 and nginx disable the replay protection. The idea
> > is you're supposed to allow early data only on harmless requests anyway, i.e.
> > ones that could be replayed with no consequence.
>
> Sorry for the late reply, I was pondering the problem ;) I'm pretty ok
> with this patch, especially since others seem to do the same. And my
> use case is DNS-over-TLS, which has no problems with replays anyway ;)
>
> However, I believe in general this is a bit more complicated. RFC 8446
> described this in detail in section 8:
> https://tools.ietf.org/html/rfc8446#section-8
> My understanding is that RFC highly recommends anti-replay with 0-RTT.
> It seems that s_server implements single-use tickets, which is exactly
> what is in section 8.1. The above patch disables anti-replay
> completely in haproxy, which might warrant some updates to the
> documentation about the allow-0rtt option?
>
Hi Janusz,

Yes indeed, I thought I documented it better than that, but obviously I didn't :)

The allow-0rtt option was added before OpenSSL added anti-replay protection, and I'm pretty sure the RFC wasn't talking about it yet, it was mostly saying it was a security concern, so it was designed with "only allow it for what would be safe to replay", and the documentation should certainly reflect that. I will make it explicit.

Thanks a lot!

Olivier
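As an added illustration of the two approaches the thread contrasts (RFC 8446 section 8.1 single-use tickets versus running without anti-replay and accepting early data only for requests that are harmless to replay), here is a small Python model. It is not part of this thread, of haproxy, of OpenSSL or of any real TLS stack: no handshake is performed, and the ticket identities, the request stream, the `SAFE_METHODS` policy and the in-memory strike register are all constructed for the example.

```python
"""Toy model of the two ways of handling 0-RTT replay discussed in the thread.

Constructed illustration only: no TLS is performed. The ticket identities,
request stream and in-memory strike register below are made up.
"""
from dataclasses import dataclass, field

# RFC 7231 "safe" methods: requests a server may process twice without
# side effects. Assumed policy for a server that runs without anti-replay.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class EarlyDataRequest:
    """A request carried in TLS 1.3 early data (0-RTT)."""
    ticket_id: bytes   # PSK identity the client resumed with (constructed value)
    method: str
    path: str


@dataclass
class SingleUseTicketServer:
    """RFC 8446 section 8.1 style anti-replay: each ticket may carry early
    data once. The strike register stores identities already seen; a second
    ClientHello with the same ticket has its early data rejected, so the
    client must resend the request after the full 1-RTT handshake.
    In a cluster the register has to be shared between nodes, otherwise a
    replay aimed at a different node is not noticed."""
    strike_register: set = field(default_factory=set)

    def accept_early_data(self, req: EarlyDataRequest) -> bool:
        if req.ticket_id in self.strike_register:
            return False           # replayed ticket: reject 0-RTT
        self.strike_register.add(req.ticket_id)
        return True


class ReplayTolerantServer:
    """Anti-replay disabled (the allow-0rtt situation described in the
    thread): nothing detects a replayed ClientHello, so the only defence is
    to let early data through solely for requests that are harmless to run
    twice. Everything else is held until the handshake completes, which a
    replayed ClientHello cannot do because the replayer lacks the PSK."""

    def accept_early_data(self, req: EarlyDataRequest) -> bool:
        return req.method in SAFE_METHODS


def process(server, stream):
    """Run a stream of early-data requests through a server and record,
    per request, whether it was served from 0-RTT or deferred to 1-RTT."""
    return [(req.method, req.path, server.accept_early_data(req))
            for req in stream]


# Constructed traffic: a resumption carrying a non-idempotent request,
# the same ClientHello replayed, and a harmless lookup on another ticket.
SAMPLE_STREAM = [
    EarlyDataRequest(b"ticket-A", "POST", "/transfer?amount=100"),
    EarlyDataRequest(b"ticket-A", "POST", "/transfer?amount=100"),  # replay
    EarlyDataRequest(b"ticket-B", "GET", "/dns-query?name=example.com"),
]


def demo():
    """Decisions of both servers on SAMPLE_STREAM."""
    return {
        "single_use": process(SingleUseTicketServer(), SAMPLE_STREAM),
        "replay_tolerant": process(ReplayTolerantServer(), SAMPLE_STREAM),
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name)
        for method, path, accepted in decisions:
            state = "0-RTT" if accepted else "deferred to 1-RTT"
            print(f"  {method} {path}: {state}")
```

Running the script shows the difference in one glance: the single-use server serves the first POST from early data and refuses the replay, while the replay-tolerant server never serves a POST from early data at all and only lets the GET through, which is the policy Olivier describes as the design behind allow-0rtt. The single-use approach only holds if every node that can accept the ticket consults the same strike register, which is the operational cost section 8.1 is about.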