Posted to dev@trafficserver.apache.org by Fei Deng <du...@apache.org> on 2023/05/23 20:14:05 UTC
Changes to 0-RTT Early Data configurations
Hi All,
It's been requested that the configuration for 0-RTT early data needs to be
changeable per SNI. I've been working on this feature, and the following
example shows the changes I made. Please share your thoughts on this.
Note:
1. The old config still exists; it is a general setting for all TLS
connections.
2. sni.yaml can enable/disable 0-rtt per fqdn; this acts as an override
of the general config.
Examples:
1. proxy.config.ssl.server.max_early_data = 16384
- blank sni.yaml -> old behavior, all connections support 0-rtt
- sni.yaml specifies server_max_early_data = 0 for example.com ->
0-rtt disabled for example.com, all other connections support 0-rtt
2. proxy.config.ssl.server.max_early_data = 0
- blank sni.yaml -> old behavior, all connections don't support
0-rtt
- sni.yaml specifies server_max_early_data = 16384 for example.com
-> 0-rtt enabled only for example.com, all other connections don't
support 0-rtt
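The override rule described above, written out as a small resolver so the four example cases can be checked mechanically. This is an added illustration, not code from the post or from Traffic Server; it uses the thread's key names, takes a constructed dict in place of the parsed sni.yaml, and assumes exact fqdn matching (no wildcards).

```python
"""Resolve the effective 0-RTT early-data limit for a TLS connection.

Rule (from the thread): proxy.config.ssl.server.max_early_data is the
global default; a sni.yaml entry carrying server_max_early_data
overrides it for that fqdn only. Exact, case-insensitive fqdn matching
is an assumption of this example.
"""
from typing import Dict, Iterable, Optional

# Constructed stand-in for the parsed contents of sni.yaml.
SNI_YAML = {
    "sni": [
        {"fqdn": "example.com", "server_max_early_data": 0},
        {"fqdn": "api.example.net", "server_max_early_data": 16384},
        {"fqdn": "static.example.net"},  # no override: global applies
    ]
}


def effective_max_early_data(global_max: int, sni_yaml: dict,
                             fqdn: Optional[str]) -> int:
    """Return the early-data limit in bytes for a connection.

    fqdn is the SNI sent by the client, or None when no SNI was sent
    (in which case only the global setting can apply).
    """
    if fqdn is not None:
        for entry in sni_yaml.get("sni", []):
            if (entry.get("fqdn", "").lower() == fqdn.lower()
                    and "server_max_early_data" in entry):
                return int(entry["server_max_early_data"])
    return global_max


def early_data_enabled(global_max: int, sni_yaml: dict,
                       fqdn: Optional[str]) -> bool:
    """0-RTT is accepted only when the effective limit is above zero."""
    return effective_max_early_data(global_max, sni_yaml, fqdn) > 0


def audit(global_max: int, sni_yaml: dict,
          fqdns: Iterable[str]) -> Dict[str, int]:
    """Map each fqdn to its effective limit; handy for reviewing which
    hosts accept replayable 0-RTT requests after a config change."""
    return {f: effective_max_early_data(global_max, sni_yaml, f) for f in fqdns}


if __name__ == "__main__":
    hosts = ["example.com", "api.example.net", "static.example.net", "other.example.org"]
    for global_max in (16384, 0):
        print(f"global max_early_data={global_max}:", audit(global_max, SNI_YAML, hosts))
```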
Re: Changes to 0-RTT Early Data configurations
Posted by Fei Deng <du...@apache.org>.
No, just making sure this is ok with everyone. 😉
On Tue, May 23, 2023 at 10:43 PM Masaori Koshiba <ma...@apache.org> wrote:
> Looks reasonable to me. Some configs in the sni.yaml have almost the same
> behavior, overriding records.config (yaml) from sni.yaml.
> - e.g. verify_server_policy, verify_server_properties.
>
> Do you have any concerns with this approach?
>
> — Masaori
>
> On Wed, May 24, 2023 at 5:14 AM Fei Deng <du...@apache.org> wrote:
>
> > Hi All,
> >
> > It's been requested that the configuration for 0-RTT early data needs to be
> > changeable per SNI. I've been working on this feature, and the following
> > example shows the changes I made. Please share your thoughts on this.
> >
> > Note:
> >
> > 1. The old config still exists; it is a general setting for all TLS
> > connections.
> > 2. sni.yaml can enable/disable 0-rtt per fqdn; this acts as an override
> > of the general config.
> >
> > Examples:
> >
> > 1. proxy.config.ssl.server.max_early_data = 16384
> > - blank sni.yaml -> old behavior, all connections support 0-rtt
> > - sni.yaml specifies server_max_early_data = 0 for example.com ->
> > 0-rtt disabled for example.com, all other connections support 0-rtt
> > 2. proxy.config.ssl.server.max_early_data = 0
> > - blank sni.yaml -> old behavior, all connections don't support
> > 0-rtt
> > - sni.yaml specifies server_max_early_data = 16384 for example.com
> > -> 0-rtt enabled only for example.com, all other connections don't
> > support 0-rtt
> >
>
Re: Changes to 0-RTT Early Data configurations
Posted by Masaori Koshiba <ma...@apache.org>.
Looks reasonable to me. Some configs in the sni.yaml have almost the same
behavior, overriding records.config (yaml) from sni.yaml.
- e.g. verify_server_policy, verify_server_properties.
Do you have any concerns with this approach?
— Masaori
On Wed, May 24, 2023 at 5:14 AM Fei Deng <du...@apache.org> wrote:
> Hi All,
>
> It's been requested that the configuration for 0-RTT early data needs to be
> changeable per SNI. I've been working on this feature, and the following
> example shows the changes I made. Please share your thoughts on this.
>
> Note:
>
> 1. The old config still exists; it is a general setting for all TLS
> connections.
> 2. sni.yaml can enable/disable 0-rtt per fqdn; this acts as an override
> of the general config.
>
> Examples:
>
> 1. proxy.config.ssl.server.max_early_data = 16384
> - blank sni.yaml -> old behavior, all connections support 0-rtt
> - sni.yaml specifies server_max_early_data = 0 for example.com ->
> 0-rtt disabled for example.com, all other connections support 0-rtt
> 2. proxy.config.ssl.server.max_early_data = 0
> - blank sni.yaml -> old behavior, all connections don't support
> 0-rtt
> - sni.yaml specifies server_max_early_data = 16384 for example.com
> -> 0-rtt enabled only for example.com, all other connections don't
> support 0-rtt
>