Transport Layer Security (TLS) False Start
RFC 7918
Internet Engineering Task Force (IETF)                        A. Langley
Request for Comments: 7918                                   N. Modadugu
Category: Informational                                       B. Moeller
ISSN: 2070-1721                                                   Google
                                                             August 2016
Abstract
This document specifies an optional behavior of Transport Layer
Security (TLS) client implementations, dubbed "False Start". It
affects only protocol timing, not on-the-wire protocol data, and can
be implemented unilaterally. A TLS False Start reduces handshake
latency to one round trip.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7918.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Langley, et al. Informational [Page 1]
RFC 7918 TLS False Start August 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. False Start Compatibility . . . . . . . . . . . . . . . . . . 4
4. Client-Side False Start . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5.1. Symmetric Cipher . . . . . . . . . . . . . . . . . . . . 6
5.2. Protocol Version . . . . . . . . . . . . . . . . . . . . 7
5.3. Key Exchange and Client Certificate Type . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 10
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
A full handshake in TLS protocol versions up to TLS 1.2 [RFC5246]
requires two full protocol rounds (four flights) before the handshake
is complete and the protocol parties may begin to send application
data. Thus, using TLS can add a latency penalty of two network
round-trip times for application protocols in which the client sends
data first, such as HTTP [RFC7230]. Figure 1 (copied from [RFC5246])
shows the message flow for a full handshake.
      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

             Figure 1: Message Flow for a Full Handshake
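To make the round-trip accounting behind Figure 1 concrete, the following is an added Python model; it is not part of RFC 7918 and not code from any TLS implementation. It replays the handshake flights and records when the client's first application data crosses the wire, once for the ordinary flow (application data only after the server's Finished arrives) and once with the client appending its data directly behind its own Finished, which is what False Start does. It also records the consequence that the Security Considerations (Section 5 in the table of contents) address: under False Start the client's data is encrypted and transmitted before the server's Finished has been received and verified. The timing rules (each flight departs when the peer's previous flight arrives, every traversal costs half an RTT, processing time is zero) are modelling assumptions.

```python
"""Round-trip accounting for the TLS 1.2 full handshake of Figure 1, with and
without client-side False Start (RFC 7918).

Added illustration; not code from the RFC or from any TLS stack.
Modelling assumptions: a flight departs as soon as the previous flight from
the peer has arrived, every network traversal costs half a round-trip time
(RTT/2), and message processing time is zero.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flight:
    sender: str                  # "client" or "server"
    messages: Tuple[str, ...]    # handshake messages carried (may be empty)
    app_data: bool = False       # True if the flight also carries application data


@dataclass
class Timeline:
    app_data_sent_at: float             # client clock, in RTTs, when first app data leaves
    app_data_at_server: float           # when that data reaches the server
    server_finished_received_at: float  # when the server's Finished reaches the client
    sent_before_server_finished: bool   # the security-relevant consequence of False Start


def full_handshake(false_start: bool) -> List[Flight]:
    """Flights of the Figure 1 full handshake (optional server messages included).

    Without False Start the client's first application data is a fifth flight,
    sent only after the server's ChangeCipherSpec/Finished has arrived.  With
    False Start it rides in the client's second flight, directly behind the
    client's own Finished.
    """
    flights = [
        Flight("client", ("ClientHello",)),
        Flight("server", ("ServerHello", "Certificate", "ServerKeyExchange",
                          "ServerHelloDone")),
        Flight("client", ("ClientKeyExchange", "ChangeCipherSpec", "Finished"),
               app_data=false_start),
        Flight("server", ("ChangeCipherSpec", "Finished")),
    ]
    if not false_start:
        flights.append(Flight("client", (), app_data=True))
    return flights


def simulate(flights: List[Flight]) -> Timeline:
    """Replay the flights and record when application data and the server's
    Finished cross the wire, measured on the client's clock in RTTs."""
    ready = {"client": 0.0, "server": 0.0}  # earliest time each side may send
    app_sent: Optional[float] = None
    app_arrived: Optional[float] = None
    server_finished_at: Optional[float] = None
    for f in flights:
        receiver = "server" if f.sender == "client" else "client"
        depart = ready[f.sender]
        arrive = depart + 0.5               # one traversal = RTT/2 (assumption)
        ready[receiver] = max(ready[receiver], arrive)
        if f.sender == "server" and "Finished" in f.messages:
            server_finished_at = arrive
        if f.sender == "client" and f.app_data and app_sent is None:
            app_sent, app_arrived = depart, arrive
    if app_sent is None or app_arrived is None or server_finished_at is None:
        raise ValueError("flights lack client application data or a server Finished")
    return Timeline(app_sent, app_arrived, server_finished_at,
                    app_sent < server_finished_at)


def false_start_saving_rtt() -> float:
    """RTTs shaved off the arrival of the client's first request at the server."""
    plain = simulate(full_handshake(false_start=False))
    fast = simulate(full_handshake(false_start=True))
    return plain.app_data_at_server - fast.app_data_at_server


if __name__ == "__main__":
    for fs in (False, True):
        t = simulate(full_handshake(fs))
        print(f"false_start={fs}: app data leaves client at {t.app_data_sent_at} RTT, "
              f"reaches server at {t.app_data_at_server} RTT, "
              f"server Finished received at {t.server_finished_received_at} RTT, "
              f"sent before server Finished: {t.sent_before_server_finished}")
    print(f"False Start saves {false_start_saving_rtt()} RTT")
```

Running the block shows the client's request leaving at 1 RTT instead of 2 RTT, the "one round trip" of the abstract, and at the same time shows that the data goes out while the server's Finished is still half an RTT away, which is why the RFC restricts the conditions under which a client may do this.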
This document describes a technique that alleviates the latency
burden imposed by TLS: the client-side TLS False Start. If certain
conditions are met, the client can start to send application data