The wolfSSL implementation of DTLS 1.3 supports Early Data or 0-RTT Data. Early Data is application data that can be sent by the client with the very first ClientHello message. It is also called 0-RTT Data because it requires 0 Round Trip Time before application data can be sent. To utilize Early Data in DTLS 1.3, the server needs to omit the cookie exchange when using a PSK connection. The handshake using Early Data is presented in the following figure.
Client Server ClientHello + early_data + key_share + psk_key_exchange_modes + pre_shared_key Early Data --------> ServerHello + pre_shared_key + key_share EncryptedExtensions + early_data Finished <-------- Application Data EndOfEarlyData Finished --------> Application Data <-------> Application Data
To use DTLS 1.3 Early Data in wolfSSL without the cookie exchange, the server needs to be modified:
- Compile wolfSSL with WOLFSSL_DTLS13_NO_HRR_ON_RESUME defined
- When compiling with configure add CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME
- When compiling with user settings add #define WOLFSSL_DTLS13_NO_HRR_ON_RESUME
- Call wolfSSL_dtls13_no_hrr_on_resume(ssl, 1) on the WOLFSSL object to disable the cookie exchange on resumption
- Continue like with a normal connection
Early Data is protected by using the cipher material associated with the PSK (pre-shared key). This can either be the cipher material of the previous connection when using a ticket or out-of-band cipher material when using a real PSK. As a result of using previous cipher material, Early Data can compromise PFS (Perfect Forward Secrecy).
Download wolfSSL Now