The wolfSSL implementation of DTLS 1.3 supports Early Data or 0-RTT Data. Early Data is application data that can be sent by the client with the very first ClientHello message. It is also called 0-RTT Data because it requires 0 Round Trip Time before application data can be sent. To utilize Early Data in DTLS 1.3, the server needs to omit the cookie exchange when using a PSK connection. The handshake using Early Data is presented in the following figure.
Client Server
ClientHello
+ early_data
+ key_share
+ psk_key_exchange_modes
+ pre_shared_key
Early Data -------->
ServerHello
+ pre_shared_key
+ key_share
EncryptedExtensions
+ early_data
Finished
<-------- Application Data
EndOfEarlyData
Finished -------->
Application Data <-------> Application Data
To use DTLS 1.3 Early Data in wolfSSL without the cookie exchange, the server needs to be modified:
- Compile wolfSSL with WOLFSSL_DTLS13_NO_HRR_ON_RESUME defined
- When compiling with configure add CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME
- When compiling with user settings add #define WOLFSSL_DTLS13_NO_HRR_ON_RESUME
- Call wolfSSL_dtls13_no_hrr_on_resume(ssl, 1) on the WOLFSSL object to disable the cookie exchange on resumption
- Continue like with a normal connection
Early Data is protected by using the cipher material associated with the PSK (pre-shared key). This can either be the cipher material of the previous connection when using a ticket or out-of-band cipher material when using a real PSK. As a result of using previous cipher material, Early Data can compromise PFS (Perfect Forward Secrecy).
For any questions about DTLS 1.3 and Early Data in wolfSSL, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now