Support for DTLS 1.3 early data

The wolfSSL implementation of DTLS 1.3 supports Early Data or 0-RTT Data. Early Data is application data that can be sent by the client with the very first ClientHello message. It is also called 0-RTT Data because it requires 0 Round Trip Time before application data can be sent. To utilize Early Data in DTLS 1.3, the server needs to omit the cookie exchange when using a PSK connection. The handshake using Early Data is presented in the following figure.

	Client                                      	Server
    	+ early_data
    	+ key_share
    	+ psk_key_exchange_modes
    	+ pre_shared_key
    	Early Data       	      -------->
                                               	      + pre_shared_key
                                                   	+ key_share
                                                  	+ early_data
                            	<--------   	      Application Data
    	Finished          	-------->
    	Application Data  	<------->    	      Application Data

To use DTLS 1.3 Early Data in wolfSSL without the cookie exchange, the server needs to be modified:

  • Compile wolfSSL with WOLFSSL_DTLS13_NO_HRR_ON_RESUME defined
    • When compiling with configure add CPPFLAGS=-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME
    • When compiling with user settings add #define WOLFSSL_DTLS13_NO_HRR_ON_RESUME
  • Call wolfSSL_dtls13_no_hrr_on_resume(ssl, 1) on the WOLFSSL object to disable the cookie exchange on resumption
  • Continue like with a normal connection

Early Data is protected by using the cipher material associated with the PSK (pre-shared key). This can either be the cipher material of the previous connection when using a ticket or out-of-band cipher material when using a real PSK. As a result of using previous cipher material, Early Data can compromise PFS (Perfect Forward Secrecy).

For any questions about DTLS 1.3 and Early Data in wolfSSL, please contact us at or call us at +1 425 245 8247.

Download wolfSSL Now