More info on ssl_early_data security
Reported by: Sam Bull
I'm looking at the RFC relating to 0-RTT, and trying to understand how ssl_early_data can be used safely.
If I understand correctly, the main replay issues are not an issue for idempotent actions. Therefore it should be safe to enable for static assets and any pages with fastcgi_cache enabled, etc.
However, it also talks about indirect attacks from a large number of replays, and says that a server "MUST ensure that it would accept 0-RTT for the same 0-RTT handshake at most once".
So, my question is: Does Nginx meet this last requirement? And, please add this information to the ssl_early_data documentation.
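For reference, an added configuration example (not part of the ticket and not taken from the nginx project) showing one way to confine early data to the idempotent case the ticket describes. It rejects early-data requests using any method other than GET or HEAD with 425 Too Early (RFC 8470), and forwards the `$ssl_early_data` value to the backend. The certificate paths, server name, upstream address and the choice of GET/HEAD as the safe set are assumptions. It does not address how many times a given 0-RTT handshake may be accepted.

```nginx
# Added example; the map blocks belong in the http context.
# Paths, server name and upstream address are placeholders.

# 1 for any method other than GET/HEAD (assumed here to be the
# only methods the application treats as idempotent).
map $request_method $not_safe_method {
    default 1;
    GET     0;
    HEAD    0;
}

# $ssl_early_data is "1" when the request was sent as TLS 1.3 early
# data and the handshake is not yet complete, otherwise empty.
map "$ssl_early_data:$not_safe_method" $reject_early {
    default 0;
    "1:1"   1;
}

server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols       TLSv1.3;
    ssl_early_data      on;

    # Tell the client to retry once the handshake has completed.
    if ($reject_early) {
        return 425;
    }

    location /static/ {
        root /path/to/www;
    }

    location / {
        # Pass the early-data flag on so the application can apply
        # its own replay policy to requests that reach it.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_pass http://127.0.0.1:8080;
    }
}
```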