Next: , Previous: , Up: Setting up the transport layer   [Contents][Index]

6.5.2 Reducing round-trips

The full TLS 1.2 handshake requires 2 round-trips to complete, and when combined with TCP’s SYN and SYN-ACK negotiation it extends to 3 full round-trips. While the abbreviated (resumed) TLS handshake drops that to 2.5 round-trips, it still adds considerable latency, reducing its applicability to certain applications.

On the client side, it is possible to take advantage of the TCP Fast Open [RFC7413] mechanism on operating systems that support it. That can be done either by manually crafting the push and pull callbacks, or by using gnutls_transport_set_fastopen. In that case the initial TCP handshake is eliminated, reducing the TLS handshake round-trips to 2. Note that in that case any connection failures will be reported during the gnutls_handshake function call with error code GNUTLS_E_PUSH_ERROR.

Function: void gnutls_transport_set_fastopen (gnutls_session_t session, int fd, struct sockaddr * connect_addr, socklen_t connect_addrlen, unsigned int flags)

session: is a gnutls_session_t type.

fd: is the session’s socket descriptor

connect_addr: is the address we want to connect to

connect_addrlen: is the length of connect_addr

flags: must be zero

Enables TCP Fast Open (TFO) for the specified TLS client session. That means that TCP connection establishment and the transmission of the first TLS client hello packet are combined. The peer’s address must be specified in connect_addr and connect_addrlen, and the socket specified by fd must not be connected.

TFO only works for TCP sockets of type AF_INET and AF_INET6. If the OS doesn’t support TCP Fast Open, this function will result in gnutls using connect() transparently during the first write.

Note: This function overrides all the transport callback functions. If this is undesirable, TCP Fast Open must be implemented on the user callback functions without calling this function. When using this function, transport callbacks must not be set, and gnutls_transport_set_ptr() or gnutls_transport_set_int() must not be called.

On GNU/Linux TFO has to be enabled at the system layer, that is, bit 0 of /proc/sys/net/ipv4/tcp_fastopen has to be set.

This function has no effect on server sessions.

Since: 3.5.3

In non-resumed sessions it is possible to further reduce the round-trips to a single one by taking advantage of the False Start TLS extension. This can be enabled by setting the GNUTLS_ENABLE_FALSE_START flag on gnutls_init.
