The full TLS 1.2 handshake requires 2 round-trips to complete, and when combined with TCP’s SYN and SYN-ACK negotiation it extends to 3 full round-trips. While, TLS 1.3 reduces that to two round-trips when under TCP, it still adds considerable latency, making the protocol unsuitable for certain applications.
To optimize the handshake latency, in client side, it is possible to take
advantage of the TCP fast open [RFC7413] mechanism on operating
systems that support it. That can be done either by manually crafting the push and pull
callbacks, or by utilizing gnutls_transport_set_fastopen. In that
case the initial TCP handshake is eliminated, reducing the TLS 1.2 handshake round-trip
to 2, and the TLS 1.3 handshake to a single round-trip.
Note, that when this function is used, any connection failures will be reported during the
gnutls_handshake function call with error code
session: is a
fd: is the session’s socket descriptor
connect_addr: is the address we want to connect to
connect_addrlen: is the length of
flags: must be zero
Enables TCP Fast Open (TFO) for the specified TLS client session.
That means that TCP connection establishment and the transmission
of the first TLS client hello packet are combined. The
peer’s address must be specified in
and the socket specified by
fd should not be connected.
TFO only works for TCP sockets of type AF_INET and AF_INET6.
If the OS doesn’t support TCP fast open this function will result
to gnutls using
connect() transparently during the first write.
Note: This function overrides all the transport callback functions.
If this is undesirable, TCP Fast Open must be implemented on the user
callback functions without calling this function. When using
this function, transport callbacks must not be set, and
must not be called.
On GNU/Linux TFO has to be enabled at the system layer, that is in /proc/sys/net/ipv4/tcp_fastopen, bit 0 has to be set.
This function has no effect on server sessions.
When restricted to TLS 1.2, and non-resumed sessions, it is possible to further reduce the round-trips to a single one by taking advantage of the False Start TLS extension. This can be enabled by setting the GNUTLS_ENABLE_FALSE_START flag on gnutls_init.
Under TLS 1.3, the server side can start transmitting before the handshake is complete (i.e., while the client Finished message is still in flight), when no client certificate authentication is requested. This, unlike false start, is part of protocol design with no known security implications. It can be enabled by setting the GNUTLS_ENABLE_EARLY_START on gnutls_init, and the gnutls_handshake function will return early, allowing the server to send data earlier.