Introduction: To ensure data security, the client and the server conduct the TLS handshake first. What can be done to reduce the bandwidth consumption of the TLS handshake?
Editor’s note: BabaSSL is an open source cryptographic library product. It is open source on GitHub and draganolis community. It is added to the SIG group of draganolis business secret software stack, and is one of the core components of Anolis Business secret OS. Zhang Chenglong (Keyi) is a technical expert at Ant Group, responsible for BabaSSL cryptographic library products and a contributor to OpenSSL.
preface
The construction of 5G networks has accelerated the development of mobile Internet applications, including short videos, online education and the Internet of things. However, in real life, there are still scenarios with poor network signals, such as underground shopping malls, garages, and subways, or in a weak network environment caused by network congestion, the application is slow to load, resulting in poor user experience. At this time, it is necessary to optimize the weak network environment, and one of the means is to reduce the network data transmission.
To ensure data security, TLS/SSL is used for encrypted transmission. When a client accesses the server background, the client performs a TLS handshake with the server. In a TLS full handshake, the server sends a certificate chain for identity authentication, and most of the data transferred during the handshake comes from the certificate.
What can be done to reduce bandwidth consumption for TLS handshakes? If certificates can be compressed, or even “disappeared,” then data transfer can be greatly reduced. RFC 8879 TLS Certificate Compression is intended to address this problem by providing Certificate Compression in TLS 1.3 handshakes.
BabaSSL is an open source cryptographic library product. It is open source on GitHub and OpenAnolis community. It is added to the SIG group of OpenAnolis business secret software stack, and is one of the core components of Anolis business secret OS. Replace OpenSSL as the default base password library; Based on OpenSSL 1.1 and maintaining compatibility, a series of autonomous and controllable security features are implemented on the basis of OpenSSL, including various state secret algorithms, implementation of state secret standards and a large number of features to improve the security strength of the key. BabaSSL already supports TLS certificate compression, while OpenSSL does not.
This section describes TLS certificate compression
1. If the client supports certificate compression, include the compress_certificate extension in the ClientHello message, which contains a list of supported compression algorithms;
2. The server receives ClientHello and finds that the server supports Certificate compression. If the server supports Certificate compression and supports the compression method declared by the client, the server uses this algorithm to compress the Certificate message.
3. The server sends the CompressedCertificate message instead of the original Certificate message. The CompressedCertificate message contains the compression algorithm, the decompressed length and the CompressedCertificate message.
4. After receiving the CompressedCertificate message, the client uses algorithm to decompress the certificate. If the decompression succeeds, the client performs subsequent processing; otherwise, the client closes the connection and sends a bad_certificate warning. The server sends a Certificate message, and the client sends a CompressedCertificate message.
Compression algorithms defined in the standard:
In addition to the three algorithms defined in the RFC, users can use other algorithms, ranging from 16384 to 65535 for their own use.
Actual TLS certificate compression
BabaSSL password library supports TLS certificate compression. You need to enable this function when building BabaSSL and add enable-cert-compression after config.
You can add a certificate compression algorithm when setting up SSL_CTX as shown in the following code:
#include <openssl/ssl.h> #include <zlib.h> static int zlib_compress(SSL *s, const unsigned char *in, size_t inlen, unsigned char *out, size_t *outlen) { if (out == NULL) { *outlen = compressBound(inlen); return 1; } if (compress2(out, outlen, in, inlen, Z_DEFAULT_COMPRESSION) ! = Z_OK) return 0; return 1; } static int zlib_decompress(SSL *s, const unsigned char *in, size_t inlen, unsigned char *out, size_t outlen) { size_t len = outlen; if (uncompress(out, &len, in, inlen) ! = Z_OK) return 0; if (len ! = outlen) return 0; return 1; } int main() { const SSL_METHOD *meth = TLS_client_method(); SSL_CTX *ctx = SSL_CTX_new(meth); /* Configure the certificate, private key... */ /* Example: SSL_CTX_add_cert_compression_alg(CTX, TLSEXT_cert_compression_zlib, zlib_compress, zlib_decompress); SSL *con = SSL_new(ctx); / * shake hands... */ return 0; }Copy the codeYou can also use s_client and s_server provided by BabaSSL to use TLS certificate compression:
/opt/babassl/bin/openssl s_server-accept 127.0.0.1:34567 -cert server.crt -key server.key -tls1_3 -cert_comp zlib /opt/babassl/bin/openssl s_client -connect 127.0.0.1:34567 -tls1_3 -cert_comp zlib-ign_eof -traceCopy the codeTest compression algorithm and compression rate
Configure the certificate chain, CA certificate, intermediate CA certificate, and domain name certificate on the server, TLS 1.3 handshake, and enable certificate compression. The compression rate of each compression algorithm is as follows:
Some compression algorithms support setting dictionaries, such as Brotli and ZSTD. You can calculate the dictionary content in advance, prebury it to the client and server, and then use the dictionary during compression and decompression to make the certificate chain “disappear” perfectly. For example, when the ZSTD + dictionary is used in the preceding table, the Certficate message is 2666 bytes before compression and only 18 bytes after compression.
After the certificate compression function is enabled, transmission during handshake is greatly reduced, especially when dictionary is used. For example, ZSTD + dictionary data is as follows:
Turn off certificate compression, handshake total transfer: 3331 bytes
Enable certificate compression: Handshake Total transmission: 698 bytes
Compression rate: 698/3331 * 100% = 20.95%, and the handshake bandwidth is reduced by nearly 80%.
conclusion
There is no need to send a certificate for TLS session reuse, so certificate compression can be optimized for a full handshake. In the bidirectional authentication scenario, that is, client authentication is enabled on the server. If TLS certificate compression is enabled on both the client and server, the compression effect is more obvious, saving more than 80% of the bandwidth in THE TLS handshake. BabaSSL also supports Compact TLS 1.3, a Compact version of TLS 1.3, with minimal bandwidth usage while maintaining protocol isomorphism.
The original link
This article is the original content of Aliyun and shall not be reproduced without permission.