tls-earlydata.md (1687B)
---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: tls-earlydata
Help: Allow use of TLSv1.3 early data (0RTT)
Protocols: TLS
Added: 8.11.0
Category: tls
Multi: boolean
See-also:
  - tlsv1.3
  - tls-max
  - ssl-sessions
Example:
  - --tls-earlydata $URL
---

# `--tls-earlydata`

Enable the use of TLSv1.3 early data, also known as "0RTT", where possible.
This has security implications for the requests sent that way.

This option can be used when curl is built to use GnuTLS, wolfSSL, quictls or
OpenSSL as its TLS provider (but not BoringSSL, AWS-LC, or rustls).

Whether a server supports this TLSv1.3 feature, and how many bytes of early
data it accepts, is announced as part of the TLS "session" (the session
ticket) sent back to curl after a completed handshake. Until curl has seen
such a session in a previous request to that server, early data cannot be
used: the first connection always does a full handshake.

When a new connection is initiated with a known TLSv1.3 session, and that
session announced early data support, the first request on this connection is
sent *before* the TLS handshake is complete. The early data is encrypted, but
only under a key derived from the resumed session, so it is not protected
against replays: an attacker who captures the connection's first flight can
send your early data to the server again, and the server would accept it as a
new request.

If your request contacts a public server and only retrieves a file, there
may be no harm in that. If the first request orders a refrigerator
for you, it is probably not a good idea to use early data for it. curl
cannot deduce what the security implications of your requests actually
are and make this decision for you.

The amount of early data sent can be inspected by using the `--write-out`
variable `tls_earlydata`, as in `--write-out '%{tls_earlydata}\n'`.

**WARNING**: this option has security implications. See above for more
details.
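The replay described above, modelled end to end as an added example. This is not curl's code and no real TLS is involved: the handshake is abstracted to a session ticket and an "early data" flight, and the names `Server`, `Client`, `EarlyFlight`, the `/file` and `/order` endpoints and `shop.example` are invented for the illustration. It sends the "retrieve a file" and "order a refrigerator" requests as early data, has an on-path attacker re-send both captured flights, and shows the replayed order going through a second time. The hardened variant applies the RFC 8470 rule of answering non-safe early-data requests with `425 Too Early`, so the real client retries after the handshake while the replayed flight, which can only ever be early data, is refused.

```python
"""Toy model of TLS 1.3 0-RTT replay (added example, not curl or TLS-library code)."""
from __future__ import annotations
from dataclasses import dataclass, field
import secrets

SAFE_METHODS = {"GET", "HEAD"}  # no server-side side effects, so a replay is harmless


@dataclass(frozen=True)
class EarlyFlight:
    """Client's first flight when resuming with 0-RTT: ticket plus early data."""
    ticket: bytes
    request: bytes  # encrypted on the wire, but a captured copy replays as-is


@dataclass
class Server:
    """Invented shop server with a file endpoint and an order endpoint."""
    max_early_data: int = 16384        # announced in the session ticket; 0 = no 0-RTT
    reject_unsafe_early: bool = False  # hardened mode: RFC 8470 "425 Too Early"
    tickets: set = field(default_factory=set)
    orders: list = field(default_factory=list)

    def full_handshake(self) -> dict:
        """1-RTT handshake; the returned dict is the 'session' the client caches."""
        ticket = secrets.token_bytes(16)
        self.tickets.add(ticket)
        return {"ticket": ticket, "max_early_data_size": self.max_early_data}

    def app_request(self, request: bytes) -> int:
        """Application layer: handle one HTTP request, return a status code."""
        method, path = request.split(b" ")[:2]
        if method == b"GET" and path == b"/file":
            return 200
        if method == b"POST" and path == b"/order":
            self.orders.append(request)  # the refrigerator gets ordered
            return 201
        return 404

    def accept_early(self, flight: EarlyFlight) -> int | None:
        """Process a 0-RTT flight; None means the early data was rejected.

        A replayed flight is byte-identical to the original, so without
        single-use tickets or anti-replay state the server cannot tell them apart.
        """
        if flight.ticket not in self.tickets or self.max_early_data == 0:
            return None  # falls back to 1-RTT; the client resends afterwards
        if self.reject_unsafe_early:
            method = flight.request.split(b" ", 1)[0].decode()
            if method not in SAFE_METHODS:
                return 425  # tell the client to retry after the handshake
        return self.app_request(flight.request)


@dataclass
class Client:
    """curl-like client: a session cache and the --tls-earlydata switch."""
    server: Server
    tls_earlydata: bool = False
    session: dict | None = None
    wire: list = field(default_factory=list)  # what an on-path attacker can capture

    def request(self, method: str, path: str) -> tuple[int, int]:
        """One request on a fresh connection -> (status, bytes sent as early data)."""
        req = f"{method} {path} HTTP/1.1\r\nHost: shop.example\r\n\r\n".encode()
        usable = self.session and self.session["max_early_data_size"] >= len(req)
        if self.tls_earlydata and usable:
            flight = EarlyFlight(self.session["ticket"], req)
            self.wire.append(flight)  # attacker sees this flight go by
            status = self.server.accept_early(flight)
            if status is None:
                return self.server.app_request(req), 0  # resent after the handshake
            return status, len(req)  # the count curl's %{tls_earlydata} would show
        self.session = self.server.full_handshake()  # no usable session: 1-RTT
        return self.server.app_request(req), 0


def replay(server: Server, flight: EarlyFlight) -> int | None:
    """Attacker re-sends a captured 0-RTT flight verbatim."""
    return server.accept_early(flight)


def run_scenario(hardened: bool) -> dict:
    """File fetch and refrigerator order over 0-RTT, then a replay of both flights."""
    server = Server(reject_unsafe_early=hardened)
    client = Client(server, tls_earlydata=True)
    _, early0 = client.request("GET", "/file")       # first contact: no session yet
    _, early_get = client.request("GET", "/file")    # resumed: GET goes as early data
    first_post, early_post = client.request("POST", "/order")
    if first_post == 425:                            # hardened server: retry in 1-RTT
        client.tls_earlydata = False
        client.request("POST", "/order")
        client.tls_earlydata = True
    orders_before = len(server.orders)
    for flight in client.wire:                       # attacker replays every capture
        replay(server, flight)
    return {"early_first_contact": early0, "early_get": early_get,
            "early_post": early_post, "first_post_status": first_post,
            "orders_before_replay": orders_before,
            "orders_after_replay": len(server.orders)}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "plain", run_scenario(hardened))
```

With the plain server the replayed `POST /order` is accepted a second time and two orders exist; the replayed `GET /file` changes nothing either way. The protection in the hardened variant lives entirely on the server side; from curl's side the only control is whether to pass `--tls-earlydata` for that request at all, which is the decision the page asks you to make.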