ssl_early_data
The `ssl_early_data` directive enables or disables the use of TLS early data in NGINX.
Description
The ssl_early_data directive controls the handling of early data in TLS 1.3 connections for NGINX. Early data lets a client send application data immediately after initiating the handshake, before the handshake completes, which benefits scenarios where the client already has a request ready and can reduce latency for protocols such as HTTP/2 and QUIC. When enabled, up to 2^14 bytes of early data can be sent from the client to the server, provided the server is configured appropriately to handle it.
Setting the directive to 'on' enables the acceptance of early data. This must be combined with care regarding replay attacks: early data carries no guarantee of freshness, so a request sent in early data can be captured and resubmitted. Policies such as application-level idempotency checks may need to be implemented to mitigate the risks of accepting early data. Note also that not all clients support or correctly handle early data, and its effectiveness varies with the traffic patterns and use cases of the web application.
This directive may be used in the http and server contexts, impacting how connections are negotiated and how the early data is processed during TLS sessions.
Config Example
    server {
        listen 443 ssl;
        ssl_certificate /path/to/certificate.crt;
        ssl_certificate_key /path/to/private.key;
        ssl_early_data on;
    }

Enabling early data may expose the application to replay attacks; ensure that idempotency is properly handled.
Not all clients support early data, which may lead to inconsistent behavior if used broadly across different user agents.
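As an added example (not part of the NGINX documentation), the following configuration keeps early data enabled but limits replay exposure using the `$ssl_early_data` variable, which NGINX sets to "1" while a request is being read from early data. The certificate paths, the `/static/`, `/api/` and `/checkout/` locations and the upstream address are placeholders.

```nginx
# Added example: accept TLS 1.3 early data, but make replay-sensitive
# requests safe either at the upstream or directly at the NGINX edge.
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
    ssl_certificate     /path/to/certificate.crt;   # placeholder path
    ssl_certificate_key /path/to/private.key;       # placeholder path
    ssl_early_data on;

    # Idempotent, cacheable content: replaying a GET for a static file
    # has no side effects, so serving it from early data is acceptable.
    location /static/ {
        root /var/www;   # placeholder document root
    }

    # Forward the early-data status so the upstream can decide per request.
    # Per RFC 8470 a server that cannot tolerate a replay should answer
    # 425 Too Early, which makes the client retry after the handshake.
    location /api/ {
        proxy_pass http://127.0.0.1:8080;           # placeholder upstream
        proxy_set_header Early-Data $ssl_early_data;
    }

    # When the upstream does not understand the Early-Data header, refuse
    # early-data requests for state-changing paths at the edge instead.
    # $ssl_early_data is "" once the handshake has completed, so the
    # client's retry after 425 passes this check.
    location /checkout/ {
        if ($ssl_early_data) {
            return 425;
        }
        proxy_pass http://127.0.0.1:8080;           # placeholder upstream
    }
}
```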