
I have an application written in Delphi which, on the client side, uses winhttp.dll; on the server side it uses mORMot (an SOA/ORM client-server library that uses "http.sys" for the web server functionality). The next step will also be a web client written in JS.

So every normal connection with ~100 ms latency will be > 350 ms with an SSL/TLS handshake included.

I read that through "session resumption" and "false start" (by reusing the certificate and pushing data faster) latency can be something like < 200 ms, which is a very big gain for me.

So my question is: can "http.sys" (server) in combination with "winhttp.dll" (client) use these advancements? If yes, from which version?

Note: I suppose that starting with Win 8.1 and Windows Server 2012 this is true, but I can't find any docs, only that IIS >= 8.5 has session resumption.

emk

Comments:

  • Every implementation of SSL I have ever used in over 20 years has supported session resumption, in every version on every platform. I don't know what you mean by 'false start'. Unclear what you're asking. – user207421 Oct 03 '16 at 01:00
  • 1. false start = [https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00](https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00); 2. Session resumption was added to IIS in version 8.5 [https://social.technet.microsoft.com/Forums/windows/en-US/f4aee519-d20f-48c3-983a-03732f687d40/configure-iis-85-tls-session-resumption?forum=winservergen](https://social.technet.microsoft.com/Forums/windows/en-US/f4aee519-d20f-48c3-983a-03732f687d40/configure-iis-85-tls-session-resumption?forum=winservergen) – emk Oct 04 '16 at 09:45

1 Answer

I'm trying to find documentation on this as well, and it's definitely hard to come by. IISpeed.com just says:

"Configure forward secrecy ciphers to enable TLS False Start." (https://www.iispeed.com/pagespeed/recommendations)

Here are some PowerShell scripts that might help. Use with discretion: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Ilya Grigorik goes into a little more detail as to what browsers require for TLS False Start:

"To enable TLS False Start across all browsers the server should advertise a list of supported protocols via the ALPN extension—e.g., "h2, http/1.1"—and be configured to support and prefer cipher suites that enable forward secrecy." (https://hpbn.co/transport-layer-security-tls/#deploying-tls-false-start)

"A well-tuned TLS deployment should add at most one extra roundtrip for negotiating the TLS connection, regardless of whether it is new or resumed, and avoid all other latency pitfalls: configure session resumption, and enable forward secrecy to enable TLS False Start." (https://hpbn.co/transport-layer-security-tls/#enable-1-rtt-tls-handshakes)

However, I haven't found an implementation guide that walks you through it step by step other than that page on www.hass.de. (H2 is included in Ilya's HTTP header recommendation, but it is not required for TLS False Start.)

Don't forget the other ways to optimize your server's TLS performance. Be sure to read through Ilya's book, https://hpbn.co/, or at least go through his checklists to take advantage of other performance gains: https://hpbn.co/transport-layer-security-tls/#optimizing-for-tls and https://hpbn.co/transport-layer-security-tls/#enable-http-strict-transport-security-hsts

Jeff
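The answer above points at third-party PowerShell scripts for the forward-secrecy part of the recommendation. As an added example (not code from the question, the answer, or any of the linked pages), the script below does the audit half of that job on Windows 8.1 / Server 2012 R2 and later using the built-in `TLS` module cmdlets (`Get-TlsCipherSuite`, `Disable-TlsCipherSuite`, `Enable-TlsCipherSuite`). It lists the Schannel cipher suite order, flags every suite whose key exchange is not ephemeral (no ECDHE/DHE, hence no forward secrecy and no False Start), and can move the forward-secrecy suites to the front of the list. The function names and the "ECDHE or DHE in the suite name" test are this example's own assumptions; because http.sys and WinHTTP both sit on Schannel, the same system-wide order applies to the server and client sides described in the question.

```powershell
# Added example, not part of the original Q&A.
# Audits and optionally reorders the Schannel cipher suite list so that
# forward-secrecy suites (ECDHE/DHE key exchange) come first.
# Requires the built-in TLS module (Windows 8.1 / Server 2012 R2 or later)
# and an elevated prompt for the reorder step.
#Requires -RunAsAdministrator

# Assumption used throughout: a suite provides forward secrecy exactly when
# its IANA name starts with TLS_ECDHE_ or TLS_DHE_ (ephemeral key exchange).
function Test-ForwardSecrecySuite {
    param([Parameter(Mandatory)][string]$Name)
    return [bool]($Name -match '^TLS_(ECDHE|DHE)_')
}

# Report the current order and mark suites that cannot enable False Start.
function Get-SchannelSuiteAudit {
    $position = 0
    foreach ($suite in Get-TlsCipherSuite) {
        [pscustomobject]@{
            Position       = $position++
            Name           = $suite.Name
            ForwardSecrecy = Test-ForwardSecrecySuite -Name $suite.Name
        }
    }
}

# Move every ECDHE/DHE suite ahead of the static-key ones, keeping their
# relative order. Each suite is removed and re-added at position 0, so the
# list is walked in reverse to end up with the first FS suite on top.
function Set-ForwardSecrecyFirst {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $fsSuites = @((Get-TlsCipherSuite).Name | Where-Object { Test-ForwardSecrecySuite -Name $_ })
    [array]::Reverse($fsSuites)
    foreach ($name in $fsSuites) {
        if ($PSCmdlet.ShouldProcess($name, 'Move to front of Schannel cipher suite order')) {
            Disable-TlsCipherSuite -Name $name
            Enable-TlsCipherSuite -Name $name -Position 0
        }
    }
}

# Usage: print the audit; preview the reorder with -WhatIf before applying it.
Get-SchannelSuiteAudit | Format-Table -AutoSize
Set-ForwardSecrecyFirst -WhatIf
```

Run the audit first and keep the output; every row with `ForwardSecrecy = False` is a suite that, if negotiated, rules out False Start for that connection. Only reorder after confirming the remaining clients you must support offer an ECDHE suite, and expect a restart of the affected services (or the machine) before the new order is visible. To verify the other half of the recommendation, session resumption, from any machine with OpenSSL, `openssl s_client -connect host:443 -reconnect` reconnects several times and reports whether each handshake was resumed; adding `-alpn h2,http/1.1` shows whether the server advertises ALPN as the quoted passage asks.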