本文分享自天翼云开发者社区《boringssl中0-RTT的错误码》.作者:沈****扬
在TLS协议中,0-RTT(零往返时间)是指在某些情况下,客户端可以在第一个往返(RTT)中就开始发送加密的应用数据,而不需要等待完整的TLS握手完成。这种机制允许客户端在重新连接到服务器时,利用之前会话中缓存的信息(如会话票据、密钥等),来减少连接建立的延迟。
0-RTT主要分为session和session ticket两种方式。在实际应用中,我们经常需要统计0-RTT比率和0-RTT建连失败的原因。如果你使用的是boringssl库进行ssl加解密,可以使用boringssl读取early_data_reason,来定位0-RTT是否成功以及失败的原因。
enum ssl_early_data_reason_t BORINGSSL_ENUM_INT {
// The handshake has not progressed far enough for the 0-RTT status to be
// known.
ssl_early_data_unknown = 0,
// 0-RTT is disabled for this connection.
ssl_early_data_disabled = 1,
// 0-RTT was accepted.
ssl_early_data_accepted = 2,
// The negotiated protocol version does not support 0-RTT.
ssl_early_data_protocol_version = 3,
// The peer declined to offer or accept 0-RTT for an unknown reason.
ssl_early_data_peer_declined = 4,
// The client did not offer a session.
ssl_early_data_no_session_offered = 5,
// The server declined to resume the session.
ssl_early_data_session_not_resumed = 6,
// The session does not support 0-RTT.
ssl_early_data_unsupported_for_session = 7,
// The server sent a HelloRetryRequest.
ssl_early_data_hello_retry_request = 8,
// The negotiated ALPN protocol did not match the session.
ssl_early_data_alpn_mismatch = 9,
// The connection negotiated Channel ID, which is incompatible with 0-RTT.
ssl_early_data_channel_id = 10,
// Value 11 is reserved. (It has historically |ssl_early_data_token_binding|.)
// The client and server ticket age were too far apart.
ssl_early_data_ticket_age_skew = 12,
// QUIC parameters differ between this connection and the original.
ssl_early_data_quic_parameter_mismatch = 13,
// The application settings did not match the session.
ssl_early_data_alps_mismatch = 14,
// The value of the largest entry.
ssl_early_data_reason_max_value = ssl_early_data_alps_mismatch,
};这边使用常用的状态码举例:
(1)ssl_early_data_accepted,表示0-rtt建立按成功
(2)ssl_early_data_alpn_mismatch,表示请求的alpn没有匹配上
(3)ssl_early_data_no_session_offered,表示请求没有提供相关的session信息,无法建立0-RTT连接
