6.5.3 Zero-roundtrip mode

Under TLS 1.3, when the client has already connected to the server and is resuming a session, it can start transmitting application data during the handshake. This is called zero round-trip time (0-RTT) mode, and the application data sent in this mode is called early data. The client sends early data with gnutls_record_send_early_data. The client should call this function after calling gnutls_session_set_data and before calling gnutls_handshake.

Note, however, that early data has weaker security properties than normal application data sent after the handshake: it lacks forward secrecy, and there is no guarantee that it is not replayed across connections. For this reason it is disabled on the server side by default. To enable it, the server needs to:

  1. Set GNUTLS_ENABLE_EARLY_DATA on gnutls_init. Note that this option only has an effect on the server.
  2. Enable the anti-replay measure. See Anti-replay protection for the details.

The server caches the received early data until it is read. To set the maximum amount of data to be stored in the cache, use gnutls_record_set_max_early_data_size. After receiving the EndOfEarlyData handshake message, the server can start retrieving the received data with gnutls_record_recv_early_data. You can call the function either after the handshake is complete, or through a handshake hook (gnutls_handshake_set_hook_function).

When sending early data, the client should respect the maximum amount of early data, which may have been previously advertised by the server. It can be checked using gnutls_record_get_max_early_data_size, right after calling gnutls_session_set_data.

After sending early data, to check whether the sent early data was accepted by the server, use gnutls_session_get_flags and compare the result with GNUTLS_SFLAGS_EARLY_DATA. Similarly, on the server side, the same function and flag can be used to check whether it has actually accepted early data.

