---
c: Copyright (C) Daniel Stenberg, <[email protected]>, et al.
SPDX-License-Identifier: curl
Long: tls-earlydata
Help: Allow use of TLSv1.3 early data (0RTT)
Protocols: TLS
Added: 8.11.0
Category: tls
Multi: boolean
See-also:
  - tlsv1.3
  - tls-max
Example:
  - --tls-earlydata $URL
---

# `--tls-earlydata`

Enable the use of TLSv1.3 early data, also known as '0RTT', where possible.
This has security implications for the requests sent that way.

This option is used when curl is built to use GnuTLS.

Whether a server supports this TLSv1.3 feature, and to what extent, is
announced as part of the TLS "session" sent back to curl. Until curl has seen
such a session in a previous request, early data cannot be used.

When a new connection is initiated with a known TLSv1.3 session, and that
session announced early data support, the first request on this connection is
sent *before* the TLS handshake is complete. While the early data is also
encrypted, it is not protected against replays. An attacker can send
your early data to the server again and the server would accept it.

If your request contacts a public server and only retrieves a file, there
may be no harm in that. If the first request orders a refrigerator
for you, it is probably not a good idea to use early data for it. curl
cannot deduce what the security implications of your requests actually
are and make this decision for you.

**WARNING**: this option has security implications. See above for more
details.
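
Since curl leaves the decision to the caller, a wrapper script can make it per request. The following is an added example, not part of curl or its documentation; the function names and the policy (only GET or HEAD without a body or upload option counts as replay-safe) are assumptions, and `example.com` is a placeholder host.

```bash
# Added example, not part of curl. Policy assumption: a request is treated as
# replay-safe only if it is GET or HEAD and carries no body or upload option.

# Exit status 0 if the given curl arguments describe a replay-safe request.
replay_safe() {
  rs_method=GET
  while [ "$#" -gt 0 ]; do
    case "$1" in
      -X|--request)            # method given as a separate word
        rs_method="${2:-}"
        if [ "$#" -ge 2 ]; then shift; fi ;;
      -X?*)                    # joined form, e.g. -XPOST
        rs_method="${1#-X}" ;;
      -d*|--data|--data-*|--json|-F*|--form|--form-string|-T*|--upload-file)
        return 1 ;;            # body or upload: a replay could repeat an action
    esac
    shift
  done
  case "$rs_method" in
    GET|HEAD) return 0 ;;
    *)        return 1 ;;      # other or missing method: fail closed
  esac
}

# Print the option to add: --tls-earlydata for replay-safe requests, else nothing.
earlydata_flag() {
  if replay_safe "$@"; then echo "--tls-earlydata"; fi
}

# Run curl, opting in to early data only when the policy above allows it.
curl_auto() {
  # The substitution is left unquoted on purpose: it is one word or empty.
  curl $(earlydata_flag "$@") "$@"
}

# Show the decision for a few constructed sample command lines.
show_decisions() {
  for rs_args in "https://example.com/file.tar.gz" \
                 "-I https://example.com/" \
                 "-X POST https://example.com/order" \
                 "-d item=refrigerator https://example.com/order"; do
    # Deliberate word splitting of the constructed sample.
    rs_flag=$(earlydata_flag $rs_args)
    printf '%-50s -> %s\n' "$rs_args" "${rs_flag:-(no early data)}"
  done
}
show_decisions
```

The check only looks at the command line, so a GET that triggers an action on the server side still has to be excluded by hand.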