
Deploying TLS 1.3: the great, the good and the bad [video] - jgrahamc
https://media.ccc.de/v/33c3-8348-deploying_tls_1_3_the_great_the_good_and_the_bad
======
FiloSottile
Hi, co-speaker here.

Please feel free to ask any questions you have here, or by emailing tls13 at
cloudflare.

The slide deck is at
[https://speakerdeck.com/filosottile/tls-1-dot-3-at-33c3](https://speakerdeck.com/filosottile/tls-1-dot-3-at-33c3)
(but it's not really made for standalone consumption).

~~~
kpcyrd
Do you know of 0-RTT implementation efforts on reverse proxies, say, nginx?

Let's say I run a static website and I'm 100% sure unauthenticated GET won't
break anything, is there anything special I need to do or is it going to be
"enable this flag"?

Another question: Can I set 0-RTT per vhost (sni) or do I need dedicated 0-RTT
IPs?

~~~
FiloSottile
There is no 0-RTT implementation in servers that I know of, except our
internal one at Cloudflare, which currently waits for the Finished
confirmation until we decide on a policy.

The following two questions are of course implementation-specific, but there
is nothing in the protocol blocking a "just do 0-RTT" flag or vhost configs.

------
FullyFunctional
I'm a bit late, but it was a great talk and TLS 1.3 is looking nice.

I'm not sure who was the first to propose 0-RTT like this, but it appears that
both MinimaLT and QUIC did at about the same time.

TLS 1.3 does nothing to improve TCP deficiencies, but there are alternatives
that do, including QUIC. What I can't quite tell is how the two combine,
if at all. Does a QUIC connection mean that TLS 1.3 doesn't apply/is
redundant?

