TLS False Start : Exactly How to Get With Nginx

Through the previous articles we discussed about some basic topics related to optimizing HTTP/2. TLS False Start on Nginx Appears Black Magic to Many New Server Admins. Here is How to Exactly How to Get it With Nginx in Easy Language. TLS False Start is possibly one of the worstly described phrase around optimizations.

What This TLS False Start is?

TLS False Start is nothing new. Transport Layer Security (TLS) False Start is described officially on IETF’s webpage. whether WikiPedia copy-pasted the topic or not does not matter :

In short, this is written –

This document specifies an optional behavior of Transport Layer Security (TLS) client implementations, dubbed “False Start”. It affects only protocol timing, not on-the-wire protocol data, and can be implemented unilaterally. A TLS False Start reduces handshake latency to one round trip. This document is not an Internet Standards Track specification; it is published for informational purposes.

Can You Make TLS False Start More Clear?

HTTPS optimization has 3 basic points:

1. Using less network traffic to and from
2. Faster encryption and decryption calculation
3. Small network latency

The TLS False Start function precisely works by reducing RT (Round Trip). First, we need to look at HTTP and HTTPS traffic comparison. In the most unsatisfactory condition, a normal HTTP arrival of TTFB (Time To First Byte) to go through the following procedure :

1. DNS query
2. TCP handshake
3. At least one HTTP request and response RT

We assume that RTT between the browser and the server is 50ms, where we would not consider the DNS, so in this assumption, HTTP reach TTFB need 100ms. If we look at HTTPS process, compared to HTTP, HTTPS two more RTT is used to negotiate a TLS tunnel (ignore OCSP), also does not consider the DNS, under this assumption, HTTPS needs 200ms to reach the TTTFB. As you can see, HTTP vs HTTPS communication time is exactly twice.

If we can reduce the HTTPS RT communication process, the time from 200ms will drop to 150ms. TLS False Start is a Google proposed optimization method, the approach is in the TLS negotiation’s second stage, after the browser checks Cipher, immediately it sends the encrypted application layer data, without waiting for confirmation on the server side.

Microsoft has bigger lecture on the topic :

TLS False Start : Exactly How to Get With Nginx

TLS False Start need to open the browser and the server at the same time to meet the conditions. Chrome and Firefox needs to support NPN / ALPN, and server-side support for the Forward Secrecy; Safari supports it from OS X 10.9. For Nginx as an example here, in fact :

Along with cipher suite, NPN (possibly better to think about ALPN), automatically opens it up. We need to enable ALPN, which in practice means that we need to use Ubuntu 16.04 over Ubuntu 14.04.