TLS 1.3 0-RTT handshake

TLS 1.3 0-RTT handshake is the TLS 1.3 extension that lets a client resume an established TLS session without a round trip — sending application data in the very first flight of bytes ("early data") if the server has a usable pre-shared key (PSK) from a prior session. On a cold-start new connection it shaves one full RTT off every reconnection compared to TLS 1.2's full-handshake resumption.

Why it matters on this wiki

In database-access contexts — especially serverless / edge runtimes that can't hold long-lived connections — every "connection" is effectively cold. Per-request latency budgets are dominated by the handshake stack:

  1. TCP 3-way handshake (1 RTT)
  2. TLS handshake (1 RTT for TLS 1.3 full; 0 RTT for TLS 1.3 resumed; 2 RTTs for TLS 1.2 full)
  3. MySQL authentication handshake (1-2 RTTs)
  4. Query round trip (1 RTT)

Swapping TLS 1.2 for TLS 1.3 with 0-RTT resumption removes an entire round trip from this stack. On a high-latency link (coast-to-coast US, ~70 ms RTT), that's a ~70 ms reduction per connection — directly visible in cold-start benchmarks.

Canonical statement

PlanetScale, 2022-08-18: "a modern TLS stack for faster connections with TLS 1.3." (Source: sources/2026-04-21-planetscale-introducing-the-planetscale-serverless-driver-for-javascript.)

PlanetScale, 2023-01-04: "While, in theory, MySQL clients could also support TLS 1.3, TLS support in clients is typically not great and, in this case, negotiated with TLS 1.2." (Source: sources/2026-04-21-planetscale-faster-mysql-with-http3.)

The practical corollary: HTTP clients get TLS 1.3 for free because the HTTP ecosystem moved there years ago; MySQL binary-protocol clients typically stay on TLS 1.2 even when the server supports 1.3, simply because the client library's TLS path hasn't been updated.

The 0-RTT data flow

First connection (no prior session):

Client                                Server
  |-- ClientHello + key_share  ------>|
  |<---- ServerHello + key_share -----|
  |<---- {EncryptedExtensions} -------|
  |<---- {Certificate} + {Finished} --|
  |---- {Finished} ------------------>|
  |---- [Application Data] ---------->|

One round trip. Data flows on the second flight from the client.

Resumed connection (0-RTT with PSK from prior session):

Client                                          Server
  |-- ClientHello + PSK + early_data --------->|
  |-- [Application Data (0-RTT early data)] -->|
  |<---- ServerHello + Finished ---------------|
  |<---- [Application Data reply] -------------|

Zero round trips before application data. The first flight from the client already contains the first query.

Constraints of 0-RTT

  • Replay risk: early-data bytes can be replayed by an on-path attacker against the same PSK. Protocol rules forbid non-idempotent operations in early data. Most database HTTP APIs treat early-data replay as a correctness hazard and disable 0-RTT for write queries, keeping it on only for idempotent reads.
  • PSK lifetime: PSKs have a limited TTL; long gaps between connections fall back to the 1-RTT path.
  • Server-side session cache: server needs to remember the PSK. Stateless resumption via encrypted tickets is the deployed norm.
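
One way to enforce the replay constraint at an HTTP database endpoint, shown as an added example that is not PlanetScale's code. It assumes a trusted TLS-terminating proxy marks early-data requests with the RFC 8470 `Early-Data: 1` header; the request shape, function names and read-only keyword policy are hypothetical.

```javascript
// Added example; not PlanetScale's code. Assumption: a trusted TLS-terminating
// proxy sets "Early-Data: 1" (RFC 8470) on requests received as 0-RTT early data
// and strips that header from anything a client sent itself.

// Leading keywords treated as replay-safe reads (policy assumed for this sketch).
const READ_ONLY = new Set(["SELECT", "SHOW", "EXPLAIN", "DESCRIBE"]);

// Conservative classifier: anything not clearly a single plain read is unsafe.
function isReplaySafe(sql) {
  const s = sql.trim().replace(/;\s*$/, ""); // tolerate one trailing semicolon
  // Refuse multi-statements and comments (MySQL runs code inside /*! ... */).
  if (/;|\/\*|--|#/.test(s)) return false;
  // Reads that lock rows or write output are not idempotent.
  if (/\b(INTO|FOR\s+(UPDATE|SHARE)|LOCK\s+IN\s+SHARE\s+MODE)\b/i.test(s)) return false;
  const keyword = (s.match(/^[A-Za-z]+/) || [""])[0].toUpperCase();
  return READ_ONLY.has(keyword);
}

// req is a hypothetical shape: { headers: { lower-cased names }, sql: string }.
function gateEarlyData(req) {
  const early = req.headers["early-data"] === "1";
  if (!early || isReplaySafe(req.sql)) return { status: 200, action: "execute" };
  // 425 Too Early: the client retries after the handshake completes, so a
  // replayed first flight is refused instead of running a write.
  return { status: 425, action: "retry-after-handshake" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { "early-data": "1" }, sql: "SELECT id FROM users WHERE id = 1" },
  { headers: { "early-data": "1" }, sql: "UPDATE accounts SET balance = balance - 10 WHERE id = 1" },
  { headers: { "early-data": "1" }, sql: "SELECT * FROM jobs WHERE id = 7 FOR UPDATE" },
  { headers: { "early-data": "1" }, sql: "SELECT 1; DELETE FROM audit_log" },
  { headers: {}, sql: "UPDATE accounts SET balance = balance - 10 WHERE id = 1" },
];

function runSamples() {
  return samples.map((req) => gateEarlyData(req).status);
}

console.log(runSamples());
```

A keyword check cannot see side effects hidden in stored functions, so an allow-list of named queries is the stricter form of the same gate.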

Interaction with HTTP/3

HTTP/3 requires TLS 1.3 (no HTTP/3 over older TLS). QUIC's connection establishment fuses the TLS 1.3 handshake with the transport-level cryptographic key establishment, making the 0-RTT path a first-class transport feature rather than an application-layer optimisation (concepts/http-3).

Contrast with MySQL binary protocol's TLS layering

The MySQL protocol wraps TLS inside the server-directed capability negotiation — the client first speaks a plaintext HandshakeV10 packet, receives server capabilities, then upgrades to TLS via the SSL_REQUEST packet. This adds a plaintext round trip before TLS can even start and forces a "legacy TLS on top of legacy handshake" deployment path that's been the main obstacle to client TLS 1.3 adoption. HTTP puts TLS on the bottom layer; MySQL puts it in the middle.
