On Tue, Aug 15, 2017 at 2:17 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dw...@infradead.org> wrote:
>> So from wire packet MTU, subtract headers and MAC and IV, round *down*
>> to a multiple of blocksize, subtract one byte for the *minimal*
>> padding, and that's the largest payload you can carry.
>
> Aha, thanks, I'll look at dtls_get_data_mtu() and try to get this exactly
> right.
I've got a patch to do exactly what you described for the ESP-based MTU. As long as I'm on this, however, many GP users are unable to use ESP (firewalls, misconfiguration, etc.). So when ESP is not in use, I think I should set the MTU using the TCP MSS… but then I'd have to account for the *TLS* overhead. Does GnuTLS have a library function to compute the maximum-size TLS application record that can fit in a single TCP segment? I couldn't find anything.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
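The payload-size computation David describes above (subtract outer headers, IV and MAC, round down to the cipher block size, then subtract the bytes the padding scheme always costs), written out as an added C example; this is illustrative code, not openconnect's own `dtls_get_data_mtu()` or its ESP path. The `trailer_fixed` parameter and the function name are this example's assumptions: it is 1 for TLS/DTLS CBC (the pad-length byte) and 2 for ESP (pad length + next header, per RFC 4303), which is the one ESP detail the quoted rule does not spell out.

```c
#include <stdio.h>

/*
 * Hypothetical helper (not openconnect's code): largest plaintext payload
 * that fits in one wire packet of a CBC-encrypted tunnel.
 *
 *   wire_mtu      - path MTU of the outer packet, in bytes
 *   outer_hdrs    - bytes outside the ciphertext (IP + UDP + ESP SPI/seq,
 *                   or IP + UDP + DTLS record header)
 *   iv_len        - explicit IV length
 *   mac_len       - MAC / ICV length
 *   blocksize     - cipher block size
 *   trailer_fixed - bytes that always sit after the payload inside the
 *                   encrypted region: 1 for TLS/DTLS CBC, 2 for ESP
 *
 * Returns the payload size, or -1 when no payload fits at all.
 */
int cbc_tunnel_data_mtu(int wire_mtu, int outer_hdrs, int iv_len, int mac_len,
                        int blocksize, int trailer_fixed)
{
    if (blocksize <= 0 || trailer_fixed < 0)
        return -1;

    /* Bytes available for the encrypted region (payload + trailer + padding). */
    int enc = wire_mtu - outer_hdrs - iv_len - mac_len;
    if (enc < blocksize)
        return -1;

    /* The encrypted region is always a whole number of blocks: round *down*. */
    enc -= enc % blocksize;

    /* Minimal padding: only the fixed trailer bytes, no extra fill. */
    int payload = enc - trailer_fixed;
    return payload > 0 ? payload : -1;
}

int main(void)
{
    /* Constructed sample: 1500-byte MTU, IPv4+UDP+ESP SPI/seq = 36 bytes,
     * AES-CBC (16-byte IV, 16-byte blocks), HMAC-SHA1-96 ICV (12 bytes). */
    printf("ESP payload MTU:  %d\n", cbc_tunnel_data_mtu(1500, 36, 16, 12, 16, 2));
    /* DTLS: IPv4+UDP+13-byte record header = 41, AES-CBC, HMAC-SHA1 (20). */
    printf("DTLS payload MTU: %d\n", cbc_tunnel_data_mtu(1500, 41, 16, 20, 16, 1));
    return 0;
}
```

The ESP case yields 1422 (1422 + 2 = 1424 = 89 blocks; one more block would push the packet to 1504 bytes), and the DTLS case 1407.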