ok. That sounds good. But, what I'm seeing is that the SSL client hangs when the message size is more than 16KB. Do I need to break this large message up into smaller chunks, or can I use SSL_write to send the whole message in one shot?

Thanks.
Animesh

On Fri, May 15, 2009 at 3:50 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> No matter what you do, the "maximum fragment length" -- the MTU -- is
> going to break all of your communications down into smaller packets.
>
> TLS, in its basic form, is designed to be as close as possible to a
> replacement for read() and write() -- you read from the connection,
> you write to the connection. It doesn't matter if there are multiple
> 'TLS records' in between -- that's all handled by the protocol, and
> each record adds a relatively minuscule overhead to the stream.
>
> Due to how the protocol works (please see RFC 4346 for TLS 1.1 and RFC
> 2426 for TLS 1.0), the specification says 2^14 is the maximum size of
> a fragment, which is 16KB. (Note that this 16KB must also include the
> HMAC.) It can be reduced by the extension introduced in RFC 3546
> (maximum fragment length notification), but it can never be raised.
> The application writes data to the TLS layer, the TLS layer encodes it
> in a standard way such that the other end can decode it, and the other
> end presents the data to its application layer without regard for how
> the TLS protocol broke it out.
>
> Basically: Build your application without regard for the size of the
> data you need to send. The TLS layer's contract is that it will, in
> the ideal case of no active attack, get the data you send to the
> remote side in a way that the remote side can handle.
>
> (If you were contracting UPS to deliver a package, you wouldn't tell
> them how to do their job... why are you trying to tell TLS, which is
> what you're contracting with, how to do its job?)
>
> -Kyle H
>
> On Thu, May 14, 2009 at 2:52 PM, Animesh Chowdhury
> <animesh.chowdh...@gmail.com> wrote:
> > Hi,
> > I've run into a problem where the data that I need to send to the client is
> > more than 16KB. How do I set up the session so that I can do the maximum
> > fragment length negotiation?
> > Any example code related to this will be extremely helpful.
> > I'm using openssl 0.9.8j.
> > Also if someone can tell me since which release openssl supports this TLS
> > extension that'll be great.
> > Much appreciated.
> > Thanks.
> > Animesh
> >
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
"We stand by your parents" - Visit www.nriparentalcare.com for more details.
For your international travel needs visit www.gangestravels.com
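The record-layer splitting Kyle describes, as an added illustration that is not code from this thread or from OpenSSL: a minimal model of how one SSL_write of a 40000-byte message (constructed here) becomes TLSPlaintext records of at most 2^14 bytes, and how a receiver enforces that bound, including a lowered bound negotiated via RFC 3546. The 5-byte header layout follows RFC 4346; the function names (tls_fragment, tls_parse, demo_roundtrip) are mine.

```c
#include <stdint.h>
#include <string.h>
/* RFC 4346 caps a record's plaintext fragment at 2^14 bytes; RFC 3546's max_fragment_length
 * extension can lower that (2^9..2^12) but never raise it.  Wire record = 5-byte header + fragment. */
#define TLS_MAX_FRAGMENT (1u << 14)
#define TLS_HDR          5
#define TLS_CT_APPDATA   23

/* Sender: split one application write into records of at most max_frag bytes, as the record
 * layer does beneath SSL_write.  Returns bytes produced, or 0 if max_frag is illegal / out too small. */
size_t tls_fragment(const uint8_t *data, size_t len, size_t max_frag, uint8_t *out, size_t cap)
{
    size_t off = 0, used = 0;
    if (max_frag == 0 || max_frag > TLS_MAX_FRAGMENT) return 0;
    while (off < len) {
        size_t n = len - off < max_frag ? len - off : max_frag;
        if (used + TLS_HDR + n > cap) return 0;
        out[used] = TLS_CT_APPDATA; out[used + 1] = 3; out[used + 2] = 2;  /* version 3.2 = TLS 1.1 */
        out[used + 3] = (uint8_t)(n >> 8); out[used + 4] = (uint8_t)n;     /* fragment length */
        memcpy(out + used + TLS_HDR, data + off, n);
        used += TLS_HDR + n; off += n;
    }
    return used;
}

/* Receiver: walk the stream, reject any fragment over the bound (RFC 4346: record_overflow
 * alert), count records and return the total plaintext length, or -1 on a bad record. */
long tls_parse(const uint8_t *in, size_t in_len, size_t max_frag, size_t *records)
{
    size_t off = 0, total = 0, n;
    *records = 0;
    while (off < in_len) {
        if (in_len - off < TLS_HDR) return -1;                              /* short header */
        n = ((size_t)in[off + 3] << 8) | in[off + 4];
        if (in[off] != TLS_CT_APPDATA || n > max_frag || in_len - off - TLS_HDR < n)
            return -1;                                                      /* bad or oversized */
        off += TLS_HDR + n; total += n; (*records)++;
    }
    return (long)total;
}

static uint8_t g_msg[40000], g_wire[65536];  /* constructed 40000-byte message (> 16KB) */
/* Round-trip g_msg under a given fragment bound; reports record count and wire size,
 * returns the reassembled length, or -1 if either side rejected it. */
long demo_roundtrip(size_t max_frag, size_t *records, size_t *wire)
{
    memset(g_msg, 'A', sizeof g_msg);
    *wire = tls_fragment(g_msg, sizeof g_msg, max_frag, g_wire, sizeof g_wire);
    return *wire ? tls_parse(g_wire, *wire, max_frag, records) : -1;
}
```

With the default bound the 40000-byte write becomes three records (16384 + 16384 + 7232) and the receiver hands back all 40000 bytes; asking for a bound above 2^14 is refused outright.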