Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-17 Thread Bodo Moeller via RT
I think from the point of view of both interoperability and security, the original empty-fragment approach is best when a cipher using 8-byte blocks has been negotiated (usually 3DES), while 1 / n-1 splitting is better for interoperability and fully adequate for large block sizes (AES).

Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-16 Thread Tomas Mraz via RT
On Sun, 2012-04-15 at 16:45 +0200, Andy Polyakov via RT wrote: Here is an experimental patch I wrote that implements the 1/n-1 record splitting technique for OpenSSL. I am sending it here for consideration by OpenSSL upstream developers. By default the 0/n split is used but in case

Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-16 Thread Andy Polyakov via RT
Here is an experimental patch I wrote that implements the 1/n-1 record splitting technique for OpenSSL. I am sending it here for consideration by OpenSSL upstream developers. By default the 0/n split is used but in case the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag is set, we split the first

Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-16 Thread Tomas Mraz via RT
On Mon, 2012-04-16 at 11:49 +0200, Andy Polyakov via RT wrote: Here is an experimental patch I wrote that implements the 1/n-1 record splitting technique for OpenSSL. I am sending it here for consideration by OpenSSL upstream developers. By default the 0/n split is used but in case

Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-16 Thread Kurt Roeckx via RT
On Mon, Oct 31, 2011 at 05:56:53PM +0100, Tomas Mraz via RT wrote: By default the 0/n split is used but in case the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag is set, we split the first record with 1/n-1. There are terminators that also have a problem with this 1/n-1 splitting. You might want to

Re: [openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2012-04-15 Thread Andy Polyakov via RT
Here is an experimental patch I wrote that implements the 1/n-1 record splitting technique for OpenSSL. I am sending it here for consideration by OpenSSL upstream developers. By default the 0/n split is used but in case the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag is set, we split the first

[openssl.org #2635] 1/n-1 record splitting technique for CVE-2011-3389

2011-10-31 Thread Tomas Mraz via RT
Here is an experimental patch I wrote that implements the 1/n-1 record splitting technique for OpenSSL. I am sending it here for consideration by OpenSSL upstream developers. By default the 0/n split is used but in case the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag is set, we split the first record

Re: 1/n-1 record splitting technique

2011-10-13 Thread Tomas Mraz
On Wed, 2011-10-05 at 14:31 -0700, no_spam...@yahoo.com wrote: Are there plans for OpenSSL to adopt the 1/n-1 record splitting technique (credit Xuelei Fan) that the browsers appear to be using to mitigate the BEAST attack? I realize that OpenSSL currently contains a different mitigation

1/n-1 record splitting technique

2011-10-05 Thread no_spam_98
Are there plans for OpenSSL to adopt the 1/n-1 record splitting technique (credit Xuelei Fan) that the browsers appear to be using to mitigate the BEAST attack? I realize that OpenSSL currently contains a different mitigation technique (sending empty fragments). Evidently there are broken