Re: [openssl-users] TLS Heartbeat
> Yes. We're thinking of using TLS Heartbeats as a cheaper KeepAlive option in
> idle connections.

Use TCP keepalive if really needed. That keeps your application level free to reap truly idle connections if/when it wants to.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] TLS Heartbeat
Yes. We're thinking of using TLS Heartbeats as a cheaper KeepAlive option in idle connections.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, December 12, 2016 12:19 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that disables the Nagle algorithm. Using it is generally a sign of poorly-written software, created by someone who couldn't take the time to learn how TCP works. But then given the OP's description of the original problem, disabling the Nagle algorithm is likely not the most egregious design decision here.

I'll echo Rich's sentiment: If you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission for up to 200ms. The OP didn't provide any actual useful information about what the "problem" is, so we don't know whether the heartbeats would have been transmitted after 200ms. If they're not being transmitted for some other reason (e.g. receive window advertised as closed), then disabling Nagle won't make any difference.

Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] TLS Heartbeat
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that disables the Nagle algorithm. Using it is generally a sign of poorly-written software, created by someone who couldn't take the time to learn how TCP works. But then given the OP's description of the original problem, disabling the Nagle algorithm is likely not the most egregious design decision here.

I'll echo Rich's sentiment: If you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission for up to 200ms. The OP didn't provide any actual useful information about what the "problem" is, so we don't know whether the heartbeats would have been transmitted after 200ms. If they're not being transmitted for some other reason (e.g. receive window advertised as closed), then disabling Nagle won't make any difference.

Michael Wojcik
Distinguished Engineer, Micro Focus
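The two socket-level knobs the thread keeps circling, TCP keepalive (the alternative recommended above instead of TLS heartbeat) and TCP_NODELAY (the option Kyle was reaching for with "O_NAGLE"), side by side. This is an added example written for this page, not code from any poster or from OpenSSL. It assumes a Linux-style socket API: SO_KEEPALIVE and TCP_NODELAY are POSIX, while the TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT timer options are Linux names and are guarded with #ifdef because other platforms spell them differently or lack them. The function and variable names are the example's own.

```c
/* Added example (not from the thread or from OpenSSL): TCP keepalive with
 * explicit probe timers, plus TCP_NODELAY for comparison. Names such as
 * tcp_enable_keepalive and keepalive_demo are this example's, not an API. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Enable keepalive and, where the platform offers them, set the probe timers:
 * first probe after idle_s seconds of silence, then one every intvl_s seconds,
 * and the connection is reported dead after cnt unanswered probes.
 * Without the timers Linux waits its default of about two hours before probing.
 * Returns 0 on success, -1 with errno set. */
int tcp_enable_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#ifdef TCP_KEEPIDLE   /* Linux name, not in POSIX, hence the guard */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0)
        return -1;
#endif
#ifdef TCP_KEEPINTVL
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, sizeof intvl_s) < 0)
        return -1;
#endif
#ifdef TCP_KEEPCNT
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
#endif
    return 0;
}

/* Worst-case seconds before a silent, dead peer is reported to the application. */
int tcp_keepalive_detect_secs(int idle_s, int intvl_s, int cnt)
{
    return idle_s + intvl_s * cnt;
}

/* TCP_NODELAY turns Nagle off. It removes the up-to-200 ms Nagle/delayed-ACK
 * stall on small writes, but does nothing when the peer's receive window is
 * closed, and it is no substitute for writing a whole message in one call. */
int tcp_set_nodelay(int fd, int enable)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &enable, sizeof enable);
}

/* Read an int-valued option back so a caller can confirm the kernel took it. */
int tcp_get_int_opt(int fd, int level, int name)
{
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, level, name, &v, &len) < 0)
        return -1;
    return v;
}

/* Configure an unconnected TCP socket (options set before connect() stay in
 * force) and verify them. Returns 0 if everything applied as requested. */
int keepalive_demo(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = tcp_enable_keepalive(fd, 60, 10, 3);
    if (rc == 0 && tcp_set_nodelay(fd, 1) < 0)
        rc = -1;
    if (rc == 0 && tcp_get_int_opt(fd, SOL_SOCKET, SO_KEEPALIVE) <= 0)
        rc = -1;
    if (rc == 0 && tcp_get_int_opt(fd, IPPROTO_TCP, TCP_NODELAY) <= 0)
        rc = -1;
#ifdef TCP_KEEPIDLE
    if (rc == 0 && tcp_get_int_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE) != 60)
        rc = -1;
#endif
    if (rc != 0)
        fprintf(stderr, "socket option failed: %s\n", strerror(errno));
    close(fd);
    return rc;
}

int main(void)
{
    int rc = keepalive_demo();
    printf("keepalive demo: %s; a dead peer is noticed within %d s\n",
           rc == 0 ? "ok" : "failed", tcp_keepalive_detect_secs(60, 10, 3));
    return rc == 0 ? 0 : 1;
}
```

The point of the read-back in keepalive_demo is that setsockopt() succeeding does not prove the timers are in effect on every platform; on systems without the TCP_KEEP* options the connection still uses the system-wide defaults, which is worth knowing before relying on keepalive to reap idle connections.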
Re: [openssl-users] TLS Heartbeat
On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN) wrote:
> Ok, maybe, TCP is doing it. Is there any other API using which I can specify
> the payload length & number of bytes for padding to send a TLS Heartbeat
> request? Then, I can use that API to send out a big enough heartbeat request
> so my server recognize & responds to it.

Maybe related, see https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/. It shows how to measure and adjust for some throughput improvements.
Re: [openssl-users] TLS Heartbeat
disable O_NAGLE on the socket?

-Kyle H

On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich wrote:
> Heartbeats? Yuk, why.
>
> Most likely, TCP is buffering things until you get a big enough data
> packet. I don’t know how to address that.
Re: [openssl-users] TLS Heartbeat
Ok, maybe TCP is doing it. Is there any other API with which I can specify the payload length & number of bytes of padding to send in a TLS Heartbeat request? Then I can use that API to send out a big enough heartbeat request so my server recognizes & responds to it.

// Kaja

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Salz, Rich
Sent: Saturday, December 10, 2016 9:35 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

Heartbeats? Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet. I don't know how to address that.
Re: [openssl-users] TLS Heartbeat
Heartbeats? Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet. I don’t know how to address that.
[openssl-users] TLS Heartbeat
Hi,

I'm trying to develop server (Java - Netty NIO Library + OpenSSL) / client (C + OpenSSL) applications.

A. I started off writing my server using Netty+OpenSSL and used some python scripts available on the web (https://gist.github.com/takeshixx/10107280) to test whether TLS Heartbeat with OpenSSL is fine. Strangely, I found that OpenSSL responds to a heartbeat only if TLSPlainText.length is greater than 4096. I observed this from testing; I have yet to see the OpenSSL code which imposes this limitation.

B. Then I started to write my client, which uses the SSL_heartbeat macro - but I didn't find any way to specify how much payload/padding is to be used in the heartbeat message.

I need clarity on:

1. Whether the limitation observed in (A) above is correct? If so, is there any way to change it?
2. How to provide inputs like the payload/padding to be used, to work around the limitation in (A)?

Many thanks in advance,

With regards,
R Kaja Mohideen
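The heartbeat message the original poster is trying to size by hand has a fixed layout in RFC 6520: a one-byte type (1 = request, 2 = response), a two-byte big-endian payload_length, the payload, and at least 16 bytes of padding; the receiver must silently discard any message whose payload_length plus that minimum padding does not fit in the bytes actually received. Since SSL_heartbeat() takes no payload or padding argument (the limitation noted in B), the encoder and the receiver-side check are shown here as an added example written for this page, not code from the poster, from the linked gist, or from OpenSSL. It assumes nothing beyond the RFC 6520 format; hb_build, hb_parse and hb_respond are this example's own names, and the "ping" request is a constructed input. The length check in hb_parse is the one whose absence in OpenSSL was Heartbleed (CVE-2014-0160): a responder that echoes payload_length bytes without it reads past the received record.

```c
/* Added example (not from the thread, the gist, or OpenSSL): RFC 6520
 * HeartbeatMessage encoding, the receiver-side length check, and the
 * conforming echo response. Function names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* HeartbeatMessageType heartbeat_request */
#define HB_RESPONSE    2   /* HeartbeatMessageType heartbeat_response */
#define HB_MIN_PADDING 16  /* RFC 6520 section 4: padding_length MUST be >= 16 */
#define HB_HDR_LEN     3   /* type (1 byte) + payload_length (2 bytes) */

/* Serialize type || payload_length (big-endian uint16) || payload || padding.
 * Padding is zero-filled here; a real sender fills it with random bytes.
 * Returns the body length, or 0 if padding is too short or out is too small. */
size_t hb_build(uint8_t type, const uint8_t *payload, uint16_t payload_len,
                size_t padding_len, uint8_t *out, size_t out_cap)
{
    size_t total = HB_HDR_LEN + (size_t)payload_len + padding_len;
    if (padding_len < HB_MIN_PADDING || total > out_cap)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR_LEN, payload, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, padding_len);
    return total;
}

/* Parse a received body of len bytes. Returns 1 and points *payload into msg
 * on success, 0 if the message must be silently discarded. The third check is
 * the RFC 6520 requirement: the claimed payload_length plus the minimum
 * padding must lie within the bytes actually received. Echoing payload_length
 * bytes without it reads past the record (CVE-2014-0160). */
int hb_parse(const uint8_t *msg, size_t len, uint8_t *type,
             const uint8_t **payload, uint16_t *payload_len)
{
    if (len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return 0;
    uint16_t plen = (uint16_t)((msg[1] << 8) | msg[2]);
    if ((size_t)HB_HDR_LEN + plen + HB_MIN_PADDING > len)
        return 0;
    *type = msg[0];
    *payload = msg + HB_HDR_LEN;
    *payload_len = plen;
    return 1;
}

/* What a conforming responder does with a request: echo the payload back in a
 * heartbeat_response, or send nothing at all if the request is malformed. */
size_t hb_respond(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    uint8_t type;
    const uint8_t *payload;
    uint16_t plen;
    if (!hb_parse(req, req_len, &type, &payload, &plen) || type != HB_REQUEST)
        return 0;
    return hb_build(HB_RESPONSE, payload, plen, HB_MIN_PADDING, out, out_cap);
}

int main(void)
{
    uint8_t req[64], resp[64];
    const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };   /* constructed payload */
    size_t n = hb_build(HB_REQUEST, ping, sizeof ping, HB_MIN_PADDING, req, sizeof req);
    printf("well-formed request: %zu bytes -> response %zu bytes\n",
           n, hb_respond(req, n, resp, sizeof resp));

    /* Same 23 bytes on the wire, but payload_length now claims 16384. */
    req[1] = 0x40;
    req[2] = 0x00;
    printf("oversized payload_length -> response %zu bytes (discarded)\n",
           hb_respond(req, n, resp, sizeof resp));
    return 0;
}
```

Sizing the request, as the original post asks, is just choosing payload_len and padding_len in hb_build; whatever the peer's minimum turns out to be, the receiver side should still reject any message whose declared payload_length overruns what arrived, which is exactly the case the second call in main exercises.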