Re: [openssl-users] TLS Heartbeat

2016-12-12 Thread Salz, Rich

> Yes. We're thinking of using TLS Heartbeats as cheaper KeepAlive option in
> idle connections.

Use TCP keepalive if really needed.  That keeps your application level free to 
reap truly idle connections if/when it wants to.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
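Rich's suggestion of TCP keepalive in place of TLS heartbeats, as an added example that is not part of the thread or of OpenSSL: it enables SO_KEEPALIVE with explicit probe timing on a stream socket and reads the values back from the kernel. It assumes Linux (TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT); the 60 s / 10 s / 3 timing is a constructed demo value.

```c
/* Added example, not code from the list thread: TCP-level keepalive on a
 * stream socket, the alternative Rich suggests to a TLS heartbeat.
 * Assumes Linux, where TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT exist. */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

struct keepalive_cfg {
    int idle_s;     /* idle seconds before the first probe */
    int interval_s; /* seconds between unanswered probes */
    int count;      /* unanswered probes before the kernel drops the connection */
};

/* Apply cfg (get == 0) or read the kernel's current values into it (get != 0).
 * Returns 0 on success, -1 on error or if keepalive reads back as disabled. */
int tcp_keepalive(int fd, struct keepalive_cfg *cfg, int get)
{
    int *vals[] = { &cfg->idle_s, &cfg->interval_s, &cfg->count };
    int names[] = { TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT };
    int on = 1;
    socklen_t len = sizeof on;
    if (get ? getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len)
            : setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, len))
        return -1;
    if (get && !on)
        return -1;
    for (int i = 0; i < 3; i++) {
        len = sizeof on;
        if (get ? getsockopt(fd, IPPROTO_TCP, names[i], vals[i], &len)
                : setsockopt(fd, IPPROTO_TCP, names[i], vals[i], len))
            return -1;
    }
    return 0;
}

/* Demo on an unconnected socket (constructed values): set 60 s idle, 10 s
 * interval, 3 probes, read them back and return the worst-case time until a
 * dead peer is noticed, idle + interval * count seconds (-1 on failure). */
int keepalive_demo(void)
{
    struct keepalive_cfg cfg = { 60, 10, 3 }, back = { 0, 0, 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc = -1;
    if (fd >= 0 && tcp_keepalive(fd, &cfg, 0) == 0 && tcp_keepalive(fd, &back, 1) == 0)
        rc = back.idle_s + back.interval_s * back.count;
    if (fd >= 0)
        close(fd);
    return rc;
}
```

The probes carry no data and never reach the TLS layer, so the application still decides for itself when a truly idle connection is reaped.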


Re: [openssl-users] TLS Heartbeat

2016-12-11 Thread Rasool, Kaja Mohideen (Nokia - IN)
Yes. We're thinking of using TLS Heartbeats as cheaper KeepAlive option in idle 
connections.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Michael Wojcik
Sent: Monday, December 12, 2016 12:19 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that 
disables the Nagle algorithm.

Using it is generally a sign of poorly-written software, created by someone who 
couldn't take the time to learn how TCP works. But then given the OP's 
description of the original problem, disabling the Nagle algorithm is likely 
not the most egregious design decision here. I'll echo Rich's sentiment: If 
you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission 
for up to 200ms. The OP didn't provide any actual useful information about what 
the "problem" is, so we don't know whether the heartbeats would have been 
transmitted after 200ms.

If they're not being transmitted for some other reason (e.g. receive window 
advertised as closed), then disabling Nagle won't make any difference.

Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] TLS Heartbeat

2016-12-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that 
disables the Nagle algorithm.

Using it is generally a sign of poorly-written software, created by someone who 
couldn't take the time to learn how TCP works. But then given the OP's 
description of the original problem, disabling the Nagle algorithm is likely 
not the most egregious design decision here. I'll echo Rich's sentiment: If 
you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission 
for up to 200ms. The OP didn't provide any actual useful information about what 
the "problem" is, so we don't know whether the heartbeats would have been 
transmitted after 200ms.

If they're not being transmitted for some other reason (e.g. receive window 
advertised as closed), then disabling Nagle won't make any difference.

Michael Wojcik 
Distinguished Engineer, Micro Focus 





Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Jeffrey Walton
On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN) wrote:
> Ok, maybe, TCP is doing it. Is there any other API using which I can specify
> the payload length & number of bytes for padding to send a TLS Heartbeat
> request? Then, I can use that API to send out a big enough heartbeat request
> so my server recognize & responds to it.

Maybe related, see
https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/.
It shows how to measure and adjust for some throughput improvements.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Kyle Hamilton
disable O_NAGLE on the socket?

-Kyle H

On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich wrote:

> Heartbeats? Yuk, why.
>
> Most likely, TCP is buffering things until you get a big enough data
> packet. I don't know how to address that.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Rasool, Kaja Mohideen (Nokia - IN)
Ok, maybe, TCP is doing it. Is there any other API using which I can specify 
the payload length & number of bytes for padding to send a TLS Heartbeat 
request? Then, I can use that API to send out a big enough heartbeat request so 
my server recognizes & responds to it.

// Kaja

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich
Sent: Saturday, December 10, 2016 9:35 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] TLS Heartbeat

Heartbeats? Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet. 
I don't know how to address that.


Re: [openssl-users] TLS Heartbeat

2016-12-10 Thread Salz, Rich
Heartbeats? Yuk, why.

Most likely, TCP is buffering things until you get a big enough data packet. 
I don't know how to address that.


[openssl-users] TLS Heartbeat

2016-12-10 Thread Rasool, Kaja Mohideen (Nokia - IN)
Hi,

I'm trying to develop a server (Java - Netty NIO Library + OpenSSL) / client (C 
+ OpenSSL) applications.

A. I started off writing my server using Netty+OpenSSL and used some python 
scripts available on the web (https://gist.github.com/takeshixx/10107280) to test 
whether TLS Heartbeat with OpenSSL is fine. Strangely, I found that OpenSSL 
responds to a heartbeat only if TLSPlainText.length is greater than 4096. This 
I have observed from testing; I have yet to see the OpenSSL code which imposes 
this limitation.

B. Then I started to write my client that uses the SSL_heartbeat macro - but I 
didn't find any way to specify how much payload/padding is to be used in the 
heartbeat message.

I need clarity on

1. Whether the limitation observed in (A) above is correct? If so, is there 
any way to change it?

2. How to provide inputs like payload/padding to be used to work around the 
limitation (A)?

Many thanks in advance,

With regards,
R Kaja Mohideen
