SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is used to thwart some CBC attacks.
Check out this link for details:

http://www.openssl.org/~bodo/tls-cbc.txt

Thanks
--Gayathri

> Hi,
>
> The client is configured with SSLv3_client_method.
>
> ctx = SSL_CTX_new(SSLv3_client_method());
>
>  Whenever the client tries to connect to server with any CBC ciphers like
> DES-CBC3-SHA, the SSL handshake is successful but when the
> client tries to send data to server, say 10 bytes, I see from ethereal that
> two application records are sent. But the server does not report reading
> that data. With cipher RC4-MD5, this is not seen. 10 bytes are sent in one
> application record and server reports the receiving of that particular
> data.
>
> Now when I set the SSL_CTX_set_options
> with SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
> (or SSL_OP_ALL), data exchange with CBC ciphers is successful.
>
> What is happening here? Can someone please explain the theory behind
> the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
> option?
>
> Thanks,
> Prabhu. S
>
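A small record-layer parser, added here as an illustration (not code from the thread or from OpenSSL), that splits a captured SSL/TLS byte stream into records and flags an application_data record whose encrypted body is only MAC plus minimal padding, which is what the extra record seen with DES-CBC3-SHA is. The captures are constructed filler; MAC and block sizes are passed in (20 and 8 for DES-CBC3-SHA, 16 and no block for RC4-MD5) and minimal padding of the empty fragment is assumed.

```python
import struct

APPLICATION_DATA = 23  # record-layer content type for application data


def parse_records(stream):
    """Split a raw SSL/TLS byte stream into (content_type, version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        records.append((ctype, (major, minor), body))
        off += 5 + length
    if off != len(stream):
        raise ValueError("%d trailing bytes after last record" % (len(stream) - off))
    return records


def is_empty_fragment(body_len, mac_len, block_len):
    """True if an encrypted application_data body can hold no plaintext at all.
    Stream cipher (block_len None): the body is just the MAC.  CBC cipher: MAC plus
    padding plus the padding-length byte, rounded up to one block; OpenSSL pads the
    empty fragment minimally (assumption), so that is the smallest legal body."""
    if block_len is None:
        return body_len == mac_len
    return body_len == (mac_len // block_len + 1) * block_len


def classify(stream, mac_len, block_len):
    """Label each record 'empty-fragment', 'data' or 'other' (not application data)."""
    labels = []
    for ctype, _version, body in parse_records(stream):
        if ctype != APPLICATION_DATA:
            labels.append("other")
        elif is_empty_fragment(len(body), mac_len, block_len):
            labels.append("empty-fragment")
        else:
            labels.append("data")
    return labels


def record(ctype, body, version=(3, 0)):
    """Build one record with an SSLv3 (3,0) header; used here only to construct samples."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed sample captures: the bodies are filler bytes, only their lengths matter.
# DES-CBC3-SHA, 10 bytes of data: a 24-byte empty fragment, then 10 data + 20 MAC + 2 padding = 32.
CBC_CAPTURE = record(APPLICATION_DATA, b"\xaa" * 24) + record(APPLICATION_DATA, b"\xbb" * 32)
# RC4-MD5, 10 bytes of data: a single record of 10 data + 16 MAC = 26, no empty fragment.
RC4_CAPTURE = record(APPLICATION_DATA, b"\xcc" * 26)
```

Run `classify(CBC_CAPTURE, 20, 8)` against a real capture's bytes to confirm that the first of the two records carries no application data and the second carries the 10 bytes.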
