Head check on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option

2012-12-05 Thread no_spam_98
The SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option only affects how the OUTBOUND 
(i.e. SSL_write) records are split (or not), correct?  It doesn't define any 
behavior for how the INBOUND records (i.e. SSL_read) should be split (or not), 
correct?

So, it's possible that different sides of an SSL connection could be splitting 
(or not) the records different ways.  For example, suppose the client does NOT 
have the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option set, but the server does.  
In this scenario the records coming from the client going to the server would 
be split and contain empty fragments, but the records coming from the server 
going to the client would NOT contain empty fragments.  Is that correct?

Thank you.


SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option...

2008-04-09 Thread Prabhu S
Hi,

The client is configured with SSLv3_client_method.

*ctx = SSL_CTX_new(SSLv3_client_method());*

Whenever the client tries to connect to server with any CBC ciphers like
DES-CBC3-SHA, the SSL handshake is successful but when the
client tries to send data to server, say 10 bytes, I see from ethereal that
two application records are sent. But the server does not report reading
that data. With cipher RC4-MD5, this is not seen. 10 bytes are sent in one
application record and server reports the receiving of that particular data.

Now when I set the *SSL_CTX_set_options* with
*SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS* (or SSL_OP_ALL), data exchange with
CBC ciphers is successful.

What is happening here? Can someone please explain the theory behind
the *SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS* option?

Thanks,
Prabhu. S


Re: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option...

2008-04-09 Thread jimmy bahuleyan

Prabhu S wrote:

> Hi,
>
> The client is configured with SSLv3_client_method.
>
> *ctx = SSL_CTX_new(SSLv3_client_method());*
>
> Whenever the client tries to connect to server with any CBC ciphers
> like DES-CBC3-SHA, the SSL handshake is successful but when the
> client tries to send data to server, say 10 bytes, I see from ethereal
> that two application records are sent. But the server does not report
> reading that data. With cipher RC4-MD5, this is not seen. 10 bytes are
> sent in one application record and server reports the receiving of that
> particular data.
>
> Now when I set the *SSL_CTX_set_options* with
> *SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS* (or SSL_OP_ALL), data exchange with
> CBC ciphers is successful.

It isn't exactly unsuccessful with the empty fragments. (They only
apply for block ciphers, so you don't have it with RC4).

> What is happening here? Can someone please explain the theory behind
> the *SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS* option?

See http://www.openssl.org/~bodo/tls-cbc.txt

-jb
--
Real computer scientists don't comment their code.  The identifiers are
so long they can't afford the disk space.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
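The behaviour Prabhu observed (two application-data records for a single 10-byte SSL_write with DES-CBC3-SHA, one record once the option is set) and the first post's point that the option governs only the writing side, as an added example that is not part of this thread or of OpenSSL's code. It simulates the SSLv3/TLS 1.0 CBC record layer, where the last ciphertext block of one record is the IV of the next, using a constructed keyed PRF in place of 3DES and HMAC-SHA1 in place of the real MAC; RecordWriter, compare and the keys are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 3DES block size, matching the DES-CBC3-SHA case from the thread
def toy_block_encrypt(key, block):
    # Constructed stand-in for a block cipher: a keyed PRF truncated to one block (not invertible).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(prev, data[i:i + BLOCK])))
        out.append(prev)
    return b"".join(out)

class RecordWriter:
    """Simplified SSLv3/TLS 1.0 write side: there is no per-record IV, so the last
    ciphertext block of record N becomes the CBC IV of record N+1."""
    def __init__(self, enc_key, mac_key, dont_insert_empty_fragments=False):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.dont_insert_empty_fragments = dont_insert_empty_fragments  # the SSL_OP_* flag
        self.iv = bytes(BLOCK)  # constructed initial IV (really derived from the key block)
        self.data_iv = None     # IV that actually protected the last application data
    def _record(self, plaintext):
        mac = hmac.new(self.mac_key, plaintext, hashlib.sha1).digest()  # SHA-1 MAC, 20 bytes
        body = plaintext + mac
        pad = BLOCK - len(body) % BLOCK  # SSL/TLS CBC padding always adds 1..BLOCK bytes
        body += bytes([pad - 1]) * pad
        ciphertext = cbc_encrypt(self.enc_key, self.iv, body)
        self.iv = ciphertext[-BLOCK:]    # chained IV for whatever record comes next
        return ciphertext

    def ssl_write(self, data):
        # Returns the application-data record bodies that one SSL_write() emits.
        records = []
        if not self.dont_insert_empty_fragments:
            records.append(self._record(b""))  # zero-length fragment: MAC + padding only
        self.data_iv = self.iv               # the IV the real data will be chained to
        records.append(self._record(data))
        return records

def compare(data=b"0123456789"):
    # Same constructed keys, same 10-byte write; only the option differs.
    result = {}
    for opt in (False, True):
        w = RecordWriter(b"K" * 24, b"M" * 20, dont_insert_empty_fragments=opt)
        iv_known_before_write = w.iv
        recs = w.ssl_write(data)
        result[opt] = (len(recs), [len(r) for r in recs], w.data_iv == iv_known_before_write)
    return result
```

compare() returns, for each option value, the record count, the record sizes and whether the data was chained to an IV that was already visible on the wire before SSL_write was called; each side's RecordWriter carries its own flag, which is why the two directions of one connection can behave differently.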