On Wed, 15 Aug 2018 17:17:48 +0300 Konstantinos Schoinas <ece8...@upnet.gr> wrote:
> On 2018-08-15 12:22, Konstantinos Schoinas wrote:
> > -------- Original message --------
> > Subject: Sequence Number
> > Date: 2018-08-15 12:21
> > From: Konstantinos Schoinas <ece8...@upnet.gr>
> > To: users <users-boun...@dpdk.org>
> >
> > Hello,
> >
> > I am building an application that blocks a TLS session if I find a specific
> > forbidden Server Name Indication. According to the RFC I must respond with
> > a Fatal Error (2) unrecognized name (112) alert.
> >
> > When I receive the Client Hello, and after I extract the SNI and check it
> > against a black list, I process the Client Hello in order to respond to the
> > client and terminate the session.
> >
> > However, I am getting a lot of retransmitted packets in Wireshark, so I
> > suppose I am doing something wrong.
> >
> > I think I might have the seq and ack numbers wrong or something. If anyone
> > could help I would appreciate it.
> > Here is the processing of the packet after I check for the forbidden SNI:
> >
> >     uint32_t client_receive_ack = ntohl(th->recv_ack);
> >     uint32_t client_send_seq = ntohl(th->sent_seq);
> >
> >     th->sent_seq = th->recv_ack;
> >     th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
> >
> >     uint16_t l = ntohs(ssl->length) - 0x02;
> >     uint16_t ip_l = ntohs(iphdr->total_length) - l;
> >
> >     rte_pktmbuf_trim(m, l);
> >     iphdr->total_length = htons(ip_l);
> >     ssl->length = htons(2);
> >
> >     alert = (struct Alert *)((uint8_t *)ssl + 5);
> >
> >     iphdr->src_addr = dst_ip;
> >     iphdr->dst_addr = src_ip;
> >     th->src_port = dst_port;
> >     th->dst_port = src_port;
> >     ssl->type = 21;          // alert message
> >     alert->type = 2;         // fatal error
> >     alert->description = 112; // unrecognized name
> >
> >     iphdr->hdr_checksum = 0;
> >     th->cksum = 0;
> >     iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
> >
> >     th->cksum = rte_ipv4_udptcp_cksum(iphdr, th);
> >
> > Thanks for your time
>
> I wanted to give some more information on the subject. I am adding a
> Wireshark picture to the mail to give more info. The problem with the
> retransmitted packet is that it doesn't end the TLS session even though I
> am sending a fatal-error alert with DPDK.
>
> I believe that I do something wrong when processing the Client Hello, so
> it doesn't have the right format in order to get recognized by the client
> and end the TLS session.
>
> If you look at my code above, I change the source and destination IP and
> port, the seq and the ack value. In addition I am cutting from the SSL
> record the data that it had and I am adding the alert message according
> to the RFC.
>
> Is there any field I must change according to DPDK?

With wireshark, the easiest thing to attach is a pcap file with the flow in question.
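The following is an added example, not code from this thread or from DPDK, showing the header arithmetic a reply like the one quoted above has to get right: endpoints and ports swapped, the reply's sequence number taken from the client's acknowledgement number, the acknowledgement number set to the client's sequence number plus the TCP payload it carried (IP total length minus both headers), and a 7-byte TLS alert record (type 21, level 2 fatal, description 112 unrecognized_name) with fresh IPv4 and TCP checksums. It uses plain C with its own `ipv4_hdr`/`tcp_hdr` layouts as stand-ins for `rte_ipv4_hdr`/`rte_tcp_hdr`, assumes no IP or TCP options, and builds a constructed sample Client Hello segment (addresses 10.0.0.5:40000 and 203.0.113.10:443, seq 1000, ack 5000) so it runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal wire layouts, assumed here in place of DPDK's rte_ipv4_hdr / rte_tcp_hdr. */
struct ipv4_hdr {
    uint8_t  version_ihl, tos;
    uint16_t total_length, packet_id, fragment_offset;
    uint8_t  ttl, next_proto_id;
    uint16_t hdr_checksum;
    uint32_t src_addr, dst_addr;
} __attribute__((packed));

struct tcp_hdr {
    uint16_t src_port, dst_port;
    uint32_t sent_seq, recv_ack;
    uint8_t  data_off, tcp_flags;   /* data_off upper nibble: header length in 32-bit words */
    uint16_t rx_win, cksum, tcp_urp;
} __attribute__((packed));

#define IP_HDR_LEN    20
#define TCP_HDR_LEN   20
#define ALERT_REC_LEN 7             /* 5-byte TLS record header + 2-byte alert body */
#define REPLY_LEN     (IP_HDR_LEN + TCP_HDR_LEN + ALERT_REC_LEN)
enum { TLS_RT_ALERT = 21, TLS_ALERT_FATAL = 2, TLS_ALERT_UNRECOGNIZED_NAME = 112 };
enum { TCP_PSH = 0x08, TCP_ACK = 0x10 };

uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 one's-complement sum over big-endian 16-bit words, then fold and invert. */
static uint32_t csum_add(uint32_t sum, const uint8_t *d, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) sum += rd16(d + i);
    if (n & 1) sum += (uint32_t)d[n - 1] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP checksum covers the IPv4 pseudo-header (src, dst, proto, TCP length) plus the segment. */
static uint16_t tcp_cksum(const uint8_t *ip, const uint8_t *seg, size_t seglen) {
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, ip + 12, 8);
    pseudo[9] = 6;                                   /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seglen >> 8); pseudo[11] = (uint8_t)seglen;
    return csum_fold(csum_add(csum_add(0, pseudo, 12), seg, seglen));
}

/* Build the server-side alert segment answering client_pkt into out (REPLY_LEN bytes).
 * Returns the reply length, or 0 if the client packet is too short to be IPv4+TCP+TLS record. */
size_t build_alert_reply(const uint8_t *client_pkt, size_t client_len, uint8_t *out) {
    struct ipv4_hdr cip, ip = {0}; struct tcp_hdr cth, th = {0};
    if (client_len < IP_HDR_LEN + TCP_HDR_LEN) return 0;
    memcpy(&cip, client_pkt, IP_HDR_LEN);
    size_t ihl = (cip.version_ihl & 0x0f) * 4, total = ntohs(cip.total_length);
    if (ihl < IP_HDR_LEN || ihl + TCP_HDR_LEN > client_len) return 0;
    memcpy(&cth, client_pkt + ihl, TCP_HDR_LEN);
    size_t doff = (cth.data_off >> 4) * 4;
    if (doff < TCP_HDR_LEN || total > client_len || ihl + doff + 5 > total) return 0;
    const uint8_t *rec = client_pkt + ihl + doff;   /* client's TLS record header */
    /* Bytes the client sent = IP total length minus both headers; that, not the raw
     * total length, is what the acknowledgement number must advance by. */
    uint32_t payload_len = (uint32_t)(total - ihl - doff);

    ip.version_ihl = 0x45; ip.ttl = 64; ip.next_proto_id = 6;
    ip.total_length = htons(REPLY_LEN);
    ip.src_addr = cip.dst_addr; ip.dst_addr = cip.src_addr;      /* swap endpoints */
    th.src_port = cth.dst_port; th.dst_port = cth.src_port;
    th.sent_seq = cth.recv_ack;                                  /* byte the client expects next */
    th.recv_ack = htonl(ntohl(cth.sent_seq) + payload_len);      /* acknowledge the Client Hello */
    th.data_off = (TCP_HDR_LEN / 4) << 4; th.tcp_flags = TCP_PSH | TCP_ACK;
    th.rx_win = htons(65535);

    uint8_t *seg = out + IP_HDR_LEN, *alert = seg + TCP_HDR_LEN;
    alert[0] = TLS_RT_ALERT; alert[1] = rec[1]; alert[2] = rec[2];   /* echo client's record version */
    alert[3] = 0; alert[4] = 2;                                      /* record length = 2 */
    alert[5] = TLS_ALERT_FATAL; alert[6] = TLS_ALERT_UNRECOGNIZED_NAME;

    memcpy(out, &ip, IP_HDR_LEN);                                    /* checksum field still 0 */
    uint16_t ic = csum_fold(csum_add(0, out, IP_HDR_LEN));
    out[10] = (uint8_t)(ic >> 8); out[11] = (uint8_t)ic;
    memcpy(seg, &th, TCP_HDR_LEN);
    uint16_t tc = tcp_cksum(out, seg, TCP_HDR_LEN + ALERT_REC_LEN);
    seg[16] = (uint8_t)(tc >> 8); seg[17] = (uint8_t)tc;
    return REPLY_LEN;
}

/* Recomputing a checksum over a header that already carries it must yield 0. */
int reply_checksums_ok(const uint8_t *pkt) {
    size_t ihl = (pkt[0] & 0x0f) * 4, total = rd16(pkt + 2);
    return csum_fold(csum_add(0, pkt, ihl)) == 0 && tcp_cksum(pkt, pkt + ihl, total - ihl) == 0;
}

/* Constructed sample (hypothetical values): 10.0.0.5:40000 -> 203.0.113.10:443, seq 1000,
 * ack 5000, carrying a 16-byte handshake record that stands in for a Client Hello. */
size_t make_sample_client_hello(uint8_t *buf, size_t cap) {
    static const uint8_t record[16] = {0x16, 0x03, 0x03, 0x00, 0x0b, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    struct ipv4_hdr ip = {0}; struct tcp_hdr th = {0};
    size_t len = IP_HDR_LEN + TCP_HDR_LEN + sizeof record;
    if (cap < len) return 0;
    ip.version_ihl = 0x45; ip.ttl = 64; ip.next_proto_id = 6; ip.total_length = htons((uint16_t)len);
    ip.src_addr = htonl(0x0A000005); ip.dst_addr = htonl(0xCB00710A);
    th.src_port = htons(40000); th.dst_port = htons(443);
    th.sent_seq = htonl(1000); th.recv_ack = htonl(5000);
    th.data_off = 5 << 4; th.tcp_flags = TCP_PSH | TCP_ACK; th.rx_win = htons(65535);
    memcpy(buf, &ip, IP_HDR_LEN); memcpy(buf + IP_HDR_LEN, &th, TCP_HDR_LEN);
    memcpy(buf + IP_HDR_LEN + TCP_HDR_LEN, record, sizeof record);
    return len;
}

/* Builds the reply for the sample packet into static storage (for a stand-alone run or a test). */
const uint8_t *demo_reply(size_t *len_out) {
    static uint8_t client[64], reply[REPLY_LEN];
    size_t clen = make_sample_client_hello(client, sizeof client);
    size_t rlen = build_alert_reply(client, clen, reply);
    if (len_out) *len_out = rlen;
    return reply;
}
```

For the sample input the reply acknowledges 1016 (1000 + 16 payload bytes) and carries the 7-byte record `15 03 03 00 02 02 70`. Sending the alert record alone only tells the TLS peer the handshake failed; closing the TCP connection is a separate step (a FIN or RST with consistent sequence numbers), and a pcap of the real flow, as the reply above suggests, is the quickest way to check that the numbers line up with what the client actually sent.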