<div dir="ltr">
<p>We've discovered that the SSL/TLS application in Erlang assumes a max plaintext size of 2^14 (16384) bytes.</p>
<p>We're communicating with an embedded device that, due to constrained resources, can't handle plaintext fragments larger than ~2Kb.</p>
<p>In OpenSSL, the maximum plaintext fragment size can be configured by using the (barely documented) SSL_CTRL_SET_MAX_SEND_FRAGMENT control. We're converting our back-end server to Erlang, and we'd like to be able to do the same from Erlang.</p>
<p>I asked about this here: <a href="http://stackoverflow.com/q/19276598/8446" target="_blank">http://stackoverflow.com/q/19276598/8446</a>, where it was also suggested that we look at implementing the relevant section of RFC 6066, which defines a mechanism for negotiating this parameter. We've discarded that option because (a) RFC 6066 only allows for a limited set of values for this parameter; and (b) our embedded device currently only supports TLS 1.1, and RFC 6066 is an extension to TLS 1.2.</p>
<p>I have a patch that implements this functionality, from the server side, at least: <a href="https://github.com/rlipscombe/otp/tree/rl-ssl-fragment-size" target="_blank">https://github.com/rlipscombe/otp/tree/rl-ssl-fragment-size</a></p>
<p>To use this feature, simply specify {max_plain_text_length, N} in the Options passed to ssl:listen/2, as follows:</p>
<pre>{ok, LSock} = ssl:listen(17120,
    [{max_plain_text_length, 2000}, {certfile, "server.crt"},
     {keyfile, "server.key"}]).</pre>
<p>If you don't specify the option, it defaults to 2^14.</p>
<p>I've tested this with Wireshark, and can clearly see that the SSL message is broken into roughly 2Kb-sized fragments (allowing for some overhead).</p>
<p>I'd like to:</p>
<p>(a) get some comments on how it can be improved.<br>
(b) see if I can shepherd this patch upstream into a future release of Erlang/OTP.</p>
<p>Things I am aware of:</p>
<p>- Too many magic numbers. I attempted to put these values in ssl_record.hrl, but then discovered that not everything that needed the magic number included this file. In particular, I ended up needing it in ssl_internal.hrl. I'd appreciate suggestions for where the definitions of the magic numbers and types ought to go.<br>
- No documentation. I'm happy to add to the relevant docs as appropriate.</p>
<p>I'd appreciate advice on how to proceed from here.</p>
<p>Thanks,<br>
Roger.</p>
</div>
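As an added illustration (my own code, not from Roger's patch or from Erlang/OTP), the Python below frames plaintext into TLS 1.1 records under a configurable ceiling in the spirit of {max_plain_text_length, N}, parses a record stream back to confirm that no fragment exceeds the limit (the check the Wireshark step above performs by eye), and maps a ceiling onto the few values RFC 6066 offers. It frames plaintext only, with no MAC or cipher; the sample data and the oversize record are constructed here.

```python
import struct

TLS_MAX_PLAINTEXT = 2 ** 14        # RFC 5246 TLSPlaintext.length limit (16384 bytes)
APPLICATION_DATA = 23              # ContentType application_data
TLS_1_1 = (3, 2)                   # ProtocolVersion {3,2} = TLS 1.1
# RFC 6066 max_fragment_length offers only these four codes/values
RFC6066_FRAGMENT_LENGTHS = {1: 2 ** 9, 2: 2 ** 10, 3: 2 ** 11, 4: 2 ** 12}


def fragment_records(plaintext, max_plain_text_length=TLS_MAX_PLAINTEXT,
                     version=TLS_1_1, content_type=APPLICATION_DATA):
    """Frame plaintext as TLS records whose fragment never exceeds the limit.
    Plaintext framing only (no MAC, no cipher); the default limit is 2^14,
    the same default the patch uses when the option is absent."""
    if not 0 < max_plain_text_length <= TLS_MAX_PLAINTEXT:
        raise ValueError("limit must be in 1..2^14")
    out = bytearray()
    for off in range(0, len(plaintext), max_plain_text_length):
        frag = plaintext[off:off + max_plain_text_length]
        out += struct.pack("!BBBH", content_type, version[0], version[1], len(frag))
        out += frag
    return bytes(out)


def parse_records(stream):
    """Walk a record stream and return [(content_type, version, fragment), ...].
    Rejects truncated records and any fragment longer than the RFC 5246 maximum,
    which is what a capture check should confirm for every record on the wire."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if length > TLS_MAX_PLAINTEXT:
            raise ValueError("record at offset %d declares %d bytes (> 2^14)" % (pos, length))
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        records.append((ctype, (major, minor), body))
        pos += 5 + length
    return records


def fits_limit(stream, limit):
    """True when every fragment in the stream is at most `limit` bytes."""
    return all(len(frag) <= limit for _, _, frag in parse_records(stream))


def rfc6066_code_for(limit):
    """Largest RFC 6066 max_fragment_length code usable under `limit`, or None:
    a 2000-byte ceiling leaves only code 2 (1024), since 2048 is already too big."""
    usable = [code for code, n in RFC6066_FRAGMENT_LENGTHS.items() if n <= limit]
    return max(usable) if usable else None
```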