[erlang-questions] SSL behavior!?

Dmitry Kolesnikov dmkolesnikov@REDACTED
Thu Aug 16 16:24:34 CEST 2012


Hello,

Thanks a lot for explanation!

Regards, Dmitry

On Aug 16, 2012, at 10:04 AM, Ingela Andin wrote:

> Hi!
> 
> This behaviour is a security counter measure, 1/n-1 splitting
> countermeasure Rizzo/Duong-Beast, RC4 chiphers are not vulnerable to
> this attack so if you use an RC4-cipher suite it will not happen but
> for the other cipher suites you will have to live with it until
> TLS-1.1 is supported.
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 2012/8/16, dmitry kolesnikov <dmkolesnikov@REDACTED>:
>> Hello,
>> 
>> Yes for sure, you have to deal with IP fragmentation. But, like I said
>> in my post fragmentation happens on SSL level, two distinguished "App
>> Data" frames where generated and those frames were put into single
>> packet.
>> 
>> I would not raise an issue if I would observe a fragmentation on large
>> dataset but for 16 byte packet looks suspicious for me, especially of
>> first fragment is one byte... I've not seen that issue on R14, it pops
>> up when I jumped to R15 and made slight adjustments my code.
>> 
>> 
>> Best Regards,
>> Dmitry >-|-|-*>
>> 
>> 
>> On 15.8.2012, at 23.38, "Loïc Hoguin" <essen@REDACTED> wrote:
>> 
>>> Hey,
>>> 
>>> The same can happen for gen_tcp. You can't assume what you are sending
>>> isn't going to be fragmented when you receive it, packets have a size
>>> limit (MTU). You need to either know how much data you are waiting for,
>>> or try to parse it to validate it got received fully before processing
>>> it.
>>> 
>>> On 08/15/2012 09:50 PM, Dmitry Kolesnikov wrote:
>>>> Hello,
>>>> 
>>>> I am experience very wired behavior with SSL in R15... So, I do have both
>>>> client & server implemented on erlang, using ssl in active mode.
>>>> 
>>>> The implementation is straight forward it
>>>> 
>>>> Client-side:
>>>> {ok, Tcp} = gen_tcp:connect(Host, Port, ?SOCK_OPTS, T),
>>>> {ok, Ssl}  = ssl:connect(Tcp,  []),
>>>> 
>>>> Server-side:
>>>>   {ok, LSock} = ssl:listen(Port, [
>>>>          {ip, IP},
>>>>       {certfile, Cert},
>>>>       {keyfile,  Key},
>>>>       {reuseaddr, true} | ?SOCK_OPTS
>>>>   ]),
>>>>   ...
>>>>   {ok, Sock} = ssl:transport_accept(LSock),
>>>>   ok = ssl:ssl_accept(Sock),
>>>> 
>>>> 
>>>> -define(SOCK_OPTS, [
>>>>   {active, once},
>>>>   {mode, binary},
>>>>   {nodelay, true},  %% BTW, if I drop nodelay or put it to false, same
>>>> issue
>>>>   {recbuf, 16 * 1024},
>>>>   {sndbuf, 16 * 1024}
>>>> ]).
>>>> 
>>>> 
>>>> My issue is that client send data, the data got fragmented into multiple
>>>> "Application Data" messages. I've been validating it by sniffing the
>>>> traffic. I cannot get idea why this happens...
>>>> 
>>>> Client log:
>>>> 22:34:54.948 [info] ssl connected {{127,0,0,1},8443}, local addr
>>>> {{127,0,0,1},53804}, suite {tlsv1,{dhe_rsa,aes_256_cbc,sha}}
>>>> 22:34:54.948 [debug] ssl send {{127,0,0,1},8443} <<"0123456789abcdef">>
>>>> 
>>>> Server log:
>>>> 22:34:54.948 [info] ssl accepted {{127,0,0,1},53804}, local addr
>>>> {{127,0,0,1},8443}, suite {tlsv1,{dhe_rsa,aes_256_cbc,sha}}
>>>> 22:34:54.949 [debug] ssl recv {{127,0,0,1},53804} <<"0">>
>>>> 22:34:54.949 [debug] ssl recv {{127,0,0,1},53804} <<"123456789abcdef">>
>>>> 
>>>> thanks in advanced,
>>>> Best Regards, Dmitry
>>>> 
>>>> 
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>> 
>>> 
>>> 
>>> --
>>> Loïc Hoguin
>>> Erlang Cowboy
>>> Nine Nines
>>> http://ninenines.eu
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>> 




More information about the erlang-questions mailing list