[erlang-questions] SSL behavior!?
Dmitry Kolesnikov
dmkolesnikov@REDACTED
Thu Aug 16 16:24:34 CEST 2012
Hello,
Thanks a lot for explanation!
Regards, Dmitry
On Aug 16, 2012, at 10:04 AM, Ingela Andin wrote:
> Hi!
>
> This behaviour is a security counter measure, 1/n-1 splitting
> countermeasure Rizzo/Duong-Beast, RC4 ciphers are not vulnerable to
> this attack so if you use an RC4-cipher suite it will not happen but
> for the other cipher suites you will have to live with it until
> TLS-1.1 is supported.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
> 2012/8/16, dmitry kolesnikov <dmkolesnikov@REDACTED>:
>> Hello,
>>
>> Yes for sure, you have to deal with IP fragmentation. But, like I said
>> in my post, fragmentation happens on the SSL level: two distinct "App
>> Data" frames were generated and those frames were put into a single
>> packet.
>>
>> I would not raise an issue if I observed fragmentation on a large
>> dataset, but for a 16 byte packet it looks suspicious to me, especially if
>> the first fragment is one byte... I've not seen that issue on R14, it pops
>> up when I jumped to R15 and made slight adjustments to my code.
>>
>>
>> Best Regards,
>> Dmitry >-|-|-*>
>>
>>
>> On 15.8.2012, at 23.38, "Loïc Hoguin" <essen@REDACTED> wrote:
>>
>>> Hey,
>>>
>>> The same can happen for gen_tcp. You can't assume what you are sending
>>> isn't going to be fragmented when you receive it, packets have a size
>>> limit (MTU). You need to either know how much data you are waiting for,
>>> or try to parse it to validate it got received fully before processing
>>> it.
>>>
>>> On 08/15/2012 09:50 PM, Dmitry Kolesnikov wrote:
>>>> Hello,
>>>>
>>>> I am experiencing very weird behavior with SSL in R15... So, I do have both
>>>> client & server implemented in Erlang, using ssl in active mode.
>>>>
>>>> The implementation is straightforward:
>>>>
>>>> Client-side:
>>>> {ok, Tcp} = gen_tcp:connect(Host, Port, ?SOCK_OPTS, T),
>>>> {ok, Ssl} = ssl:connect(Tcp, []),
>>>>
>>>> Server-side:
>>>> {ok, LSock} = ssl:listen(Port, [
>>>> {ip, IP},
>>>> {certfile, Cert},
>>>> {keyfile, Key},
>>>> {reuseaddr, true} | ?SOCK_OPTS
>>>> ]),
>>>> ...
>>>> {ok, Sock} = ssl:transport_accept(LSock),
>>>> ok = ssl:ssl_accept(Sock),
>>>>
>>>>
>>>> -define(SOCK_OPTS, [
>>>> {active, once},
>>>> {mode, binary},
>>>> {nodelay, true}, %% BTW, if I drop nodelay or put it to false, same issue
>>>> {recbuf, 16 * 1024},
>>>> {sndbuf, 16 * 1024}
>>>> ]).
>>>>
>>>>
>>>> My issue is that when the client sends data, the data gets fragmented into multiple
>>>> "Application Data" messages. I've been validating it by sniffing the
>>>> traffic. I cannot get an idea why this happens...
>>>>
>>>> Client log:
>>>> 22:34:54.948 [info] ssl connected {{127,0,0,1},8443}, local addr
>>>> {{127,0,0,1},53804}, suite {tlsv1,{dhe_rsa,aes_256_cbc,sha}}
>>>> 22:34:54.948 [debug] ssl send {{127,0,0,1},8443} <<"0123456789abcdef">>
>>>>
>>>> Server log:
>>>> 22:34:54.948 [info] ssl accepted {{127,0,0,1},53804}, local addr
>>>> {{127,0,0,1},8443}, suite {tlsv1,{dhe_rsa,aes_256_cbc,sha}}
>>>> 22:34:54.949 [debug] ssl recv {{127,0,0,1},53804} <<"0">>
>>>> 22:34:54.949 [debug] ssl recv {{127,0,0,1},53804} <<"123456789abcdef">>
>>>>
>>>> thanks in advance,
>>>> Best Regards, Dmitry
>>>>
>>>>
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>
>>>
>>> --
>>> Loïc Hoguin
>>> Erlang Cowboy
>>> Nine Nines
>>> http://ninenines.eu
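As an added example (not code from this thread), a receive loop for an `{active, once}` ssl socket like the one above that tolerates the 1/n-1 record split: it buffers across `{ssl, Sock, Data}` messages and only acts on complete frames, so a one-byte first record is harmless. The 2-byte big-endian length prefix, the module name and the function names are assumptions.

```erlang
%% Example added to the thread, not from the original posts.
%% Assumed wire format: each application message is a 2-byte big-endian
%% length prefix followed by the payload.
-module(ssl_frames).
-export([loop/2, split_frames/1, demo/0]).

%% Re-arm {active, once} and wait for the next chunk. Buf holds bytes left
%% over from earlier records; one TLS record is never assumed to be one frame.
loop(Sock, Buf) ->
    ok = ssl:setopts(Sock, [{active, once}]),
    receive
        {ssl, Sock, Data} ->
            {Frames, Rest} = split_frames(<<Buf/binary, Data/binary>>),
            lists:foreach(fun handle_frame/1, Frames),
            loop(Sock, Rest);
        {ssl_closed, Sock} ->
            ok;
        {ssl_error, Sock, Reason} ->
            {error, Reason}
    end.

%% Pull every complete length-prefixed frame out of Bin; return the frames in
%% order plus the unparsed tail (empty, a partial header, or a partial body).
split_frames(Bin) ->
    split_frames(Bin, []).

split_frames(<<Len:16, Payload:Len/binary, Rest/binary>>, Acc) ->
    split_frames(Rest, [Payload | Acc]);
split_frames(Rest, Acc) ->
    {lists:reverse(Acc), Rest}.

handle_frame(Payload) ->
    io:format("frame ~p~n", [Payload]).

%% Constructed sample mirroring the sniffed split: the framed 16-byte payload
%% arrives as a 1-byte record followed by the remaining 15 bytes. The first
%% chunk yields no frame and is kept as Partial; the second completes it,
%% so demo() returns {[<<"0123456789abcdef">>], <<>>}.
demo() ->
    Frame = <<16:16, "0123456789abcdef">>,
    <<First:3/binary, Second/binary>> = Frame,
    {[], Partial} = split_frames(First),
    split_frames(<<Partial/binary, Second/binary>>).
```

With a fixed length prefix the same reassembly can be delegated to the ssl layer by adding `{packet, 2}` to the socket options, which also means the application never sees the split records.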