Bodo Moeller wrote:
> On Mon, Jun 26, 2006 at 02:04:47PM +0100, Darryl Miles wrote:
>> Bodo Moeller wrote:
>>> On Mon, Jun 26, 2006 at 12:35:57PM +0100, Darryl Miles wrote:
>>> Yes. During the first call to SSL_write(), OpenSSL may take as many
>>> bytes as fit into one TLS record, and encrypt this for transport.
>>> Then SSL_write() may fail with WANT_WRITE or WANT_READ both before and
>>> after this first record has been written, until finally all the data
>>> has been broken up into records and all these records have been sent.
>> Cheeky extra question: out of interest, what are the overheads for TLS
>> headers and block padding for bulk application data, and is there an optimal
>> SSL_write() size that would align all of these factors in the encoded
>> output:
>> * TLS header/protocol overhead
>> * Cipher blocks and chaining modes (picking the most commonly used)
>> * Blocking mode padding overhead
>> * Ethernet 1500 MTUs
>> I presume the minimum is 1 byte, to be sent and flushed at the receiver.
>> But the maximum block size I read somewhere is maybe around 16KB?
>> So if we were looking in the 1500 to 6000 byte region for a nicely
>> aligned SSL_write() size, what are the magic numbers?
> If you want to minimize overhead, you should use records of maximum
> length, which is 2^14 plaintext bytes (with a slightly longer
> ciphertext).
I was thinking in terms of the possibility of optimizing for the network
layer (rather than just the raw encoded data length necessary to encode the
payload).
For example, if:
* TLS overhead is: 5 bytes
* Cipher block + chaining alignment is 512 bits / 64 bytes. Some
ciphers align at less (down to 8 bytes), which makes it easier to find
magic numbers for them.
* Blocking mode padding at 64 byte multiples of payload size is: 0 bytes
* Ethernet MTU is: 1500 bytes
So magic numbers in the 1500 to 6000 byte region would be:
1472 bytes payload (1472 divides by 64 with no remainder, and block
padding overhead for that length is 0) + 5 TLS header = 1472 bytes.
5952 bytes payload + 5 TLS header = 5957 bytes.
I'm pretty sure the metrics I list above are incorrect, but they demonstrate
the maths: I'm looking for an output in 1500 multiples. But an odd
sized TLS header stuffs that possibility up anyway. If I send just a
byte of payload data under TLS (AES256-SHA), IIRC around 37 bytes are
sent over the network.
>> I presume I am allowed to increase the amount of data in a subsequent
>> SSL_write() call, or does that break the TLS block length previously set up?
> OpenSSL won't complain if you increase the length on subsequent
> SSL_write() calls.
I take your response to mean that OpenSSL doesn't care, as in I will not
corrupt or mess anything up.
Thanks, you've been a great help clarifying my points.
Darryl
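The two points made in the thread above, that OpenSSL splits one SSL_write() into records of at most 2^14 plaintext bytes, and that a CBC cipher suite such as AES256-SHA adds a 5-byte header plus MAC and block padding to each record, can be modelled directly. The following is an added example written for this page; it is not code from the thread, from OpenSSL, or from either poster. It assumes TLS 1.0 style CBC framing (no explicit IV, which is what OpenSSL 0.9.8 sent in 2006), a 20-byte SHA-1 MAC, a 16-byte AES block, and a 1460-byte TCP MSS derived from a 1500-byte Ethernet MTU minus 40 bytes of IPv4/TCP headers. Those parameters are the assumptions; the record layout itself follows RFC 2246 section 6.2.3.2. The `explicit_iv` argument models the per-record IV that TLS 1.1 and later add in front of the ciphertext, so the same function also covers a later stack.

```python
"""Size model for TLS CBC records and SSL_write() fragmentation.

Added example for this page, not OpenSSL code. Assumptions (not from the
original thread): TLS 1.0 CBC framing, SHA-1 MAC (20 bytes), AES block of
16 bytes, 5-byte record header, 2^14 byte plaintext limit per record.
"""

RECORD_HEADER = 5          # content type (1) + version (2) + length (2)
MAX_PLAINTEXT = 1 << 14    # 16384: the largest plaintext one record may carry
MSS_ETHERNET = 1500 - 40   # assumed IPv4 + TCP headers without options


def cbc_record_size(plaintext_len, mac_len=20, block=16, explicit_iv=0):
    """Bytes on the wire for one record carrying plaintext_len bytes.

    TLS CBC encrypts plaintext || MAC || padding || padding_length, padded
    up to a multiple of the cipher block size. TLS 1.1+ additionally sends
    an explicit IV (explicit_iv=16 for AES) before the ciphertext.
    """
    if not 0 <= plaintext_len <= MAX_PLAINTEXT:
        raise ValueError("plaintext does not fit in a single record")
    body = plaintext_len + mac_len + 1             # +1 for the padding_length byte
    padded = -(-body // block) * block             # round up to a block multiple
    return RECORD_HEADER + explicit_iv + padded


def fragment(write_len):
    """Plaintext sizes of the records a single SSL_write(write_len) produces.

    This is the splitting Bodo describes: full 2^14-byte records, then one
    trailing record with whatever is left (none if write_len is a multiple).
    """
    full, rest = divmod(write_len, MAX_PLAINTEXT)
    return [MAX_PLAINTEXT] * full + ([rest] if rest else [])


def wire_bytes(write_len, **cipher):
    """Total bytes sent for one SSL_write() of write_len bytes."""
    return sum(cbc_record_size(n, **cipher) for n in fragment(write_len))


def overhead(write_len, **cipher):
    """Bytes added by TLS framing, MAC and padding for one SSL_write()."""
    return wire_bytes(write_len, **cipher) - write_len


def largest_fit(budget, **cipher):
    """Largest plaintext length whose single record fits in `budget` bytes.

    Use budget = k * MSS to find the 'magic number' for k TCP segments.
    Returns None when even an empty record does not fit.
    """
    best = None
    for n in range(MAX_PLAINTEXT + 1):            # record size grows with n
        if cbc_record_size(n, **cipher) <= budget:
            best = n
        else:
            break
    return best


if __name__ == "__main__":
    # A one-byte write under AES256-SHA: 1 + 20 MAC + 1 pad length = 22,
    # padded to 32, plus the 5-byte header. This is the ~37 bytes Darryl saw.
    print("1 byte write ->", wire_bytes(1), "bytes on the wire")
    # Overhead is best amortised by full-size records, as Bodo says.
    for n in (1, 1419, 1460, 5952, MAX_PLAINTEXT, 40000):
        print(f"write {n:6d}: records={fragment(n)} wire={wire_bytes(n)} "
              f"overhead={overhead(n)}")
    # Magic numbers for one and two full-size Ethernet segments.
    for k in (1, 2, 3, 4):
        n = largest_fit(k * MSS_ETHERNET)
        print(f"{k} segment(s): write {n} bytes -> {cbc_record_size(n)} on wire")
```

Running the search shows why no SSL_write() size lands exactly on a 1500-byte multiple with this cipher suite: the 5-byte header plus a 16-byte block multiple can never equal 1460, so the best single-segment record is 1419 plaintext bytes (1445 on the wire, 15 bytes short of the MSS). Per-record overhead ranges from 36 bytes for a 1-byte write down to about 0.2% of a full 16384-byte record, which is the reason the reply recommends maximum-length records unless the application has a hard latency requirement.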
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]