On 27 Sep 2006, at 22:28, David Schwartz wrote:
Other side would return an error message:
ORA-31154: invalid XML document
ORA-19202: Error occurred in XML processing
LSX-00213: only 0 occurrences of particle "greeting",
minimum is 1
It is totally confused, that is: i, as a client would never send
greeting. One thing
possible is that it got only part of the document. Second thing is
two login attempts,
which is an error.
How is the client supposed to know where the document ends?
EPP PDU starts with four bytes telling the length of the document
this after one call of SSL_write. As you see, SSL is transmitting two
separate application data packets.
Who cares whether it sends one or a thousand? It's none of the
application's
business how SSL sends the data so long as it all gets to the other
end in
the right order.
If EPP server get two login attempts during very short period, it can
reject the
request. Thousand login attempts would definitely be a denial of service
attack, by everybody's count.
The problem is having two application data packets, when i call
SSL_write only once.
Why do you care how many application data packets SSL uses to send
the data
from one end to the other? That's a protocol detail the application
should
not care about.
Most of protocols do care about DoS. And, say, doing a database
update unknown number
of times is not good idea either.
And yes, i want
to decrypt these two packets, to see what they contain. Even if they
both are valid packets, this would
be an error, as i said.
How would that be an error?
As I said before, the relevant rfc has quite strong wording about DoS
attacks.
EPP would be used, for instance, provisioning ENUM DNS records, which
explains the sensitivity.
As for 0x00, this one is the cwise end-of-the-
string. Some application have separate
function call for handling date containing it..
Why do you care what bytes are in the encrypted data? You're not
handling
that data, OpenSSL is.
You see to be very confused about how layering works in an SSL
application
and what interface SSL provides to the application. SSL, like TCP,
is a
byte-stream protocol that does not preserve message boundaries.
This was just because some applications have different ways to handle
octet
sequence containing 0x00, which is c's end-of-the-string.
I use SSL_write to send exactly one packet to the SSL socket, so
expectation of
of one ssl application layer packet is reasonable.
Aarno
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
