No matter what you do, the "maximum fragment length" -- the MTU -- is going to break all of your communications down into smaller packets.

TLS, in its basic form, is designed to be as close as possible to a replacement for read() and write() -- you read from the connection, you write to the connection. It doesn't matter if there are multiple 'TLS records' in between -- that's all handled by the protocol, and each record adds a relatively minuscule overhead to the stream.

Due to how the protocol works (please see RFC 4346 for TLS 1.1 and RFC 2426 for TLS 1.0), the specification says 2^14 is the maximum size of a fragment, which is 16KB. (Note that this 16KB must also include the HMAC.) It can be reduced by the extension introduced in RFC 3546 (maximum fragment length notification), but it can never be raised.

The application writes data to the TLS layer, the TLS layer encodes it in a standard way such that the other end can decode it, and the other end presents the data to its application layer without regard for how the TLS protocol broke it out.

Basically: Build your application without regard for the size of the data you need to send. The TLS layer's contract is that it will, in the ideal case of no active attack, get the data you send to the remote side in a way that the remote side can handle. (If you were contracting UPS to deliver a package, you wouldn't tell them how to do their job... why are you trying to tell TLS, which is what you're contracting with, how to do its job?)

-Kyle H

On Thu, May 14, 2009 at 2:52 PM, Animesh Chowdhury <animesh.chowdh...@gmail.com> wrote:
> Hi,
> I've run into a problem where the data that I need to send to the client is
> more than 16KB. How do I set up the session so that I can do the maximum
> fragment length negotiation?
> Any example code related to this will be extremely helpful.
> I'm using openssl 0.9.8j.
> Also if someone can tell me since which release openssl supports this TLS
> extension that'll be great.
> Much appreciated.
> Thanks.
> Animesh

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org