On Monday, December 07, 2015 04:00:54 pm Software Engineer 979 wrote:
> Hello,
> 
> I'm currently developing a data transfer application using OpenSSL. The
> application is required to securely transfer large amounts of data over a
> low latency/high bandwidth network. The data being transferred lives in a
> 3rd party application that uses 1 MB buffer to transfer data to my
> application. When I hook OpenSSL into my application I notice an
> appreciable decline in network throughput. I've traced the issue to the
> default TLS record size of 16K. The smaller record size causes the 3rd
> party application's buffer to be segmented into 4 16K buffers per write and
> the resulting overhead considerably slows things down. I've since modified
> the version of OpenSSL that I'm using to support an arbitrary TLS record
> size allowing OpenSSL to scale up to 1MB or larger TLS record size. Since
> this change, my network throughput has dramatically increased (187%
> degradation down to 33%).
> 
> I subsequently checked the TLS RFC to determine why a 16K record size was
> being used, and all I could find was the following:
> 
> length
>       The length (in bytes) of the following TLSCompressed.fragment.
> 
>       The length MUST NOT exceed 2^14 + 1024.
> 
> The language here is pretty explicit stating that the length must not
> exceed 16K (+ some change). Does anyone know the reason for this? Is there a
> cryptographic reason why we shouldn't exceed this message size? Based on my
> limited experiment, it would appear that a larger record size would benefit
> low latency/high bandwidth networks.

Well, the length field is 16-bit, so 2^16 is the hard upper limit for record 
format compatibility. (I don't personally know why it's less than that here, 
offhand.) A TLS extension to negotiate max length might be viable. The handshake 
would have to keep to the old limits for backwards compatibility, but after 
that records could use a larger field (or add a multiplier to use 16-bit to 
cover larger sizes with padding as-needed).


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
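As an added illustration (not code from either message or from OpenSSL), here is a minimal Python model of the record-layer framing the thread discusses: a sender splits a buffer into records behind 5-byte headers, and a receiver checks the 16-bit length against the RFC 5246 limit before reading the body, which is what makes a 1 MB record from a modified sender fail against an unmodified peer. The 1 MB sample buffer and the `framing_overhead` helper are constructed for this example; the limit constants are the ones quoted above plus the TLSCiphertext limit from the same RFC.

```python
import struct

# RFC 5246 record-layer limits (the TLSCompressed value is the one quoted in the
# original post; the 16-bit length field is the hard cap Dave refers to).
MAX_PLAINTEXT_FRAGMENT = 2**14           # TLSPlaintext.fragment
MAX_COMPRESSED_FRAGMENT = 2**14 + 1024   # TLSCompressed.fragment
MAX_CIPHERTEXT_FRAGMENT = 2**14 + 2048   # TLSCiphertext.fragment, what a receiver checks
WIRE_LENGTH_LIMIT = 2**16 - 1            # largest value the 16-bit length field can carry
HEADER_LEN = 5                           # type(1) + version(2) + length(2)
APPLICATION_DATA = 23                    # ContentType.application_data
TLS12 = (3, 3)                           # ProtocolVersion for TLS 1.2

def fragment(data: bytes, max_fragment: int = MAX_PLAINTEXT_FRAGMENT) -> list:
    """Split application data into records (header + fragment). Encryption and
    MAC are omitted; only the framing and the length field are modelled."""
    if max_fragment > WIRE_LENGTH_LIMIT:
        raise ValueError("length field is 16 bits; a fragment cannot exceed 65535 bytes")
    records = []
    for off in range(0, len(data), max_fragment):
        chunk = data[off:off + max_fragment]
        header = struct.pack("!BBBH", APPLICATION_DATA, TLS12[0], TLS12[1], len(chunk))
        records.append(header + chunk)
    return records

def parse_records(stream: bytes, limit: int = MAX_CIPHERTEXT_FRAGMENT) -> list:
    """Parse records like a conforming receiver: the length is validated from the
    header before the body is consumed, so buffer allocation is bounded by `limit`
    and an overlong record is rejected (the RFC's record_overflow alert)."""
    out, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[pos:pos + HEADER_LEN])
        if length > limit:
            raise ValueError(f"record_overflow: length {length} exceeds limit {limit}")
        body = stream[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        out.append((ctype, body))
        pos += HEADER_LEN + length
    return out

def framing_overhead(data_len: int, max_fragment: int) -> tuple:
    """Records and header bytes needed to carry data_len bytes (constructed helper)."""
    n = -(-data_len // max_fragment)   # ceiling division
    return n, n * HEADER_LEN
```

With the default limit, the poster's 1 MB write becomes 64 records; raising `max_fragment` on the sender alone simply makes the receiver reject the first record, so any larger-record scheme has to be negotiated by both ends, as Dave suggests.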
