[openssl-users] configuring OpenSSL to split handshake messages

Eugène Adell eugene.adell at gmail.com
Thu Nov 15 21:51:56 UTC 2018


Thanks for all of your answers.

I tried Matt's quick hack, and I confirm it's quick and efficient. I
compiled and ran an Apache server locally (but I'll make more tests), and I
see what I wanted to see, with the server handshake records being sent one
by one.
Here is the capture info:

No.  Time      Source     Destination  Window size value  Protocol  Length  Server Name  Info
4    0.243570  127.0.0.1  127.0.0.1    43690              TCP       74                   46706 → 7989 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1203506813 TSecr=0 WS=128
5    0.243722  127.0.0.1  127.0.0.1    43690              TCP       74                   7989 → 46706 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1203506813 TSecr=1203506813 WS=128
6    0.243877  127.0.0.1  127.0.0.1    342                TCP       66                   46706 → 7989 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=1203506814 TSecr=1203506813
7    0.455007  127.0.0.1  127.0.0.1    342                TLSv1.2   239     localhost    Client Hello
8    0.455119  127.0.0.1  127.0.0.1    350                TCP       66                   7989 → 46706 [ACK] Seq=1 Ack=174 Win=44800 Len=0 TSval=1203507025 TSecr=1203507025
9    0.457130  127.0.0.1  127.0.0.1    350                TLSv1.2   160                  Server Hello
10   0.457156  127.0.0.1  127.0.0.1    342                TCP       66                   46706 → 7989 [ACK] Seq=174 Ack=95 Win=43776 Len=0 TSval=1203507027 TSecr=1203507027
11   0.457384  127.0.0.1  127.0.0.1    350                TLSv1.2   905                  Certificate
12   0.457413  127.0.0.1  127.0.0.1    355                TCP       66                   46706 → 7989 [ACK] Seq=174 Ack=934 Win=45440 Len=0 TSval=1203507027 TSecr=1203507027
13   0.464522  127.0.0.1  127.0.0.1    350                TLSv1.2   404                  Server Key Exchange
14   0.464551  127.0.0.1  127.0.0.1    368                TCP       66                   46706 → 7989 [ACK] Seq=174 Ack=1272 Win=47104 Len=0 TSval=1203507034 TSecr=1203507034
15   0.464682  127.0.0.1  127.0.0.1    350                TLSv1.2   75                   Server Hello Done
16   0.464706  127.0.0.1  127.0.0.1    368                TCP       66                   46706 → 7989 [ACK] Seq=174 Ack=1281 Win=47104 Len=0 TSval=1203507035 TSecr=1203507034
17   0.472451  127.0.0.1  127.0.0.1    368                TLSv1.2   192                  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
18   0.474058  127.0.0.1  127.0.0.1    350                TLSv1.2   72                   Change Cipher Spec
19   0.474291  127.0.0.1  127.0.0.1    350                TLSv1.2   111                  Encrypted Handshake Message
20   0.474425  127.0.0.1  127.0.0.1    368                TCP       66                   46706 → 7989 [ACK] Seq=300 Ack=1332 Win=47104 Len=0 TSval=1203507044 TSecr=1203507044
21   0.475191  127.0.0.1  127.0.0.1    368                TLSv1.2   173                  Application Data
22   0.476450  127.0.0.1  127.0.0.1    350                TLSv1.2   379                  Application Data
23   0.477625  127.0.0.1  127.0.0.1    381                TLSv1.2   97                   Encrypted Alert
24   0.477949  127.0.0.1  127.0.0.1    381                TCP       66                   46706 → 7989 [FIN, ACK] Seq=438 Ack=1645 Win=48768 Len=0 TSval=1203507048 TSecr=1203507046
25   0.478294  127.0.0.1  127.0.0.1    350                TLSv1.2   97                   Encrypted Alert
26   0.478356  127.0.0.1  127.0.0.1    0                  TCP       54                   46706 → 7989 [RST] Seq=439 Win=0 Len=0

Eugene.

On Thu, 15 Nov 2018 at 21:12, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> > On Nov 15, 2018, at 5:53 AM, Eugène Adell <eugene.adell at gmail.com> wrote:
> >
> > I am looking for a way to configure OpenSSL so that it will send handshake
> > records one by one, each in its own TCP packet, instead of sending one
> > big message containing several records. Typically, in my network captures
> > I see the server sending one message containing Server Hello + Certificate
> > + Server Hello Done records, and I would like to know how to send 3
> > messages, each one containing only one record. I checked OpenSSL options
> > and the user mailing-list archives without finding the answer, and I am
> > not sure this is even possible (by configuration only).
>
> Not possible "by configuration only", but if you put a biopair between
> OpenSSL and the network, you can read TLS records from the output side
> of the biopair (by reading the record header, and then reading the
> corresponding number of payload bytes), and then attempt to transmit
> each record separately by performing a separate write to the TCP
> socket (with Nagle delays disabled).
>
> Of course you'll then also need to read from the network socket and
> write the data to the input side of the biopair.  There are examples
> of biopair use you can find.
>
> --
>         Viktor.
>
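Viktor's biopair approach above leaves one step described only in words: read the 5-byte record header, read that many payload bytes, and hand each record to its own socket write. The C below is an added example (not code from this thread or from OpenSSL) that implements just that framing step with no OpenSSL dependency; the socket write is stood in for by a callback, and the record sizes it constructs (94, 839, 338 and 9 bytes) are the Server Hello, Certificate, Server Key Exchange and Server Hello Done sizes implied by the ACK numbers in the capture above.

```c
#include <stddef.h>
#include <string.h>

#define TLS_HDR_LEN 5                   /* type (1) + version (2) + length (2) */
#define TLS_MAX_PAYLOAD (16384 + 2048)  /* RFC 5246 plaintext limit plus expansion */

/* Size of the complete record at the start of buf: 0 if more bytes are needed,
 * -1 if the header is not plausible TLS (unknown content type or oversized). */
static long tls_record_size(const unsigned char *buf, size_t len)
{
    if (len < TLS_HDR_LEN) return 0;
    if (buf[0] < 20 || buf[0] > 23) return -1;   /* CCS, Alert, Handshake, AppData */
    size_t payload = ((size_t)buf[3] << 8) | buf[4];
    if (payload > TLS_MAX_PAYLOAD) return -1;
    return len < TLS_HDR_LEN + payload ? 0 : (long)(TLS_HDR_LEN + payload);
}

/* Called once per complete record; in the real loop this is where each record
 * gets its own send() on a socket with TCP_NODELAY set. */
typedef void (*record_sink)(const unsigned char *rec, size_t len, void *ctx);

/* Walks buf (what BIO_read() returned from the network side of the BIO pair),
 * hands each complete record to sink and reports the bytes used so a partial
 * tail can be kept for the next read. Returns the record count, -1 if malformed. */
static int tls_split_records(const unsigned char *buf, size_t len,
                             record_sink sink, void *ctx, size_t *consumed)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        long r = tls_record_size(buf + off, len - off);
        if (r < 0) { *consumed = off; return -1; }
        if (r == 0) break;                       /* partial record: wait for more */
        if (sink) sink(buf + off, (size_t)r, ctx);
        off += (size_t)r;
        n++;
    }
    *consumed = off;
    return n;
}

/* Sink standing in for send(): records each record's size. */
struct rec_lens { size_t len[16]; int n; };
static void collect_lens(const unsigned char *rec, size_t n, void *ctx)
{ struct rec_lens *r = (struct rec_lens *)ctx; (void)rec; if (r->n < 16) r->len[r->n++] = n; }

/* Appends a constructed handshake record (type 0x16, TLS 1.2, zeroed body) of
 * the given payload size to buf; returns the new buffer length. */
static size_t put_record(unsigned char *buf, size_t len, size_t payload)
{
    unsigned char hdr[TLS_HDR_LEN] = { 0x16, 0x03, 0x03, (unsigned char)(payload >> 8), (unsigned char)payload };
    memcpy(buf + len, hdr, TLS_HDR_LEN);
    memset(buf + len + TLS_HDR_LEN, 0, payload);
    return len + TLS_HDR_LEN + payload;
}
```

A record cut off at the end of one BIO_read() is reported through `consumed` rather than emitted, which is the case that bites once the loop runs against a real socket.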