<div dir="ltr"><div dir="ltr"><div>Thanks for all of your answers.</div><div><br></div><div>I tried Matt's quick hack, and I confirm it's quick and efficient. I compiled and ran an Apache server locally (but I'll make more tests), and I see what I wanted to see, with the server handshake records being sent one by one.</div><div>Here is the capture info:</div><div><br></div><div>No. Time Source Destination Window size value Protocol Length Server Name Info<br>4 0.243570 127.0.0.1 127.0.0.1 43690 TCP 74 46706 → 7989 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1203506813 TSecr=0 WS=128<br>5 0.243722 127.0.0.1 127.0.0.1 43690 TCP 74 7989 → 46706 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=1203506813 TSecr=1203506813 WS=128<br>6 0.243877 127.0.0.1 127.0.0.1 342 TCP 66 46706 → 7989 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=1203506814 TSecr=1203506813<br>7 0.455007 127.0.0.1 127.0.0.1 342 TLSv1.2 239 localhost Client Hello<br>8 0.455119 127.0.0.1 127.0.0.1 350 TCP 66 7989 → 46706 [ACK] Seq=1 Ack=174 Win=44800 Len=0 TSval=1203507025 TSecr=1203507025<br>9 0.457130 127.0.0.1 127.0.0.1 350 TLSv1.2 160 Server Hello<br>10 0.457156 127.0.0.1 127.0.0.1 342 TCP 66 46706 → 7989 [ACK] Seq=174 Ack=95 Win=43776 Len=0 TSval=1203507027 TSecr=1203507027<br>11 0.457384 127.0.0.1 127.0.0.1 350 TLSv1.2 905 Certificate<br>12 0.457413 127.0.0.1 127.0.0.1 355 TCP 66 46706 → 7989 [ACK] Seq=174 Ack=934 Win=45440 Len=0 TSval=1203507027 TSecr=1203507027<br>13 0.464522 127.0.0.1 127.0.0.1 350 TLSv1.2 404 Server Key Exchange<br>14 0.464551 127.0.0.1 127.0.0.1 368 TCP 66 46706 → 7989 [ACK] Seq=174 Ack=1272 Win=47104 Len=0 TSval=1203507034 TSecr=1203507034<br>15 0.464682 127.0.0.1 127.0.0.1 350 TLSv1.2 75 Server Hello Done<br>16 0.464706 127.0.0.1 127.0.0.1 368 TCP 66 46706 → 7989 [ACK] Seq=174 Ack=1281 Win=47104 Len=0 TSval=1203507035 TSecr=1203507034<br>17 0.472451 127.0.0.1 127.0.0.1 368 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message<br>18 0.474058 127.0.0.1 127.0.0.1 350 TLSv1.2 72 Change Cipher Spec<br>19 0.474291 127.0.0.1 127.0.0.1 350 TLSv1.2 111 Encrypted Handshake Message<br>20 0.474425 127.0.0.1 127.0.0.1 368 TCP 66 46706 → 7989 [ACK] Seq=300 Ack=1332 Win=47104 Len=0 TSval=1203507044 TSecr=1203507044<br>21 0.475191 127.0.0.1 127.0.0.1 368 TLSv1.2 173 Application Data<br>22 0.476450 127.0.0.1 127.0.0.1 350 TLSv1.2 379 Application Data<br>23 0.477625 127.0.0.1 127.0.0.1 381 TLSv1.2 97 Encrypted Alert<br>24 0.477949 127.0.0.1 127.0.0.1 381 TCP 66 46706 → 7989 [FIN, ACK] Seq=438 Ack=1645 Win=48768 Len=0 TSval=1203507048 TSecr=1203507046<br>25 0.478294 127.0.0.1 127.0.0.1 350 TLSv1.2 97 Encrypted Alert<br>26 0.478356 127.0.0.1 127.0.0.1 0 TCP 54 46706 → 7989 [RST] Seq=439 Win=0 Len=0</div><div><br></div><div>Eugene.<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 15 Nov 2018 at 21:12, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org">openssl-users@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> On Nov 15, 2018, at 5:53 AM, Eugène Adell <<a href="mailto:eugene.adell@gmail.com" target="_blank">eugene.adell@gmail.com</a>> wrote:<br>
> <br>
> I am looking for a way to configure OpenSSL so that it will send handshake<br>
> records one by one in their respective TCP packet, instead of sending one<br>
> big message containing several records. Typically, in my network captures<br>
> I see the server sending one message containing Server Hello + Certificate<br>
> + Server Hello Done records, and I would like to know how to send 3<br>
> messages, each one containing only one record. I checked OpenSSL options<br>
> and the user mailing-list archives without finding the answer, and I am<br>
> not sure this is even possible (by configuration only).<br>
<br>
Not possible "by configuration only", but if you put a biopair between<br>
OpenSSL and the network, you can read TLS records from the output side<br>
of the biopair (by reading the record header, and then reading the<br>
corresponding number of payload bytes), and then attempt to transmit<br>
each record separately by performing a separate write to the TCP<br>
socket (with Nagle delays disabled).<br>
<br>
Of course you'll then also need to read from the network socket and<br>
write the data to the input side of the biopair. There are examples<br>
of biopair use you can find.<br>
<br>
-- <br>
Viktor.<br>
<br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote></div>
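As an added illustration of the biopair approach Viktor describes (example code written for this page, not code from the thread or from OpenSSL): the record-splitting half in C. It assumes the caller has already drained the network side of the BIO pair with BIO_read into a buffer, uses the 5-byte TLS record header to cut that buffer into whole records, keeps any trailing partial record for the next drain, and sends each record with its own write() on a TCP_NODELAY socket; the sample bytes are constructed dummies, not real handshake messages.

```c
#include <stddef.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

#define TLS_HDR 5                   /* type(1) version(2) length(2) */
#define TLS_MAX_BODY (16384 + 2048) /* largest record body RFC 5246 allows */

struct tls_record { const unsigned char *p; size_t len; };

/* Split bytes drained from the network side of the BIO pair into whole TLS
 * records. Returns the count (or -1 on an oversize header) and sets
 * *consumed so the caller keeps a trailing partial record for the next drain. */
int tls_split_records(const unsigned char *buf, size_t len,
                      struct tls_record *out, size_t max_out, size_t *consumed)
{
    size_t off = 0;
    int n = 0;
    while (off + TLS_HDR <= len && (size_t)n < max_out) {
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (body > TLS_MAX_BODY) return -1;
        if (off + TLS_HDR + body > len) break;   /* partial record: wait */
        out[n].p = buf + off;
        out[n].len = TLS_HDR + body;
        off += out[n].len;
        n++;
    }
    *consumed = off;
    return n;
}

/* One write() per record; with Nagle disabled each leaves as its own segment. */
int send_records_separately(int fd, const struct tls_record *r, int n)
{
    int one = 1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof one) < 0) return -1;
    for (int i = 0; i < n; i++)
        if (write(fd, r[i].p, r[i].len) != (ssize_t)r[i].len) return -1;
    return 0;
}

/* Constructed sample: three handshake records (type 0x16, version 3.3) with
 * dummy 4-, 2- and 1-byte bodies, then the first 3 bytes of a fourth. */
static const unsigned char sample[] = {
    0x16,0x03,0x03,0x00,0x04, 0x02,0x00,0x00,0x00,
    0x16,0x03,0x03,0x00,0x02, 0x0b,0x00,
    0x16,0x03,0x03,0x00,0x01, 0x0e,
    0x16,0x03,0x03 };
```

The other half of the loop, reading from the TCP socket and BIO_write-ing into the network side of the pair, is unchanged from the usual biopair examples.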