[openssl-users] TLS-Session

Konstantinos Schoinas ece8537 at upnet.gr
Mon Aug 20 10:34:38 UTC 2018


Hello,

I have deployed 3 VMs on my host (Linux) PC: 1 Ubuntu Desktop and 2
Ubuntu Servers.
I am using ovs-dpdk (openvswitch-dpdk) in order to create a bridge and
make the VMs speak to each other.

The test-case is this:

VM1: using openssl as a client to connect to an apache2 server hosted
in VM3

VM2: DPDK application working as an L2 switch that does DPI (deep packet
inspection) on the packet and checks if there is a server name indication
with a specific forbidden SNI. If yes, it blocks the TLS session by
replying with a TLS fatal(2) alert packet with description
unrecognized_name (112). According to the RFC this shall block the TLS
session.

VM3: just an apache2 server

When I test this I am connecting from VM1 with this command:

openssl s_client -connect www.example.com:443 -servername www.example.com

(where "www.example.com" is the forbidden name of the DPDK
application).

So my DPDK application is responding with the correct TLS alert and it
actually blocks the TLS session. I have seen the correct packet in
Wireshark as well. I am also putting a picture with this mail in order to
see the process.

The problem is that VM1 using openssl takes 2 to 3 seconds to end the
TLS session. Also, I am getting some retransmits of the ClientHello in
Wireshark.

So my question is if anyone can confirm that this is a problem of
openssl or, if not, maybe something else.
In addition, does anyone know how much time a TLS session takes to
actually end?

I wanna know if that 2-3 seconds delay is normal or not from openssl's
perspective, or whether there is some problem with my DPDK application.


Thanks for your time,

Konstantinos Schoinas
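
The check VM2 is described as performing, as an added example that is not the poster's DPDK application: a bounds-checked C routine that extracts the SNI host name from a ClientHello record and, on a match, selects the 7-byte fatal unrecognized_name (112) alert record. It assumes the whole ClientHello arrives as one TLS record in one TCP segment; `sni_matches`, `verdict` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* TLS record: alert(21), version 3.3, length 2, fatal(2), unrecognized_name(112) */
static const uint8_t ALERT_UNRECOGNIZED_NAME[7] = {21, 3, 3, 0, 2, 2, 112};
/* Constructed sample: minimal ClientHello with SNI www.example.com (76 bytes) */
static const uint8_t SAMPLE_HELLO[] =
    "\x16\x03\x01\x00\x47" "\x01\x00\x00\x43" "\x03\x03"
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0"
    "\x00" "\x00\x02\x00\x2f" "\x01\x00" "\x00\x18"
    "\x00\x00\x00\x14\x00\x12\x00\x00\x0f" "www.example.com";

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* 1 if buf holds a complete ClientHello record whose SNI equals name, else 0 */
int sni_matches(const uint8_t *buf, size_t len, const char *name)
{
    size_t p = 43, end, n;   /* 5 record hdr + 4 handshake hdr + 2 version + 32 random */
    if (len < 9 || buf[0] != 22 || buf[5] != 1) return 0;
    end = 5 + rd16(buf + 3);
    if (end > len || p + 1 > end) return 0;  /* truncated or split hello: no match */
    p += 1 + buf[p];                         /* skip session_id */
    if (p + 2 > end) return 0;
    p += 2 + rd16(buf + p);                  /* skip cipher_suites */
    if (p + 1 > end) return 0;
    p += 1 + buf[p];                         /* skip compression_methods */
    if (p + 2 > end) return 0;
    n = rd16(buf + p); p += 2;               /* extensions length */
    if (p + n > end) return 0;
    for (end = p + n; p + 4 <= end; p += n) {
        size_t type = rd16(buf + p);
        n = rd16(buf + p + 2); p += 4;       /* n = this extension's length */
        if (p + n > end) return 0;
        if (type != 0) continue;             /* not server_name */
        /* body: list_len(2) name_type(1) name_len(2) host_name */
        if (n < 5 || buf[p + 2] != 0 || 5 + rd16(buf + p + 3) > n) return 0;
        n = rd16(buf + p + 3);
        return n == strlen(name) && strncasecmp((const char *)buf + p + 5, name, n) == 0;
    }
    return 0;
}

/* Alert bytes to send when the hello names a blocked host, NULL to forward it */
const uint8_t *verdict(const uint8_t *buf, size_t len, const char *blocked)
{
    return sni_matches(buf, len, blocked) ? ALERT_UNRECOGNIZED_NAME : NULL;
}
```

The routine yields only the TLS record payload; building the TCP segment that carries it is outside what this example covers.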

