[openssl-users] configuring OpenSSL to split handshake messages

Matt Caswell matt at openssl.org
Thu Nov 15 11:33:20 UTC 2018



On 15/11/2018 11:17, Eugène Adell wrote:
> This is mainly for experimental reasons (client compliance checking, performance
> measurement). As the SSL/TLS protocol allows it, why not test it?
> If there is no other solution than modifying the source code, where should I look?

That involves messing with the TLS state machine. Not something to be done
lightly. It also depends on what version of OpenSSL you are using. Assuming
1.1.0 or 1.1.1 then you would need to modify ossl_statem_server_post_work() to
call statem_flush(s) for all messages that you want to immediately flush:

https://github.com/openssl/openssl/blob/ac48fba036e1764dfa98ed0f0aa932491aa1c4ef/ssl/statem/statem_srvr.c#L787-L979

Possibly something like this might be sufficient as a quick hack...totally
untested and without warranty of any kind:

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index e7c11c4bea..c0e613ad47 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -790,6 +790,9 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)

     s->init_num = 0;

+    if (statem_flush(s) != 1)
+        return WORK_MORE_A;
+
     switch (st->hand_state) {
     default:
         /* No post work to be done */
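Review bot: the flush is placed unconditionally before `switch (st->hand_state)`, so it fires after every message the server post-work handles, not only the ones you want sent immediately, and any case in the switch that already flushes will now flush a second time (harmless, but redundant). If the aim is per-message control, the `statem_flush(s)` call belongs in the specific `case` branches for the messages to be pushed out on their own. Returning WORK_MORE_A on a short flush makes the state machine re-enter this function, and because `s->init_num = 0;` already ran before the check, the retry repeats nothing harmful.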

Matt
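A way to verify what a server actually puts on the wire, added here as an example and not code from this thread or from OpenSSL: a parser over a captured TLS byte stream that reports, per record, which handshake messages it carries, whether they are coalesced into one record, sent one per record, or fragmented across records. The sample flights are constructed dummy bytes (not real ServerHello or Certificate payloads), and TCP segmentation is not visible at this layer, so a record-per-packet check still needs the capture's segment boundaries.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake (RFC 5246)
HANDSHAKE_NAMES = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def iter_records(data):
    """Yield (content_type, body) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        pos += 5 + length

def handshake_layout(data):
    """One entry per record: (content_type, names of the handshake messages that
    complete in that record). A message fragmented over several records is
    attributed to the record that finishes it."""
    layout, pending = [], b""
    for ctype, body in iter_records(data):
        msgs = []
        if ctype == HANDSHAKE:
            pending += body
            while len(pending) >= 4:  # 1-byte type + 3-byte length header
                htype = pending[0]
                hlen = int.from_bytes(pending[1:4], "big")
                if len(pending) < 4 + hlen:
                    break  # rest of this message arrives in a later record
                msgs.append(HANDSHAKE_NAMES.get(htype, "type%d" % htype))
                pending = pending[4 + hlen:]
        layout.append((ctype, msgs))
    if pending:
        raise ValueError("stream ends in the middle of a handshake message")
    return layout

# Constructed sample flight: bodies are dummy bytes, not real TLS payloads.
def hs_msg(htype, payload):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

def record(body):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

MSGS = [hs_msg(2, b"\x03\x03" + b"\x00" * 34), hs_msg(11, b"\x00" * 16), hs_msg(14, b"")]
COALESCED = record(b"".join(MSGS))         # one record carrying all three messages
SPLIT = b"".join(record(m) for m in MSGS)  # three records, one message each
```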


> 
> On Thu, 15 Nov 2018 at 12:12, Matt Caswell <matt at openssl.org> wrote:
> 
>     On 15/11/2018 10:53, Eugène Adell wrote:
>     > Hello,
>     >
>     > I am looking for a way to configure OpenSSL so that it will send handshake
>     > records one by one in their respective TCP packet, instead of sending one big
>     > message containing several records. Typically, in my network captures I see the
>     > server sending one message containing Server Hello + Certificate + Server Hello
>     > Done records, and I would like to know how to send 3 messages, each one
>     > containing only one record. I checked OpenSSL options and the user mailing-list
>     > archives without finding the answer, and I am not sure this is even possible
>     > (by configuration only).
> 
>     I'm intrigued to know why you would want to do that. Anyway, I don't believe
>     this is currently possible without modifying the OpenSSL source code.
> 
>     Matt
> 
>     -- 
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

