
Re: Empty TLS application records being injected in Tor streams



On Wednesday 12 November 2008 02:25:51 Steven J. Murdoch wrote:
>
> Does anyone have ideas on how to remove the redundant TLS application
> records, or otherwise improve the efficiency?
>
> Steven.

http://marc.info/?l=openssl-users&m=115654275717293&w=2

has the answer.

"Sending empty SSL record (I mean record with only MAC) before SSL record
with real application data guards against some timing CBC attacks
and is enabled in OpenSSL by default.
To disable this set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS with
SSL_CTX_set_options()."

This corresponds exactly with what you're seeing - the empty record always 
precedes the populated application record.

Attachment: signature.asc
Description: This is a digitally signed message part.
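
Added example, not part of the original message and not OpenSSL or Tor code: a small C scanner that walks captured TLS record headers, flags application-data records whose length equals MAC plus padding alone, and reports how many directly precede a larger record and how many wire bytes they cost. The names (`frag_stats`, `cbc_len`, `scan_records`, `demo`) are hypothetical, and the sample assumes a TLS 1.0 CBC suite with a 20-byte MAC and 16-byte block carrying 512-byte writes.

```c
#include <stdint.h>
#include <string.h>

enum { HDR = 5, APP_DATA = 23 };  /* record header size; content type 23 */
/* minimal-size records, how many preceded a larger record, wire bytes they cost */
struct frag_stats { size_t minimal, paired, overhead; };
/* TLS 1.0 CBC record body: data + MAC + padding-length byte, padded to a block. */
static size_t cbc_len(size_t data, size_t mac, size_t block)
{
    return (data + mac + 1 + block - 1) / block * block;
}

/* Walk back-to-back records; -1 if the buffer ends inside one. Size is only a
 * heuristic: a record with a few bytes of data pads to the same length. */
static int scan_records(const uint8_t *b, size_t len, size_t mac, size_t block,
                        struct frag_stats *st)
{
    size_t min_len = cbc_len(0, mac, block), off = 0, rlen = 0, prev_min = 0;
    memset(st, 0, sizeof *st);
    for (; off < len; off += HDR + rlen) {
        if (len - off < HDR) return -1;
        rlen = ((size_t)b[off + 3] << 8) | b[off + 4];
        if (len - off - HDR < rlen) return -1;
        if (b[off] == APP_DATA && rlen == min_len) {
            st->minimal++;
            st->overhead += HDR + rlen;
            prev_min = 1;
        } else {
            st->paired += (b[off] == APP_DATA) ? prev_min : 0;
            prev_min = 0;
        }
    }
    return 0;
}

/* Constructed sample: three 512-byte writes under a 20-byte MAC and 16-byte
 * block, each sent as an empty record followed by the populated one. */
static int demo(struct frag_stats *st)
{
    static uint8_t buf[2048];  /* zero-filled bodies; only headers are set */
    size_t off = 0, lens[2] = { cbc_len(0, 20, 16), cbc_len(512, 20, 16) };
    for (int i = 0; i < 6; i++) {
        size_t l = lens[i % 2];
        buf[off] = APP_DATA; buf[off + 1] = 3; buf[off + 2] = 1;
        buf[off + 3] = (uint8_t)(l >> 8); buf[off + 4] = (uint8_t)l;
        off += HDR + l;
    }
    return scan_records(buf, off, 20, 16, st);
}
```

Under these assumptions each empty record costs 37 bytes on the wire (5-byte header plus 32 bytes of MAC and padding) ahead of every 549-byte populated record.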