[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Empty TLS application records being injected in Tor streams

To: or-dev@xxxxxxxxxxxxx
Subject: Re: Empty TLS application records being injected in Tor streams
From: Robert Hogan <robert@xxxxxxxxxxxxxxx>
Date: Thu, 20 Nov 2008 19:54:34 +0000
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Thu, 20 Nov 2008 14:54:56 -0500
In-reply-to: <20081112022550.GA5832@xxxxxxxxxxxxxxxxx>
References: <20081112022550.GA5832@xxxxxxxxxxxxxxxxx>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx
User-agent: KMail/1.9.10

On Wednesday 12 November 2008 02:25:51 Steven J. Murdoch wrote:
>
> Does anyone have ideas on how to remove the redundant TLS application
> records, or otherwise improve the efficiency?
>
> Steven.

http://marc.info/?l=openssl-users&m=115654275717293&w=2

has the answer.

"Sending empty SSL record (I mean record with only MAC) before SSL record
with real application data guards against some timing CBC attacks
and is enabled in OpenSSL by default.
To disable this set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS with
SSL_CTX_set_options()."

This corresponds exactly with what you're seeing - the empty record always 
precedes the populated application record.

Attachment: signature.asc
Description: This is a digitally signed message part.

References:
- Empty TLS application records being injected in Tor streams
  - From: Steven J. Murdoch

Prev by Author: Re: determining which are the ORs a Tor circuit is using
Next by Author: Re: draft proposal: download server descriptors on demand
Previous by thread: Empty TLS application records being injected in Tor streams
Next by thread: [Announce] Introducing Tor VM – Tor in a virtual machine.
Index(es):
- Author
- Thread