Empty TLS application records being injected in Tor streams

Robert Hogan robert at roberthogan.net
Thu Nov 20 19:54:34 UTC 2008


On Wednesday 12 November 2008 02:25:51 Steven J. Murdoch wrote:
>
> Does anyone have ideas on how to remove the redundant TLS application
> records, or otherwise improve the efficiency?
>
> Steven.

http://marc.info/?l=openssl-users&m=115654275717293&w=2

has the answer.

"Sending empty SSL record (I mean record with only MAC) before SSL record
with real application data guards against some timing CBC attacks
and is enabled in OpenSSL by default.
To disable this set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS with
SSL_CTX_set_options()."

This corresponds exactly with what you're seeing - the empty record always 
precedes the populated application record.
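
The pattern described above (an empty application record always preceding the populated one) can be counted from TLS record headers alone. The following C is an added example, not code from this thread, Tor or OpenSSL; it assumes TLS 1.0 CBC cipher suites with minimal padding, and the function names and the sample stream are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Ciphertext length of a CBC record with no payload: MAC plus minimal
 * padding. Assumption: TLS 1.0 (no explicit IV), minimal padding. */
static size_t empty_record_len(size_t mac_len, size_t block_len)
{
    return ((mac_len + 1 + block_len - 1) / block_len) * block_len;
}

/* Count application-data records (type 23) of the MAC-only size that are
 * directly followed by a larger one. Returns -1 on a truncated record. */
static int count_empty_fragment_pairs(const uint8_t *buf, size_t len,
                                      size_t mac_len, size_t block_len)
{
    size_t empty = empty_record_len(mac_len, block_len), off = 0;
    int pairs = 0, prev_was_empty = 0;
    while (off < len) {
        if (len - off < 5)
            return -1;                   /* incomplete 5-byte header */
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (rec_len > len - off - 5)
            return -1;                   /* body runs past the buffer */
        int is_app = (buf[off] == 23);
        if (prev_was_empty && is_app && rec_len > empty)
            pairs++;
        prev_was_empty = (is_app && rec_len == empty);
        off += 5 + rec_len;
    }
    return pairs;
}

/* Constructed stream (not a capture): two empty+data pairs, AES-CBC/SHA-1. */
static int sample_pairs(void)
{
    static const uint16_t lens[] = { 32, 544, 32, 544 };
    uint8_t buf[2048] = { 0 };           /* record bodies stay zeroed */
    size_t n = 0;
    for (size_t i = 0; i < 4; i++) {
        uint8_t *h = buf + n;
        h[0] = 23; h[1] = 3; h[2] = 1;   /* application data, TLS 1.0 */
        h[3] = (uint8_t)(lens[i] >> 8); h[4] = (uint8_t)lens[i];
        n += 5 + lens[i];
    }
    return count_empty_fragment_pairs(buf, n, 20, 16);
}

int main(void) { printf("%d\n", sample_pairs()); return 0; }
```

Each counted pair costs one extra 5-byte header plus a MAC-and-padding body (32 bytes under the assumptions above) on the wire.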