On Tue, Aug 15, 2017 at 2:17 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dwmw2 at infradead.org>
>> So from wire packet MTU, subtract headers and MAC and IV, round *down*
>> to a multiple of blocksize, subtract one byte for the *minimal*
>> padding, and that's the largest payload you can carry.
>
> Aha, thanks, I'll look at dtls_get_data_mtu() and try to get this exactly right.

I've got a patch to do exactly what you described for the ESP-based MTU.

As long as I'm on this, however, many GP users are unable to use ESP
(firewalls, misconfiguration, etc.). So when ESP is not in use, I think
I should set the MTU using the TCP MSS? But then I'd have to account for
the *TLS* overhead.

Does GnuTLS have a library function to compute the maximum-size TLS
application record that can fit in a single TCP segment? I couldn't find
anything.

Dan
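The arithmetic quoted above (wire MTU, minus headers, IV and MAC, rounded down to the cipher block size, minus the mandatory padding overhead) as an added C example. This is illustrative code written for this page, not OpenConnect's dtls_get_data_mtu() nor the ESP patch mentioned in the message; it covers both the ESP case the patch addresses and the TLS-over-TCP case raised in the question. All header, IV, MAC and block sizes are assumptions for particular suites (IPv4+UDP outer headers with no options, AES-128-CBC with HMAC-SHA1-96 for ESP, AES-128-CBC-SHA and AES-128-GCM for TLS 1.2) and must be checked against what was actually negotiated. One caveat the example carries that the quoted summary glosses over: TLS and DTLS CBC suites are MAC-then-encrypt, so the MAC sits inside the block-aligned region, whereas ESP's ICV sits outside it; the struct has a flag for that, and an AEAD suite is just block size 1 with no trailer.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration, not OpenConnect code. Per-packet overhead of one
 * encapsulation; every size here is an assumption for a given suite.
 */
struct crypto_overhead {
    size_t hdr;        /* ESP or TLS/DTLS record header, outside the ciphertext */
    size_t iv;         /* explicit IV / nonce, outside the ciphertext */
    size_t mac;        /* ICV or MAC length */
    size_t blocksize;  /* cipher block size; 1 for AEAD/stream (no padding) */
    size_t trailer;    /* bytes that must sit in the encrypted area besides the
                          payload and the padding itself: 2 for ESP (pad length +
                          next header), 1 for TLS/DTLS CBC (padding_length byte) */
    int mac_inside;    /* 1 if the MAC is encrypted too (TLS/DTLS CBC,
                          MAC-then-encrypt); 0 for ESP (encrypt-then-MAC) */
};

/* Largest payload that fits in `avail` bytes, where `avail` is the wire
 * MTU (or the TCP MSS) with the outer IP/UDP headers already removed. */
static size_t max_payload(size_t avail, const struct crypto_overhead *o)
{
    size_t outside = o->hdr + o->iv + (o->mac_inside ? 0 : o->mac);
    size_t inside  = o->trailer + (o->mac_inside ? o->mac : 0);

    if (o->blocksize == 0 || avail <= outside)
        return 0;
    avail -= outside;
    avail -= avail % o->blocksize;   /* round *down* to whole blocks */
    return avail > inside ? avail - inside : 0;
}

/* Bytes actually sent for a given payload: the inverse check, used to
 * confirm that max_payload() fits and max_payload() + 1 does not. */
static size_t wire_size(size_t outer_hdrs, size_t payload,
                        const struct crypto_overhead *o)
{
    size_t inside, rem;

    if (o->blocksize == 0)
        return 0;
    inside = payload + o->trailer + (o->mac_inside ? o->mac : 0);
    rem = inside % o->blocksize;
    if (rem)
        inside += o->blocksize - rem;          /* pad up to the next block */
    return outer_hdrs + o->hdr + o->iv + (o->mac_inside ? 0 : o->mac) + inside;
}

/* Assumed suites (sizes are assumptions, check the negotiated parameters). */
static const struct crypto_overhead esp_aes128_cbc_sha1_96 =
    { 8, 16, 12, 16, 2, 0 };   /* SPI+seq, AES IV, 96-bit ICV, 16-byte block */
static const struct crypto_overhead tls_aes128_cbc_sha1 =
    { 5, 16, 20, 16, 1, 1 };   /* TLS 1.2 record hdr, explicit IV, SHA-1 MAC */
static const struct crypto_overhead tls_aes128_gcm =
    { 5,  8, 16,  1, 0, 0 };   /* record hdr, explicit nonce, 16-byte tag */

#define IPV4_UDP_HDRS 28   /* 20-byte IPv4 + 8-byte UDP, no options (assumed) */

/* ESP-in-UDP over IPv4: the case the patch discussed above handles. */
size_t esp_payload_ipv4_udp(size_t wire_mtu)
{
    return wire_mtu > IPV4_UDP_HDRS
        ? max_payload(wire_mtu - IPV4_UDP_HDRS, &esp_aes128_cbc_sha1_96) : 0;
}

/* TLS over TCP: the MSS already excludes IP and TCP headers, so the whole
 * record (header included) must fit in `mss` bytes to stay in one segment. */
size_t tls_cbc_payload(size_t mss) { return max_payload(mss, &tls_aes128_cbc_sha1); }
size_t tls_gcm_payload(size_t mss) { return max_payload(mss, &tls_aes128_gcm); }

int main(void)
{
    printf("ESP AES-CBC/SHA1-96, MTU 1500: %zu bytes\n", esp_payload_ipv4_udp(1500));
    printf("TLS AES-CBC/SHA1,    MSS 1460: %zu bytes\n", tls_cbc_payload(1460));
    printf("TLS AES-GCM,         MSS 1460: %zu bytes\n", tls_gcm_payload(1460));
    return 0;
}
```

With the assumed sizes, a 1500-byte MTU carries 1422 bytes of ESP payload (28 + 8 + 16 + 1424 + 12 = 1488 on the wire; one more payload byte would force an extra cipher block and 1504 bytes), and a 1460-byte MSS carries a 1403-byte CBC record or a 1431-byte GCM record. wire_size() is the check to keep around: compute the limit, then confirm limit fits and limit + 1 does not.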