Your scenario is still not quite clear to me.
It sounds like you are using a BIO_f_buffer() BIO to buffer data. This
is on the server side right? Are you encountering this problem for
server writes? Since you are talking about the certificate chain, I
assume you are referring to the server writing that chain.
libssl itself also uses a BIO_f_buffer() internally for writes during
the handshake. It's not clear to me whether you are referring to the
internal libssl buffering BIO, or one that you have created?
Either way, the effect of the buffering BIO during writes is that a 4k
buffer is used by default. If data is written that is less than 4k in
length then it is held in the buffer until either the BIO is "flushed"
or the buffer is filled. In the event the buffer gets filled then it is
automatically flushed, and any remaining data gets buffered.
The only effect of changing the buffer size should be to decrease the
frequency that the buffer gets filled and automatic flushes occur. It
sounds like by trying to increase the buffer size you are seeking to
avoid "partial" writes where only part of the data is flushed and the
remainder is held back for sending later when the buffer is next filled
or flushed. This should not normally make any difference to the correct
operation of the protocol (except for efficiency) although it does
depend on what happens "downstream" of the buffering bio and how partial
writes get sent to the peer.
It sounds like things are not quite working correctly for you when
"partial" writes occur. This sounds like a potential problem in the BIO
chain downstream of libssl (i.e. in your application).
Matt
On 20/10/2021 12:34, Vishal Sinha wrote:
Hi Matt
The certificate is not large as such. But since it's a chain, the
overall size crosses 4k. We used BIO_set_write_buffer_size() API to
increase the size from 4k to 8k of the BIO buffer in SSL context.
Regards
Vishal
On Wed, Oct 20, 2021 at 3:26 PM Vishal Sinha <vishals1991@xxxxxxxxx> wrote:
Hi
We are using openssl 1.1.1c version on our client and server. Client
and Server are doing EAP-TLS authentication using certificates which
are more than 4k in size (using 1 root CA and 2 intermediate CAs).
We noticed that the server is not able to handle it gracefully due
to insufficient buffer size during SSL handshake and hence
authentication fails. To solve this issue, we increased the buffer
size to 8k programmatically and authentication passed. Is there any
other way to solve this problem?
Regards
Vishal
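
The write buffering described in the top reply (a 4k buffer that is flushed when it fills, with the remainder held back until the next flush), modelled as an added example; it is not code from this thread or from libssl. The message sizes and the names wbuf, wbuf_write, wbuf_flush and replay_flight are constructed for illustration.

```c
#include <stdio.h>
#define MAX_WRITES 16

/* Simplified model of a write-buffering filter; not libssl's code. */
struct wbuf {
    size_t cap;              /* buffer size (4k default per the thread) */
    size_t len;              /* bytes currently held back */
    size_t sent[MAX_WRITES]; /* size of each write seen downstream */
    int nsent;
};

/* Hand everything held in the buffer to the downstream sink. */
static void wbuf_flush(struct wbuf *b)
{
    if (b->len > 0 && b->nsent < MAX_WRITES)
        b->sent[b->nsent++] = b->len;
    b->len = 0;
}

/* Buffer n bytes; when the buffer fills, flush it and keep the remainder. */
static void wbuf_write(struct wbuf *b, size_t n)
{
    while (n > 0) {
        size_t room = b->cap - b->len;
        size_t take = n < room ? n : room;
        b->len += take;
        n -= take;
        if (n > 0)           /* buffer full, data still pending */
            wbuf_flush(b);
    }
}

/* Replay a constructed handshake flight; return the downstream write count. */
static int replay_flight(struct wbuf *b, size_t cap)
{
    /* Constructed sizes: hello, certificate chain over 4k, trailing messages. */
    static const size_t flight[] = { 120, 5200, 300 };
    *b = (struct wbuf){ .cap = cap };
    for (size_t i = 0; i < sizeof(flight) / sizeof(flight[0]); i++)
        wbuf_write(b, flight[i]);
    wbuf_flush(b);           /* explicit flush at the end of the flight */
    return b->nsent;
}

int main(void)
{
    struct wbuf b;
    printf("4k buffer: %d downstream writes\n", replay_flight(&b, 4096));
    printf("8k buffer: %d downstream writes\n", replay_flight(&b, 8192));
    return 0;
}
```

With the 4k buffer the downstream sink sees a 4096-byte write followed by a 1524-byte write, so whatever sits below the buffer has to cope with a flight that arrives in pieces. With 8k it sees a single 5620-byte write.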