TLS Heartbeat


TLS Heartbeat

Rasool, Kaja Mohideen (Nokia - IN)

Hi,

I’m trying to develop a server (Java – Netty NIO Library + OpenSSL) / client (C + OpenSSL) applications.

A. I started off writing my server using Netty+OpenSSL and used some python scripts available on the web (https://gist.github.com/takeshixx/10107280) to test whether TLS Heartbeat with OpenSSL is fine. Strangely, I found that OpenSSL responds to heartbeat only if the length of TLSPlainText.length is greater than 4096. This I have observed from testing; I have yet to see the OpenSSL code which imposes this limitation.

B. Then I started to write my client that uses the SSL_heartbeat macro – but I didn’t find any way to mention how much payload/padding is to be used in the heartbeat message.

I need clarity on:

1. Whether the limitation observed in (A) above is correct. If so, is there any way to change it?

2. How to provide inputs like payload/padding to be used to work around the limitation in (A)?

Many thanks in advance,

With regards,

R Kaja Mohideen


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: TLS Heartbeat

Salz, Rich

Heartbeats?  Yuk, why.


Most likely, TCP is buffering things until you get a big enough data packet.   I don’t know how to address that.



Re: TLS Heartbeat

Rasool, Kaja Mohideen (Nokia - IN)

Ok, maybe TCP is doing it. Is there any other API using which I can specify the payload length & number of bytes for padding to send a TLS Heartbeat request? Then I can use that API to send out a big enough heartbeat request so my server recognizes & responds to it.

// Kaja


Re: TLS Heartbeat

Kyle Hamilton
In reply to this post by Salz, Rich
disable O_NAGLE on the socket?

-Kyle H

On Sat, Dec 10, 2016 at 8:04 AM, Salz, Rich <[hidden email]> wrote:

> Heartbeats?  Yuk, why.
>
> Most likely, TCP is buffering things until you get a big enough data packet.   I don’t know how to address that.


Re: TLS Heartbeat

Jeffrey Walton-3
In reply to this post by Rasool, Kaja Mohideen (Nokia - IN)
On Sat, Dec 10, 2016 at 9:25 PM, Rasool, Kaja Mohideen (Nokia - IN)
<[hidden email]> wrote:
> Ok, maybe, TCP is doing it. Is there any other API using which I can specify
> the payload length & number of bytes for padding to send a TLS Heartbeat
> request? Then, I can use that API to send out a big enough heartbeat request
> so my server recognize & responds to it.

Maybe related, see
https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/.
It shows how to measure and adjust for some throughput improvements.

Re: TLS Heartbeat

Michael Wojcik
In reply to this post by Kyle Hamilton
> From: openssl-users [mailto:[hidden email]] On Behalf Of Kyle Hamilton
> Sent: Sunday, December 11, 2016 02:29
> To: openssl-users
> Subject: Re: [openssl-users] TLS Heartbeat
>
> disable O_NAGLE on the socket?

Do you mean enable TCP_NODELAY? That's the standard (POSIX / SUSv3) option that disables the Nagle algorithm.

Using it is generally a sign of poorly-written software, created by someone who couldn't take the time to learn how TCP works. But then given the OP's description of the original problem, disabling the Nagle algorithm is likely not the most egregious design decision here. I'll echo Rich's sentiment: If you're using TLS heartbeat, You're Doing It Wrong.

Also, note that Nagle / Delayed ACK interaction should only delay transmission for up to 200ms. The OP didn't provide any actual useful information about what the "problem" is, so we don't know whether the heartbeats would have been transmitted after 200ms.

If they're not being transmitted for some other reason (e.g. receive window advertised as closed), then disabling Nagle won't make any difference.

Michael Wojcik
Distinguished Engineer, Micro Focus

Re: TLS Heartbeat

Rasool, Kaja Mohideen (Nokia - IN)
Yes. We're thinking of using TLS Heartbeats as a cheaper KeepAlive option in idle connections.


Re: TLS Heartbeat

Salz, Rich

> Yes. We're thinking of using TLS Heartbeats as cheaper KeepAlive option in
> idle connections.

Use TCP keepalive if really needed.  That keeps your application level free to reap truly idle connections if/when it wants to.
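The two socket-level knobs the replies refer to, as an added example that is not code from this thread or from OpenSSL: `TCP_NODELAY` (the option Michael names as the standard way to disable Nagle) and kernel TCP keepalive via `SO_KEEPALIVE` (Rich's suggestion instead of TLS heartbeats). The example sets each option on an unconnected stream socket and reads it back with `getsockopt()`, so the effect can be verified without a peer. `SO_KEEPALIVE` and `TCP_NODELAY` are POSIX; the `TCP_KEEPIDLE`/`TCP_KEEPINTVL`/`TCP_KEEPCNT` tuning parameters are Linux-specific and are guarded with `#ifdef`, so on other systems only the base keepalive flag is set. The helper names and the 60/10/3 timing values are this example's own choices.

```c
/* Added example, not part of the openssl-users thread: setting and
 * verifying TCP_NODELAY and TCP keepalive on a stream socket. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Disable (on=1) or re-enable (on=0) the Nagle algorithm. With Nagle
 * off, small writes are sent immediately instead of being held until
 * earlier unacknowledged data is ACKed. Returns 0 on success, -1 on error. */
int tcp_set_nodelay(int fd, int on)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, (socklen_t)sizeof on);
}

/* Read back TCP_NODELAY: 1 if set, 0 if not, -1 on error. */
int tcp_get_nodelay(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, &len) != 0)
        return -1;
    return on != 0;
}

/* Enable kernel keepalive: after idle_s seconds without traffic the
 * kernel sends a probe every intvl_s seconds and declares the peer dead
 * after cnt unanswered probes (the next read/write then fails). This
 * keeps liveness detection out of the TLS layer, leaving the application
 * free to reap idle connections on its own schedule.
 * Returns 0 on success, -1 on error. */
int tcp_set_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, (socklen_t)sizeof on) != 0)
        return -1;
#ifdef TCP_KEEPIDLE   /* Linux-specific tuning; absent elsewhere */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, (socklen_t)sizeof idle_s) != 0)
        return -1;
#else
    (void)idle_s;
#endif
#ifdef TCP_KEEPINTVL
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, (socklen_t)sizeof intvl_s) != 0)
        return -1;
#else
    (void)intvl_s;
#endif
#ifdef TCP_KEEPCNT
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, (socklen_t)sizeof cnt) != 0)
        return -1;
#else
    (void)cnt;
#endif
    return 0;
}

/* Read back SO_KEEPALIVE: 1 if enabled, 0 if not, -1 on error. */
int tcp_get_keepalive(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) != 0)
        return -1;
    return on != 0;
}

/* Read back the idle time in seconds; -1 if unsupported or on error. */
int tcp_get_keepidle(int fd)
{
#ifdef TCP_KEEPIDLE
    int idle = 0;
    socklen_t len = sizeof idle;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) != 0)
        return -1;
    return idle;
#else
    (void)fd;
    return -1;
#endif
}

/* Round-trip both options on a fresh, unconnected TCP socket.
 * Returns 0 if every option reads back as set, -1 otherwise. */
int socket_options_selftest(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int ok = tcp_set_nodelay(fd, 1) == 0 && tcp_get_nodelay(fd) == 1
          && tcp_set_keepalive(fd, 60, 10, 3) == 0 && tcp_get_keepalive(fd) == 1;
#ifdef TCP_KEEPIDLE
    ok = ok && tcp_get_keepidle(fd) == 60;
#endif
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = socket_options_selftest();
    printf("socket option round-trip: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

In a real client the options would be set on the connected descriptor before it is handed to OpenSSL (for example via `SSL_set_fd()`), and the keepalive intervals should be chosen to match whatever middlebox idle timeout is actually being worked around rather than the placeholder values used here.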