TLS-Session

TLS-Session

Konstantinos Schoinas
Hello,

I have deployed 3 VMs on my host (Linux) PC: 1 Ubuntu Desktop and 2
Ubuntu Servers.
I am using ovs-dpdk (openvswitch-dpdk) in order to create a bridge and
make the VMs speak to each other.

The test-case is this:

VM1: using openssl as a client to connect to an apache2 server hosted
in VM3
VM2: DPDK application working as an L2 switch that does DPI (deep packet
inspection) on the packet and checks if there is a Server Name Indication
with a specific forbidden SNI. If yes, it blocks the TLS session by
replying with a TLS fatal (2) alert packet with description
unrecognized_name (112). According to the RFC this shall block the TLS
session.

VM3: just an apache2 server

When I test this I am connecting from VM1 with this command:

openssl s_client -connect www.example.com:443 -servername www.example.com

(where "www.example.com" is the forbidden name of the DPDK application).

So my DPDK application is responding with the correct TLS alert and it
actually blocks the TLS session. I have seen the correct packet in
Wireshark as well. I am also putting a picture with this mail in order to
see the process.

The problem is that VM1 using openssl takes 2 to 3 seconds to end the
TLS session. Also I am getting some retransmits of the ClientHello in
Wireshark.

So my question is if anyone can confirm that this is a problem of
openssl or, if not, maybe something else.
In addition, does anyone know how much time a TLS session takes to
actually end?

I want to know if that 2-3 second delay is normal or not.


Thanks for your time,

Konstantinos Schoinas
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Attachments: 2018-08-17 1.39.51 PM.jpg (291K), 2018-08-17 1.42.16 PM.jpg (434K)]
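The filtering step the post describes (find the server_name extension in a ClientHello, and if the name is on a block list answer with a fatal unrecognized_name alert) can be shown in a few dozen lines. The following is an added example written for this thread, not Konstantinos's DPDK code: it builds a constructed minimal ClientHello, parses the SNI out of it with bounds checks, and produces the 7-byte alert record (content type 0x15, fatal level 2, description 112). The record version 0x0303 used for the alert is an assumption; a real appliance would echo the version it saw.

```python
import struct

SERVER_NAME_EXT = 0          # extension type for server_name (RFC 6066)
ALERT_FATAL = 2
ALERT_UNRECOGNIZED_NAME = 112


def build_client_hello(sni: str, version: bytes = b"\x03\x03") -> bytes:
    """Constructed minimal ClientHello record carrying one SNI host_name entry.
    Random and cipher list are dummy values; this is sample input, not a real client."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry         # ServerNameList
    ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni_body)) + sni_body
    body = (version
            + bytes(32)                    # client random (zeros, constructed sample)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                                   # truncated handshake
    pos = 2 + 32                                      # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SERVER_NAME_EXT and len(edata) >= 5:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(edata)):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii", "replace")
                q += 3 + nlen
    return None


def build_fatal_alert(description: int = ALERT_UNRECOGNIZED_NAME,
                      version: bytes = b"\x03\x03") -> bytes:
    """TLS alert record: content type 0x15, 2-byte body = level, description."""
    return b"\x15" + version + b"\x00\x02" + bytes([ALERT_FATAL, description])


def inspect(record: bytes, blocked_names):
    """Policy hook: return the alert to inject if the SNI is blocked, else None."""
    sni = extract_sni(record)
    if sni is not None and sni.lower() in blocked_names:
        return build_fatal_alert()
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("SNI:", extract_sni(hello))
    print("alert:", inspect(hello, {"www.example.com"}).hex())
```

The alert alone only settles the TLS layer; the segment that carries it still has to be a valid TCP reply for the client's kernel, which is the point the follow-up replies in this thread make.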
Re: TLS-Session

Viktor Dukhovni


> On Aug 17, 2018, at 6:43 AM, Konstantinos Schoinas <[hidden email]> wrote:
>
> So my dpdk application is responding with the correct TLS alert and it actually blocks the TLS session. I have seen the correct packet in wireshark as well. I am also putting a picture with this mail in order to see the process.
>
> The problem is that VM1 using openssl takes 2 to 3 seconds to end the TLS session. Also i am getting some retransmits of client hello in wireshark.

Re-transmission is a feature of the kernel TCP stack, and OpenSSL
has no control over this behaviour.

> So my question is if anyone can confirm that this is a problem of openssl or if not maybe something else.
> In addition if anyone know how much time does TLS session takes to actually end?

This *cannot* be an OpenSSL issue.  Your DPI firewall must not be
sending an ACK for the client HELLO payload, or is otherwise
failing to conform to TCP in a way that triggers re-transmission.

--
        Viktor.

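Viktor's diagnosis can be checked directly in a capture: if the injected alert segment's acknowledgment number does not cover the ClientHello bytes, the client's TCP stack never sees its data acknowledged and retransmits on its RTO. The following added example (not from the thread) runs that check over a constructed segment summary of the kind one would export from Wireshark; the sequence numbers, the 300-byte ClientHello and the "dpi" sender label are all assumptions made for the sample.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    t: float        # capture time in seconds
    src: str        # "client", "server", or "dpi" (the appliance spoofing the server)
    flags: str      # TCP flags, e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    length: int     # payload bytes
    note: str = ""


# Constructed trace mirroring the thread: the appliance answers the ClientHello with a
# 7-byte alert but acknowledges only the SYN (ack 1001), not the 300 data bytes.
SAMPLE_TRACE: List[Segment] = [
    Segment(0.000, "client", "S",  1000, 0,    0,   "SYN"),
    Segment(0.001, "server", "SA", 5000, 1001, 0,   "SYN-ACK"),
    Segment(0.001, "client", "A",  1001, 5001, 0,   "ACK"),
    Segment(0.002, "client", "PA", 1001, 5001, 300, "ClientHello"),
    Segment(0.003, "dpi",    "PA", 5001, 1001, 7,   "fatal alert unrecognized_name"),
    Segment(0.204, "client", "PA", 1001, 5001, 300, "ClientHello retransmit"),
    Segment(0.608, "client", "PA", 1001, 5001, 300, "ClientHello retransmit"),
]


def expected_ack(seg: Segment) -> int:
    """ACK number a peer must send to acknowledge every byte of this segment."""
    return seg.seq + seg.length


def highest_ack_to(trace: List[Segment], sender: str) -> int:
    """Highest ack number carried by any ACK-flagged segment not sent by `sender`."""
    return max((s.ack for s in trace if s.src != sender and "A" in s.flags), default=0)


def unacknowledged_data(trace: List[Segment], sender: str = "client") -> List[Segment]:
    """Distinct data segments from `sender` that no peer ACK ever covered."""
    acked_upto = highest_ack_to(trace, sender)
    seen, out = set(), []
    for s in trace:
        key = (s.seq, s.length)
        if s.src == sender and s.length > 0 and expected_ack(s) > acked_upto and key not in seen:
            seen.add(key)
            out.append(s)
    return out


def retransmissions(trace: List[Segment], sender: str = "client") -> List[Segment]:
    """Data segments that repeat an earlier (seq, length) pair from the same sender."""
    seen, out = set(), []
    for s in trace:
        if s.src != sender or s.length == 0:
            continue
        key = (s.seq, s.length)
        if key in seen:
            out.append(s)
        seen.add(key)
    return out


def diagnose(trace: List[Segment]) -> dict:
    """Summarise why the client keeps retransmitting and what ack the appliance owed."""
    unacked = unacknowledged_data(trace)
    return {
        "unacked_segments": len(unacked),
        "retransmits": len(retransmissions(trace)),
        "ack_required": [expected_ack(s) for s in unacked],
        "ack_actually_sent": highest_ack_to(trace, "client"),
    }


def with_correct_ack(trace: List[Segment]) -> List[Segment]:
    """Same trace, but the injected reply acknowledges the ClientHello (for comparison)."""
    fixed = []
    for s in trace:
        if s.src == "dpi":
            hello = next(x for x in trace if x.src == "client" and x.length > 0)
            s = Segment(s.t, s.src, s.flags, s.seq, expected_ack(hello), s.length, s.note)
        fixed.append(s)
    return fixed


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
    print(diagnose(with_correct_ack(SAMPLE_TRACE)))
```

On the sample the appliance acknowledged 1001 where 1301 was required, which is exactly the condition that leaves the client retransmitting until its own timers give up; the corrected trace reports no unacknowledged data.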
Re: TLS-Session

OpenSSL - User mailing list
TCP Nagle + TCP Delayed ACKs can cause what appears to be the ClientHello being retransmitted.

Tweaking these TCP options will give you better initialization performance. 

TCP_NODELAY
TCP_QUICKACK

This may not help the "end session" issue.
--
-Todd Short
// "One if by land, two if by sea, three if by the Internet."
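Todd's two socket options can be applied from any OpenSSL-based client before the handshake. The following is an added example, not Todd's or the project's code: it sets TCP_NODELAY and, where the platform has it, TCP_QUICKACK on a plain socket, then hands it to Python's ssl module (which is OpenSSL underneath) with the same SNI the s_client command in the thread used. The host, port and timeout are placeholders, and the exact `reason` string OpenSSL reports for a received unrecognized_name alert varies by version, so it is returned rather than matched.

```python
import socket
import ssl


def tune_client_socket(sock: socket.socket) -> socket.socket:
    """Disable Nagle and request immediate ACKs on a not-yet-connected TCP socket."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    quickack = getattr(socket, "TCP_QUICKACK", None)   # Linux-only option
    if quickack is not None:
        # tcp(7): TCP_QUICKACK is not permanent; the kernel may fall back to
        # delayed ACKs later, so it only affects the segments around the handshake.
        sock.setsockopt(socket.IPPROTO_TCP, quickack, 1)
    return sock


def nodelay_enabled(sock: socket.socket) -> bool:
    """Read back TCP_NODELAY so the tuning can be verified."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY) != 0


def connect_with_sni(host: str, port: int, servername: str, timeout: float = 5.0):
    """Open a tuned TCP connection and run the TLS handshake with the given SNI.

    Returns ("established", protocol) on success, or ("alert", reason) when the
    peer (or an in-path appliance) aborts the handshake with a TLS alert.
    The timeout caps how long the client waits if no valid reply ever arrives.
    """
    ctx = ssl.create_default_context()          # verifies the server certificate
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw.settimeout(timeout)
    tune_client_socket(raw)
    try:
        raw.connect((host, port))
        tls = ctx.wrap_socket(raw, server_hostname=servername)
        try:
            return ("established", tls.version())
        finally:
            tls.close()
    except ssl.SSLError as exc:
        # e.g. a fatal alert from the peer; exc.reason names the OpenSSL error reason
        raw.close()
        return ("alert", exc.reason)


if __name__ == "__main__":
    # Placeholder target; substitute the host behind the filtering appliance.
    print(connect_with_sni("www.example.com", 443, "www.example.com"))
```

Note that both options only change when segments and ACKs leave the client; they do nothing about a peer that never acknowledges the ClientHello bytes at all, which is why Todd expects them not to fix the slow teardown.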

