Comments (6)
kiranns
commented on August 11, 2024
I am planning to use TLSe with kTLS in an enterprise setting. I would need support for false-start (sending app data after 1-RTT) with TLS 1.2. I would be grateful if you can implement that. Support for TCP fast open would be a plus.
from tlse.
eduardsui
commented on August 11, 2024
Hello,
TCP fast open is TCP-transport-layer-related. You should just setsockopt TCP_FASTOPEN to your socket layer and you're good to go. Why don't you simply use TLS 1.3 instead of TLS 1.2 false-start? For TLS 1.2 it is fairly simple to implement, it will try to add it these days. However, it will be off by default.
from tlse.
eduardsui
commented on August 11, 2024
Compile with -DTLS_12_FALSE_START.
from tlse.
kiranns
commented on August 11, 2024
Thanks for the prompt response. I will try it out.
1. TCP FAST OPEN is indeed a TCP level option. However, the benefits of
that has to be leveraged by the TLS layer. The 'Client Hello' has to be
sent to the other side along with the 'SYN'. This requires changes inside
tlse, I presume by using the sendmsg call with special flags. This would
cut down one 1-RTT. There have been some security concerns regarding using
this. If you havent already, please take a look at Adam Langley's blog on
this issue (if I recall correctly).
2. Another request: please enable the tls_write and tls_read calls to take
in iovec structures. This would help avoiding 1-copy (at least) into a flat
buffer while sending large amounts, something that we need for our
use-case. In addition, if you can avoid further copies of the data within
the TLS layer for processing (for example, during encryption), that would
be great.
3. Another new request: In the newer Linux kernels, we can do zero-copy
between user-space and kernel for socket data. Adding that functionality
would also help with avoiding one more copy in the path for large data.
Here are the references I am talking about:
On the Tx side: https://lwn.net/Articles/726353/
On the Rx side: https://lwn.net/Articles/752046/
These are also TLS level changes.
…On Sat, Mar 2, 2019 at 4:39 AM Eduard Suica ***@***.***> wrote:
Compile with -DTLS_12_FALSE_START.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#38 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AScbLuALygUPTkedxhmU6umShUurmLaKks5vSnEKgaJpZM4baAg2>
.
from tlse.
eduardsui
commented on August 11, 2024
Hello,
TLSe is transport-layer agnostic. I try to keep a logical separation between socket I/O and TLS layer. The only exception is kTLS.
For example:
while ((read_size = recv(sockfd, client_message, sizeof(client_message) , 0)) > 0) {
tls_consume_stream(context, client_message, read_size, validate_certificate);
...
}
And:
unsigned int out_buffer_len = 0;
const unsigned char *out_buffer = tls_get_write_buffer(context, &out_buffer_len);
...
int res = send(client_sock, (char *)out_buffer, out_buffer_len, 0);
...
tls_buffer_clear(context);
}
This code should be in your client application (not inside TLSe). You're free to use any flags you would like.
For TCP fast open+ TLS you should do something like this:
tls_sni_set(context, "hostname");
tls_client_connect(context)
connect(sockfd, ...)
// do your TCP-related stuff here
tls_get_write_buffer(context, ...);
send(...) or sendmsg(...) or anything you would like until write buffer is empty
Also, you may add a function like this:
const unsigned char *tls_reown_write_buffer(struct TLSContext *context, unsigned int *outlen) {
..
*outlen = context->tls_buffer_len;
const unsigned char *buffer = context->tls_buffer;
context->tls_buffer = NULL;
context->tls_buffer_len = 0;
return buffer;
}
This should answer point 1 and 3. For point 2, I'm not sure if there is a real benefit, because tls_write takes a buffer that will be packed into a TLS record. The buffer is not copied nor stored, I'm not sure about the benefits here. Same goes for tls_get_write_buffer which provides access to internal buffer (no copy). I think that maybe it would be trivial to store a list of iovec structures instead of TLSe write buffer, but this will not be backwards compatible. But I also think you would be better using TLSe + kTLS + splice/sendfile instead.
Also, I don't recommend using the synchronous SSL_* compatible APIs. Those perform indeed some socket I/O, but only at a basic level.
Note that this is an open-source product (public-domain). Feel free to contribute with anything you consider useful by cloning and PR.
from tlse.
kiranns
commented on August 11, 2024
I have clarifications and further comments on this thread. I see that the
issue has now been closed. I will open separate threads on these topics
with my comments.
…On Sat, Mar 2, 2019 at 10:43 PM Eduard Suica ***@***.***> wrote:
Hello,
TLSe is transport-layer agnostic. I try to keep a logical separation
between socket I/O and TLS layer. The only exception is kTLS.
For example:
while ((read_size = recv(sockfd, client_message, sizeof(client_message) , 0)) > 0) {
tls_consume_stream(context, client_message, read_size, validate_certificate);
...
}
And:
unsigned int out_buffer_len = 0;
const unsigned char *out_buffer = tls_get_write_buffer(context, &out_buffer_len);
...
int res = send(client_sock, (char *)out_buffer, out_buffer_len, 0);
...
tls_buffer_clear(context);
}
This code should be in your client application (not inside TLSe). You're
free to use any flags you would like.
For TCP fast open+ TLS you should do something like this:
tls_sni_set(context, "hostname");
tls_client_connect(context)
connect(sockfd, ...)
// do your TCP-related stuff here
tls_get_write_buffer(context, ...);
send(...) or sendmsg(...) or anything you would like until write buffer is empty
Also, you may add a function like this:
const unsigned char *tls_reown_write_buffer(struct TLSContext *context, unsigned int *outlen) {
..
*outlen = context->tls_buffer_len;
const unsigned char *buffer = context->tls_buffer;
context->tls_buffer = NULL;
context->tls_buffer_len = 0;
return buffer;
}
This should answer point 1 and 3. For point 2, I'm not sure if there is a
real benefit, because tls_write takes a buffer that will be packed into a
TLS record. The buffer is not copied nor stored, I'm not sure about the
benefits here. Same goes for tls_get_write_buffer which provides access
to internal buffer (no copy). I think that maybe it would be trivial to
store a list of iovec structures instead of TLSe write buffer, but this
will not be backwards compatible. But I also think you would be better
using TLSe + kTLS + splice/sendfile instead.
Also, I don't recommend using the synchronous SSL_* compatible APIs. Those
perform indeed some socket I/O, but only at a basic level.
Note that this is an open-source product (public-domain). Feel free to
contribute with anything you consider useful by cloning and PR.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#38 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AScbLt2SDhMM6GPUOdkT76mCdSkiybLfks5vS270gaJpZM4baAg2>
.
from tlse.
Related Issues (20)
- Can't connect with certain servers HOT 2
- Strange error: "UNSUPPORTED TLS VERSION 0" HOT 8
- Possible bug in SSL_connect() HOT 4
- github.com TLS 1.3 transmission fails in the middle with NEED DATA HOT 11
- nginx servers need signature algorithm extension HOT 3
- Armv7 tls_packet_update HOT 1
- certificate_verify() is not called when using a TSL 1.3 client HOT 1
- Connect (to wikipedia) with V13 succeeds, but cannot read data. V12 works HOT 4
- Failure to connect to SMTP server with STARTTLS HOT 1
- Failure to notice incorrect handshake on SSL_connect
- TLS 1.3 server incompatible with openssl
- LTC_ARGCHK 'b != NULL' HOT 3
- Support for latest libtomcrypt HOT 5
- SSL_read function strange behavior vs openssl's SSL_read HOT 1
- Merge into tomcrypt HOT 2
- what is "for semantic compatibility" means? HOT 1
- Examples expects testcert folder. HOT 1
- HTTPS Server wont respond when using ECDHE-RSA-AES256GCM-SHA384 cipher HOT 1
- Growtopia wont respond when using TLSe HOT 14
- Async sockets. HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tlse.