Comments (6)
I am planning to use TLSe with kTLS in an enterprise setting. I would need support for false-start (sending app data after 1-RTT) with TLS 1.2. I would be grateful if you can implement that. Support for TCP fast open would be a plus.
Hello,
TCP fast open is TCP-transport-layer-related. You should just setsockopt TCP_FASTOPEN on your socket and you're good to go. Why don't you simply use TLS 1.3 instead of TLS 1.2 false-start? For TLS 1.2 it is fairly simple to implement; I will try to add it these days. However, it will be off by default.
Compile with -DTLS_12_FALSE_START.
Hello,
TLSe is transport-layer agnostic. I try to keep a logical separation between socket I/O and the TLS layer. The only exception is kTLS.
For example:

    while ((read_size = recv(sockfd, client_message, sizeof(client_message), 0)) > 0) {
        tls_consume_stream(context, client_message, read_size, validate_certificate);
        ...
    }

And:

    unsigned int out_buffer_len = 0;
    const unsigned char *out_buffer = tls_get_write_buffer(context, &out_buffer_len);
    ...
    int res = send(client_sock, (char *)out_buffer, out_buffer_len, 0);
    ...
    tls_buffer_clear(context);
This code should be in your client application (not inside TLSe). You're free to use any flags you would like.
For TCP fast open + TLS you should do something like this:

    tls_sni_set(context, "hostname");
    tls_client_connect(context);
    connect(sockfd, ...);
    // do your TCP-related stuff here
    tls_get_write_buffer(context, ...);
    // send(...) or sendmsg(...) or anything you would like until the write buffer is empty
Also, you may add a function like this:

    const unsigned char *tls_reown_write_buffer(struct TLSContext *context, unsigned int *outlen) {
        ..
        *outlen = context->tls_buffer_len;
        const unsigned char *buffer = context->tls_buffer;
        context->tls_buffer = NULL;
        context->tls_buffer_len = 0;
        return buffer;
    }
This should answer points 1 and 3. For point 2, I'm not sure if there is a real benefit, because tls_write takes a buffer that will be packed into a TLS record. The buffer is not copied nor stored; I'm not sure about the benefits here. Same goes for tls_get_write_buffer, which provides access to the internal buffer (no copy). I think that maybe it would be trivial to store a list of iovec structures instead of the TLSe write buffer, but this will not be backwards compatible. But I also think you would be better off using TLSe + kTLS + splice/sendfile instead.
Also, I don't recommend using the synchronous SSL_* compatible APIs. Those perform indeed some socket I/O, but only at a basic level.
Note that this is an open-source product (public-domain). Feel free to contribute with anything you consider useful by cloning and PR.
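To make the "send until the write buffer is empty" step and the tls_reown_write_buffer sketch above concrete, here is an added, self-contained C example (not TLSe's code). It mocks the two TLSContext fields with a hypothetical struct and uses a constructed fake transport that simulates an EINTR and short send() calls, so it runs without TLSe or a socket; `flush_write_buffer`, `mock_send` and `demo_flush` are names introduced here.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Mock of the two TLSContext fields the write path uses (not TLSe's real struct). */
struct TLSContext { unsigned char *tls_buffer; unsigned int tls_buffer_len; };
/* Ownership transfer as sketched above: the caller now owns the buffer and must free() it. */
const unsigned char *tls_reown_write_buffer(struct TLSContext *context, unsigned int *outlen) {
    *outlen = context->tls_buffer_len;
    const unsigned char *buffer = context->tls_buffer;
    context->tls_buffer = NULL;
    context->tls_buffer_len = 0;
    return buffer;
}
/* Transport callback with send()'s contract: bytes written, or -1 with errno set. */
typedef long (*send_fn)(int sock, const unsigned char *buf, unsigned int len);
/* Drain "until write buffer is empty": send() may write less than asked, so loop;
 * retry on EINTR/EAGAIN, fail hard on any other error. Returns bytes written or -1. */
long flush_write_buffer(struct TLSContext *context, send_fn tx, int sock) {
    unsigned int len = 0, off = 0;
    const unsigned char *buf = tls_reown_write_buffer(context, &len);
    while (off < len) {
        long n = tx(sock, buf + off, len - off);
        if (n < 0 && (errno == EINTR || errno == EAGAIN)) continue; /* poll() for POLLOUT here in real code */
        if (n < 0) { free((void *)buf); return -1; }
        off += (unsigned int)n;
    }
    free((void *)buf); /* free(NULL) is a no-op when nothing was pending */
    return (long)off;
}
/* Constructed fake transport: the first call fails with EINTR, later calls accept at
 * most 5 bytes each (a short send()) and append them to `captured`. */
static unsigned char captured[64]; static unsigned int captured_len, calls;
static long mock_send(int sock, const unsigned char *buf, unsigned int len) {
    (void)sock;
    if (calls++ == 0) { errno = EINTR; return -1; }
    unsigned int n = len > 5 ? 5 : len;
    memcpy(captured + captured_len, buf, n);
    captured_len += n;
    return (long)n;
}
/* Scenario: constructed 13-byte pending record; afterwards the context must be empty and all bytes delivered in order. */
long demo_flush(void) {
    static const unsigned char rec[13] = "TLS-RECORD-13";
    struct TLSContext ctx = { malloc(sizeof rec), sizeof rec };
    memcpy(ctx.tls_buffer, rec, sizeof rec);
    captured_len = 0; calls = 0;
    long sent = flush_write_buffer(&ctx, mock_send, -1);
    if (ctx.tls_buffer || ctx.tls_buffer_len) return -2;
    return memcmp(captured, rec, sizeof rec) == 0 ? sent : -3;
}
```

In a real client the callback wraps send()/sendmsg() (or sendto() with the fast-open flag on the first flight) and the EINTR/EAGAIN branch waits for writability instead of spinning.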