Comply with the received Record Size Limit extension #7010
Labels
Comments
yanesca
added
enhancement
component-tls13
size-s
yanesca
changed the title
5 tasks
|
RFC 8449 says:
Not complying with this from the peer side has the same effect as not being aware of this extension. The peer needs to be prepared for this and to break the connection when this happens. Catching this and breaking connection on the sender side when we can't comply (TLS handshake messages) doesn't make the situation any better (it is just more complicated, takes longer to implement and maintain). In summary, we shouldn't try to comply with this part until #1840 is resolved. |
|
Oh, my bad, that is meant to be #3817. |
3 tasks
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 18, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 18, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 19, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 19, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 20, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
KloolK
added a commit
to KloolK/mbedtls
that referenced
this issue
Apr 20, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
yanrayw
pushed a commit
to yanrayw/mbedtls
that referenced
this issue
Nov 14, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
yanrayw
pushed a commit
to yanrayw/mbedtls
that referenced
this issue
Nov 14, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
yanrayw
pushed a commit
to yanrayw/mbedtls
that referenced
this issue
Dec 7, 2023
Fixes Mbed-TLS#7010 Signed-off-by: Jan Bruckner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Prerequisite: #7007
Make TLS 1.3 client and server in Mbed TLS respect received Record Size Limit extension. This requires adding a new member to the session structure and storing the requested output record limit there. The record layer uses
mbedtls_ssl_get_max_out_record_payload()to determine the outgoing record limit. This will need to be updated to calculate payload that will result in the requested record limit.The fragmentation support in Mbed TLS is not complete (see #1840 and #3817). Completing fragmentation support is out of scope for this task. The goal is to make available fragmentation support use the Record Size Limit extension.
Since Mbed TLS doesn't fragment handshake messages in TLS, we need to make sure that the certificate message fits in the limit when testing.
(No need to consider MTU here as we don't have DTLS 1.3 yet.)
The task is done when
mbedtls_ssl_sessionand the outgoing (the one requested by the peer) record size limit is stored thereMBEDTLS_SSL_SESSION_TICKETSorMBEDTLS_SSL_CONTEXT_SERIALIZATION) work with the new member in the structssl-opt.shMBEDTLS_SSL_RECORD_SIZE_LIMIToptionThe text was updated successfully, but these errors were encountered: