Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[mbedtls3] mbedlts would breaks the record size limit when sending big record #293

Open
Taowyoo opened this issue Jul 11, 2023 · 2 comments · Fixed by #294
Open

[mbedtls3] mbedlts would breaks the record size limit when sending big record #293

Taowyoo opened this issue Jul 11, 2023 · 2 comments · Fixed by #294
Assignees
@Taowyoo
Labels
bug

Comments

@Taowyoo
Copy link
Collaborator

Taowyoo commented Jul 11, 2023
edited
Loading

About TLS record limit, current upstream mbedtls has some problems that cause bugs:

  1. In TLS 1.3, common TLS implementations now send record_size_limit extension to negotiation max record size between client and server. But:mbedtls currently (ver: 3.4.0) does not support it and just ignore that extension.
  2. When need to send big record, mbedlts will send a TLS record with record length > 2^14 which breaks the RFC, as a result, causing client's record overflow error.

It has been ensure problem 2 cause: clients (especially common browsers) will throw "record_overflow" alert to server when server try to send a record that bigger than 2^14 .

From wireshark, I saw it sends a record with length field value: 16416 which is 32 bigger the 2^14.

So current temporary solution is to manually set the MBEDTLS_SSL_OUT_CONTENT_LEN to a smaller number, see #294

This may also related to the our async_write function under mbedtls/src/ssl/context.rs.

But further investigation is needed to identify real reason for this.
Ref:
https://www.rfc-editor.org/rfc/rfc8446#section-5.1
https://datatracker.ietf.org/doc/html/rfc8449
@Taowyoo Taowyoo self-assigned this Jul 11, 2023
@Taowyoo Taowyoo added the bug label Jul 11, 2023
@Taowyoo Taowyoo mentioned this issue Jul 11, 2023
Merged
@Taowyoo Taowyoo linked a pull request Jul 11, 2023 that will close this issue
Set MBEDTLS_SSL_OUT_CONTENT_LEN to a smaller value to avoid client side record overflow #294
Merged
@Taowyoo Taowyoo changed the title Bugs because of mbedlts does not support record_size_limit ext in TLS 1.3 Bug: mbedlts sometimes breaks the record size limit Jul 11, 2023
@jethrogb jethrogb reopened this Jul 12, 2023
@jethrogb
Copy link
Member

#294 is just a workaround. Bug remains.

@Taowyoo Taowyoo changed the title Bug: mbedlts sometimes breaks the record size limit Bug: mbedlts would breaks the record size limit when sending big record Jul 12, 2023
@jethrogb
Copy link
Member

Upstream report Mbed-TLS/mbedtls#7918

@Taowyoo Taowyoo mentioned this issue Oct 17, 2023
Closed
6 tasks
@Taowyoo Taowyoo changed the title Bug: mbedlts would breaks the record size limit when sending big record [mbedtls3] mbedlts would breaks the record size limit when sending big record Oct 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Taowyoo Taowyoo

Labels
bug
Projects
None yet
Milestone
No milestone
2 participants
@jethrogb @Taowyoo