Re: Strange problem with SSL_write - Openssl
On 27 Sep 2006, at 22:28, David Schwartz wrote:

>> Other side would return an error message:
>>
>> ORA-31154: invalid XML document
>> ORA-19202: Error occurred in XML processing
>> LSX-00213: only 0 occurrences of particle "greeting", minimum is 1
>>
>> It is totally confused, that is: I, as a client, would never send greeting. One thing possible is that it got only part of the document. Second thing is two login attempts, which is an error.

> How is the client supposed to know where the document ends?

EPP PDU starts with four bytes telling the length of the document.

>> this after one call of SSL_write. As you see, SSL is transmitting two separate application data packets.

> Who cares whether it sends one or a thousand? It's none of the business how SSL sends the data so long as it all gets to the other end in the right order.

If the EPP server gets two login attempts during a very short period, it can request. A thousand login attempts would definitely be a denial of service attack, by everybody's count.

>> The problem is having two application data packets, when I call SSL_write only once.

> Why do you care how many application data packets SSL uses to send the data from one end to the other? That's a protocol detail the application not care about.

Most protocols do care about DoS. And, say, doing a database update an unknown number of times is not a good idea either.

>> And yes, I want to decrypt these two packets, to see what they contain. Even if they both are valid packets, this would be an error, as I said.

> How would that be an error?

As I said before, the relevant RFC has quite strong wording about DoS. EPP would be used, for instance, for provisioning ENUM DNS records, which explains the sensitivity.

>> As for 0x00, this one is the C-wise end-of-the-string. Some applications have a separate function call for handling data containing it.

> Why do you care what bytes are in the encrypted data? You're not that data, OpenSSL is.
>
> You seem to be very confused about how layering works in an SSL and what interface SSL provides to the application. SSL, like TCP, is a byte-stream protocol that does not preserve message boundaries.

This was just because some applications have different ways to handle a sequence containing 0x00, which is C's end-of-the-string.

I use SSL_write to send exactly one packet to the SSL socket, so of one SSL application layer packet is reasonable.
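The point made in this thread is that SSL delivers a byte stream, so the receiver must reassemble EPP data units from the four-byte length header itself, whatever record chunking SSL_write/SSL_read happen to produce. The following is an added example, not code from the thread or from OpenSSL: a small EPP framer fed with constructed chunks (a PDU split mid-header and two PDUs arriving in one read), with a length sanity limit so a bogus header cannot force a huge allocation. It assumes the RFC 5734 convention that the length counts the header plus the payload.

```python
import struct

HEADER_LEN = 4          # EPP data unit header: 32-bit big-endian total length
MAX_PDU_LEN = 1 << 20   # constructed sanity limit; a real server tunes this


class EppFramer:
    """Reassembles EPP data units from a stream that has no message boundaries.

    Feed it whatever SSL_read()/recv() returns, in any chunking: one
    SSL_write() may arrive as several reads, and several PDUs may arrive in
    one read. Each complete PDU is returned exactly once, so a single login
    is seen as a single login no matter how the transport split it.
    """

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf.extend(chunk)
        pdus = []
        while len(self._buf) >= HEADER_LEN:
            (total_len,) = struct.unpack("!I", self._buf[:HEADER_LEN])
            # Reject impossible lengths before waiting for or allocating them.
            if total_len < HEADER_LEN or total_len > MAX_PDU_LEN:
                raise ValueError(f"bad EPP data unit length {total_len}")
            if len(self._buf) < total_len:
                break  # partial PDU: wait for the next read
            pdus.append(bytes(self._buf[HEADER_LEN:total_len]))
            del self._buf[:total_len]
        return pdus


def encode_pdu(payload: bytes) -> bytes:
    """Prefix a payload with its total length; 0x00 bytes inside are fine."""
    return struct.pack("!I", HEADER_LEN + len(payload)) + payload


def demo() -> list:
    login = encode_pdu(b"<epp><command><login/></command></epp>")
    hello = encode_pdu(b"<epp><hello/></epp>")
    stream = login + hello
    # Constructed chunking: header split across reads, then the rest of the
    # first PDU and the whole second PDU in one read.
    chunks = [stream[:3], stream[3:20], stream[20:]]
    framer = EppFramer()
    out = []
    for c in chunks:
        out.extend(framer.feed(c))
    return out
```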
OpenSSL Project http://www.openssl.org
User Support Mailing List
Automated List Manager