On 27 Sep 2006, at 22:28, David Schwartz wrote:

>> Other side would return an error message:
>>
>> ORA-31154: invalid XML document
>> ORA-19202: Error occurred in XML processing
>> LSX-00213: only 0 occurrences of particle "greeting", minimum is 1
>>
>> It is totally confused, that is: I, as a client, would never send
>> greeting. One thing possible is that it got only part of the
>> document. Second thing is two login attempts, which is an error.
>
> How is the client supposed to know where the document ends?


An EPP PDU starts with four bytes telling the length of the document.

>> this after one call of SSL_write. As you see, SSL is transmitting two
>> separate application data packets.
>
> Who cares whether it sends one or a thousand? It's none of the
> application's business how SSL sends the data so long as it all gets
> to the other end in the right order.


If an EPP server gets two login attempts during a very short period, it
can reject the request. A thousand login attempts would definitely be a
denial of service attack, by everybody's count.

>> The problem is having two application data packets, when I call
>> SSL_write only once.
>
> Why do you care how many application data packets SSL uses to send
> the data from one end to the other? That's a protocol detail the
> application should not care about.


Most protocols do care about DoS. And, say, doing a database update an
unknown number of times is not a good idea either.

>> And yes, I want
>> to decrypt these two packets, to see what they contain. Even if they
>> both are valid packets, this would be an error, as I said.
>
> How would that be an error?


As I said before, the relevant RFC has quite strong wording about DoS
attacks. EPP would be used, for instance, for provisioning ENUM DNS
records, which explains the sensitivity.

>> As for 0x00, this one is the C-wise end-of-the-string. Some
>> applications have a separate function call for handling data
>> containing it.
>
> Why do you care what bytes are in the encrypted data? You're not
> handling that data, OpenSSL is.
>
> You seem to be very confused about how layering works in an SSL
> application and what interface SSL provides to the application. SSL,
> like TCP, is a byte-stream protocol that does not preserve message
> boundaries.


This was just because some applications have different ways to handle
an octet sequence containing 0x00, which is C's end-of-the-string.

I use SSL_write to send exactly one packet to the SSL socket, so the
expectation of one SSL application-layer packet is reasonable.

Aarno


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
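
An added example, not part of the original message or of OpenSSL: since SSL_read, like a TCP read, may return any slice of the byte stream, an EPP receiver has to reassemble each PDU from the four-byte length prefix mentioned in the thread before acting on it. It assumes the EPP-over-TCP framing (big-endian total length that counts the header itself); `epp_rx`, `epp_feed`, `epp_next`, `epp_demo` and the 64 KiB cap are hypothetical names and values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EPP_HDR 4u
#define EPP_MAX_PDU 65536u  /* assumed local size cap, not taken from the thread */

typedef struct { uint8_t buf[EPP_MAX_PDU]; size_t have; } epp_rx;

/* Append one chunk exactly as SSL_read() handed it over; -1 if it cannot fit. */
int epp_feed(epp_rx *rx, const void *chunk, size_t n) {
    if (n > sizeof rx->buf - rx->have) return -1;
    memcpy(rx->buf + rx->have, chunk, n);
    rx->have += n;
    return 0;
}

/* Copy one complete XML instance to out. Returns 1 when a whole PDU was
 * buffered, 0 when more bytes are needed, -1 on a bad length or small out. */
int epp_next(epp_rx *rx, uint8_t *out, size_t cap, size_t *out_len) {
    if (rx->have < EPP_HDR) return 0;              /* header itself may be split */
    uint32_t total = ((uint32_t)rx->buf[0] << 24) | ((uint32_t)rx->buf[1] << 16) |
                     ((uint32_t)rx->buf[2] << 8)  |  (uint32_t)rx->buf[3];
    if (total <= EPP_HDR || total > EPP_MAX_PDU) return -1;
    if (rx->have < total) return 0;                /* partial document: wait */
    if (total - EPP_HDR > cap) return -1;
    *out_len = total - EPP_HDR;
    memcpy(out, rx->buf + EPP_HDR, *out_len);
    rx->have -= total;
    memmove(rx->buf, rx->buf + total, rx->have);   /* keep bytes of the next PDU */
    return 1;
}

/* Constructed sample: one PDU that arrives as two separate reads. */
int epp_demo(void) {
    static epp_rx rx;
    static const uint8_t pdu[] = { 0, 0, 0, 10, '<', 'e', 'p', 'p', '/', '>' };
    uint8_t xml[64]; size_t len = 0; int pdus = 0;
    rx.have = 0;
    epp_feed(&rx, pdu, 1);                         /* first read: 1 byte */
    pdus += epp_next(&rx, xml, sizeof xml, &len);  /* 0: nothing to act on yet */
    epp_feed(&rx, pdu + 1, sizeof pdu - 1);        /* second read: the rest */
    pdus += epp_next(&rx, xml, sizeof xml, &len);  /* 1: the whole document */
    return pdus;
}

int main(void) {
    printf("PDUs delivered from two reads: %d\n", epp_demo());
    return 0;
}
```

In a real receiver, each positive return from SSL_read() would be passed to `epp_feed()`, followed by a loop over `epp_next()` until it returns 0.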