[mbedtls3] `mbedtls` would break the record size limit when sending a big record
Taowyoo opened this issue · 2 comments
About the TLS record limit, current upstream mbedtls has some problems that cause bugs:
- In TLS 1.3, common TLS implementations now send the `record_size_limit` extension to negotiate the max record size between client and server. But mbedtls currently (ver: 3.4.0) does not support it and just ignores that extension.
- When it needs to send a big record, mbedtls will send a TLS record with record length > 2^14, which breaks the RFC, as a result causing the client's record overflow error.
It has been verified that problem 2 causes this: clients (especially common browsers) will throw a "record_overflow" alert to the server when the server tries to send a record bigger than 2^14.
From Wireshark, I saw it sends a record with length field value 16416, which is 32 bigger than 2^14.
So the current temporary solution is to manually set `MBEDTLS_SSL_OUT_CONTENT_LEN` to a smaller number, see #294.
This may also be related to our `async_write` function under `mbedtls/src/ssl/context.rs`.
But further investigation is needed to identify the real reason for this.
Ref:
https://www.rfc-editor.org/rfc/rfc8446#section-5.1
https://datatracker.ietf.org/doc/html/rfc8449
Upstream report Mbed-TLS/mbedtls#7918
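The limits the issue refers to, as an added example that is not part of this issue, of mbedtls, or of the `mbedtls` Rust crate: a receiver-side check of a TLS 1.3 record header against the RFC 8446 bounds and a negotiated RFC 8449 `record_size_limit`, plus the sender-side fragment size that stays inside them. The 16-byte AEAD tag size, the extension type number 28 and the sample 16416-byte header are constructed assumptions, not values taken from a capture.

```python
import struct

# Limits from RFC 8446 (TLS 1.3) and RFC 8449 (record_size_limit).
MAX_TLSPLAINTEXT = 2**14            # RFC 8446 s5.1: TLSPlaintext.length <= 2^14
MAX_TLSINNERPLAINTEXT = 2**14 + 1   # RFC 8446 s5.2: content + 1 content-type byte (+ padding)
MAX_TLSCIPHERTEXT = 2**14 + 256     # RFC 8446 s5.2: TLSCiphertext.length <= 2^14 + 256
MIN_RECORD_SIZE_LIMIT = 64          # RFC 8449 s4: smaller values are illegal_parameter
EXT_RECORD_SIZE_LIMIT = 28          # assumed IANA code point for record_size_limit

APPLICATION_DATA = 0x17
RECORD_HDR = struct.Struct("!BHH")  # ContentType, legacy ProtocolVersion, uint16 length


def parse_record_header(buf: bytes):
    """Split the 5-byte TLS record header into (content_type, legacy_version, length)."""
    if len(buf) < RECORD_HDR.size:
        raise ValueError("truncated record header")
    return RECORD_HDR.unpack_from(buf)


def parse_record_size_limit(ext_body: bytes) -> int:
    """Decode a RecordSizeLimit extension body (one uint16) with RFC 8449 bounds.
    Values below 64 are a fatal illegal_parameter; values above the protocol
    maximum are clamped, because a sender may never exceed the protocol limit anyway."""
    if len(ext_body) != 2:
        raise ValueError("record_size_limit body must be exactly 2 bytes")
    (limit,) = struct.unpack("!H", ext_body)
    if limit < MIN_RECORD_SIZE_LIMIT:
        raise ValueError("illegal_parameter: record_size_limit below 64")
    return min(limit, MAX_TLSINNERPLAINTEXT)


def max_ciphertext_length(record_size_limit=None, aead_expansion=16) -> int:
    """Largest TLSCiphertext.length a TLS 1.3 receiver should accept.
    The negotiated limit (or the protocol default) bounds TLSInnerPlaintext; the AEAD
    tag (assumed 16 bytes, as for AES-GCM / ChaCha20-Poly1305) is added on top, and the
    absolute RFC 8446 ceiling of 2^14 + 256 always applies."""
    inner_limit = MAX_TLSINNERPLAINTEXT if record_size_limit is None else record_size_limit
    return min(inner_limit + aead_expansion, MAX_TLSCIPHERTEXT)


def max_plaintext_fragment(record_size_limit=None) -> int:
    """Largest application-data payload a TLS 1.3 sender may put in one protected
    record: one byte of the inner-plaintext budget goes to the content-type octet."""
    inner_limit = MAX_TLSINNERPLAINTEXT if record_size_limit is None else record_size_limit
    return min(MAX_TLSPLAINTEXT, inner_limit - 1)


def check_protected_record(header: bytes, record_size_limit=None, aead_expansion=16):
    """Return (accepted, detail) for an incoming TLS 1.3 protected record header,
    mirroring the record_overflow decision a client makes before decrypting."""
    ctype, version, length = parse_record_header(header)
    bound = max_ciphertext_length(record_size_limit, aead_expansion)
    if length > bound:
        return False, f"record_overflow: length {length} exceeds {bound}"
    return True, f"ok: length {length} within {bound}"


# Constructed sample: the header of a 16416-byte application_data record, the
# size quoted in the issue. Built here, not captured from mbedtls.
OVERSIZED_HEADER = RECORD_HDR.pack(APPLICATION_DATA, 0x0303, 16416)

if __name__ == "__main__":
    print(check_protected_record(OVERSIZED_HEADER))
    print(check_protected_record(OVERSIZED_HEADER, record_size_limit=16384))
    print("max fragment, default / limit 16384:",
          max_plaintext_fragment(), max_plaintext_fragment(16384))
```

With the default limit the accepted ciphertext length is 16385 + 16 = 16401 bytes, so a 16416-byte record is rejected, which matches the alert the browsers in the issue raise; a sender that honours a peer's `record_size_limit` of 16384 has to keep each application-data fragment at or below 16383 bytes.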