2015-10-23 15:12 GMT+02:00 Mark Thomas <ma...@apache.org>: > Found it. > > unwrap() only unwraps one TLS Record at a time. If there are multiple > TLS records in the input buffer unwrap reads them all into the engine > but only provides the decrypt for the first. Further calls to unwrap are > required to decrypt the remaining records. > > I have put in a work-around but I'm not sure it is in the right place. > This feels like something that should be fixed at a lower level > (tcnative?) so a call to unwrap unwarps as much as possible. > > Awesome, thanks a lot for this finding ! Yes, looking at it I'd say there's something which could be improved in the OpenSSL engine. I wonder what the JSSE behavior is, since it seems to happen quite rarely (if at all) with HTTP/1.1.
Rémy