On 01/19/2019 10:04 AM, Christian Nilsson wrote:
> Is there any way to detect that you only got a partial TLS header? Or
> is there any way to detect that it isn't complete and we should wait for
> more data before processing it?
Yes. The TLS handshake header comes along with a length field. In the example of Go Daddy this is set to 51xx (can't remember exactly from the top of my head). This length is being read and causes the "received overlength Handshake" error. As we set the max_fragmentation extension to 4096 and received exactly that amount of data in the first handshake packet, it should be fairly straightforward to predict that another packet with the rest is on its way.

> I think this has been reported before, just that not enough
> information was provided to reproduce, and/or not persistence was
> put in to have it fixed.

Looking through the git history I found some more interesting changes which sound like this kind of issue has been looked at already [1], [2]. But probably from a different angle back in 2012/13 when SSL server side implementations were still very different.

Regards,
Sebastian

[1] https://git.ipxe.org/ipxe.git/commit/0acc52519de732f4f010e1029e1308cee825eaed
[2] https://git.ipxe.org/ipxe.git/commit/72db14640c2a9eac0ba53baa955b180f1f4b9c2f

_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
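The reassembly logic Sebastian describes, written out as a stand-alone example: it is added here for illustration and is not iPXE's code. The 4-byte handshake header (type plus 24-bit length) is compared against the bytes buffered so far; if the peer has only delivered a 4096-byte record of a 51xx-byte message, the result is "need more" rather than "overlength". The 16384-byte cap, the `simulate_delivery` helper, the Certificate message of 5100 filler bytes and the record framing are constructed for the example (assumptions, not values from the thread).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Result of inspecting the handshake bytes buffered so far. */
enum hs_status { HS_NEED_MORE = 0, HS_COMPLETE = 1, HS_TOO_LONG = 2 };

/* Largest single handshake message we are willing to reassemble.
 * This cap is an assumption for the example, not an iPXE setting. */
#define HS_MAX_MESSAGE_LEN 16384
#define TLS_MAX_FRAGMENT_LEN 16384           /* 2^14, the TLS record plaintext limit */
#define TLS_RECORD_HEADER_LEN 5
#define TLS_HANDSHAKE_HEADER_LEN 4
#define TLS_CONTENT_TYPE_HANDSHAKE 22

/* Reassembly buffer for one handshake message (header + body). */
struct hs_buffer {
    uint8_t data[TLS_HANDSHAKE_HEADER_LEN + HS_MAX_MESSAGE_LEN];
    size_t len;
};

/* Decide whether the buffered bytes hold a complete handshake message.
 * The handshake header is msg_type (1 byte) + 24-bit big-endian length. */
enum hs_status hs_check(const struct hs_buffer *buf, size_t *body_len_out) {
    if (buf->len < TLS_HANDSHAKE_HEADER_LEN)
        return HS_NEED_MORE;                 /* not even the header yet */
    size_t body_len = ((size_t)buf->data[1] << 16) |
                      ((size_t)buf->data[2] << 8) |
                       (size_t)buf->data[3];
    if (body_len_out)
        *body_len_out = body_len;
    if (body_len > HS_MAX_MESSAGE_LEN)
        return HS_TOO_LONG;                  /* reject rather than buffer without bound */
    if (buf->len < TLS_HANDSHAKE_HEADER_LEN + body_len)
        return HS_NEED_MORE;                 /* the rest is still on the wire */
    return HS_COMPLETE;
}

/* Append the fragment of one handshake record to the reassembly buffer.
 * Record header: content_type (1), version (2), fragment length (2). */
int hs_feed_record(struct hs_buffer *buf, const uint8_t *rec, size_t rec_len) {
    if (rec_len < TLS_RECORD_HEADER_LEN || rec[0] != TLS_CONTENT_TYPE_HANDSHAKE)
        return -1;
    size_t frag_len = ((size_t)rec[3] << 8) | (size_t)rec[4];
    if (frag_len > TLS_MAX_FRAGMENT_LEN || rec_len < TLS_RECORD_HEADER_LEN + frag_len)
        return -1;                           /* oversized or truncated record */
    if (buf->len + frag_len > sizeof(buf->data))
        return -1;                           /* would overflow the reassembly buffer */
    memcpy(buf->data + buf->len, rec + TLS_RECORD_HEADER_LEN, frag_len);
    buf->len += frag_len;
    return 0;
}

/* Wrap a handshake fragment in a TLS 1.2 record header. */
size_t build_record(uint8_t *out, const uint8_t *frag, size_t frag_len) {
    out[0] = TLS_CONTENT_TYPE_HANDSHAKE;
    out[1] = 3; out[2] = 3;                  /* TLS 1.2 record version */
    out[3] = (uint8_t)(frag_len >> 8);
    out[4] = (uint8_t)(frag_len & 0xff);
    memcpy(out + TLS_RECORD_HEADER_LEN, frag, frag_len);
    return TLS_RECORD_HEADER_LEN + frag_len;
}

/* Simulate a server sending one Certificate message (type 11) with a
 * body_len-byte body, split into records of at most max_frag bytes, as a
 * server honouring max_fragment_length would. Reports the status seen after
 * the first record and how many records were consumed before a decision.
 * Returns 0 on success, -1 on allocation or framing failure. */
int simulate_delivery(size_t body_len, size_t max_frag,
                      int *status_after_first, int *records_consumed) {
    size_t msg_len = TLS_HANDSHAKE_HEADER_LEN + body_len;
    uint8_t *msg = malloc(msg_len);
    uint8_t *rec = malloc(TLS_RECORD_HEADER_LEN + max_frag);
    struct hs_buffer *buf = calloc(1, sizeof(*buf));
    if (!msg || !rec || !buf) { free(msg); free(rec); free(buf); return -1; }

    msg[0] = 11;                             /* HandshakeType certificate */
    msg[1] = (uint8_t)(body_len >> 16);
    msg[2] = (uint8_t)(body_len >> 8);
    msg[3] = (uint8_t)body_len;
    memset(msg + TLS_HANDSHAKE_HEADER_LEN, 0xAB, body_len); /* constructed filler body */

    int rc = 0, n = 0, status = HS_NEED_MORE;
    size_t off = 0;
    while (off < msg_len && status == HS_NEED_MORE) {
        size_t chunk = (msg_len - off < max_frag) ? msg_len - off : max_frag;
        size_t rec_len = build_record(rec, msg + off, chunk);
        if (hs_feed_record(buf, rec, rec_len) != 0) { rc = -1; break; }
        off += chunk;
        n++;
        status = hs_check(buf, NULL);
        if (n == 1)
            *status_after_first = status;
    }
    *records_consumed = n;
    free(msg); free(rec); free(buf);
    return rc;
}

int main(void) {
    int first, n;
    if (simulate_delivery(5100, 4096, &first, &n) == 0)
        printf("5100-byte body in 4096-byte records: after first record=%d, records=%d\n",
               first, n);
    return 0;
}
```

The point of the cap is that "wait for more" must be bounded: a length field that exceeds what the client is prepared to buffer is rejected on the first record, while a length that merely exceeds the negotiated fragment size is allowed to complete across records.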