On Thursday 22 March 2007 10:36 am, Jakob Schroeter wrote:
> [*] GnuTLS twice spits out 3 pieces of handshake data in a row. These can
> be combined and sent in one stanza.

Yes.

> The stanzas I was sending look like this:
>
> <message ...>
>   <xtls xmlns='xtls:test'>
>     base64( raw_tls_data )
>   </xtls>
> </message>
>
> I do not start an additional XML stream here, so I believe this format is
> similar to what is used in ESessions, where all stanza child elements which
> don't contain routing information are encrypted and put in a <c/> element.

TLS is meant to be used as a stream. Even your GnuTLS wrapper, with its spontaneous callbacks, reflects this. So I still think this packetized usage of TLS is very strange.

Granted, it is probably safe to assume that the TLS library will report all outgoing data immediately, for both handshake and encrypted user data. If it doesn't do it in one call, then it would occur in several calls over one "pass" (like you noticed with the gnutls handshake). I make this assumption as well in my own code, as it is the only way I know of to track when plaintext data has been fully processed by a TLS library that otherwise doesn't report it (e.g. OpenSSL).

However, shaping TLS packets in such a way that we effectively packetize the decoded plaintext, even if we can pull it off, just seems weird. TLS is a stream, let's use it like a stream.

-Justin
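The "treat it as a stream" point above, as an added example that is not code from this thread or from either author: the sender combines every piece a TLS library emitted during one pass into a single stanza payload, and the receiver concatenates successive payloads into one byte stream and splits standard 5-byte-header TLS records from it, so a record spanning two stanzas or several records in one stanza both work. The record bodies and the `<xtls/>` framing helpers are constructed for illustration.

```python
import base64
import struct
from typing import List

# Constructed values, not captured traffic: TLS record content types and
# the record-layer version field used in the 5-byte record header.
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
TLS1_0 = 0x0301
MAX_RECORD_LEN = 2 ** 14 + 2048  # TLS 1.2 ciphertext limit


def tls_record(content_type: int, body: bytes) -> bytes:
    """Build one TLS record: type(1) version(2) length(2) followed by body."""
    return struct.pack("!BHH", content_type, TLS1_0, len(body)) + body


def stanza_payload(pieces: List[bytes]) -> str:
    """Sender side: join everything the TLS library reported during one pass
    (e.g. the three GnuTLS handshake pieces) into one base64 <xtls/> payload."""
    return base64.b64encode(b"".join(pieces)).decode("ascii")


class TlsStreamReassembler:
    """Receiver side: stanza payloads are appended to one byte stream and
    complete TLS records are cut from it, ignoring stanza boundaries."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, payload_b64: str) -> List[bytes]:
        """Decode one stanza payload; return every record now complete."""
        self._buf += base64.b64decode(payload_b64, validate=True)
        records: List[bytes] = []
        while len(self._buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", bytes(self._buf[:5]))
            if ctype not in (0x14, 0x15, 0x16, 0x17) or length > MAX_RECORD_LEN:
                raise ValueError("malformed TLS record header")
            if len(self._buf) < 5 + length:
                break  # record continues in a later stanza; keep the prefix
            records.append(bytes(self._buf[: 5 + length]))
            del self._buf[: 5 + length]
        return records

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete record."""
        return len(self._buf)
```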
