On Wed, Nov 18, 2015 at 11:07:59AM +0200, Yoav Nir wrote:

> Stateful firewalls tend to pass only what they understand. They use some 
> measures to avoid tunneling and passing things that are not HTTPS over TCP 
> port 443.
> 

If the record layer header for application-data (not the initial
handshake), is simply expanded by 3 bytes to 8 (zero padded), and
the padding is included in the record length, then to legacy parsers
it looks like a 5 byte header with payload that's 3 bytes longer,
while implementations aware of the change will treat this as a new
format in which the record header is 8 bytes and always overstates
the payload length by 3.

The real payload can then be properly aligned.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

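The framing trick described in the reply above, written out as an added example (this is not code from the post or from any TLS implementation). It builds records in the proposed format, then runs them through a parser that knows only the 5-byte header and a parser that understands the 8-byte form, to show that both agree on where each record ends while only the aware parser recovers the real payload at an 8-byte offset. The function names, the record contents and the constant names are constructed for the illustration; the header layout (type, version, 16-bit length) and content type 23 for application_data are the standard TLS record layer.

```python
import struct

# Constructed example, not from the mailing-list post. The standard 5-byte
# record header is type(1) || version(2) || length(2). In the proposed format
# the header is followed by 3 zero bytes that are counted in `length`, so the
# header is effectively 8 bytes and the payload begins 8 bytes into the record.
LEGACY_HEADER_LEN = 5
PADDED_HEADER_LEN = 8
PAD_LEN = PADDED_HEADER_LEN - LEGACY_HEADER_LEN   # 3 zero bytes of padding

APPLICATION_DATA = 23      # TLS ContentType application_data
TLS12_VERSION = 0x0303     # record-layer version bytes used by TLS 1.2


def build_padded_record(payload, content_type=APPLICATION_DATA, version=TLS12_VERSION):
    """Emit one record in the proposed format. The length field covers both the
    pad bytes and the payload, so a legacy parser still frames it correctly."""
    length = PAD_LEN + len(payload)
    if length > 0xFFFF:
        raise ValueError("record too long for the 16-bit length field")
    return struct.pack("!BHH", content_type, version, length) + b"\x00" * PAD_LEN + payload


def parse_legacy(buf):
    """Parser that knows only the 5-byte header. Returns (type, version, body, rest)
    where body is exactly what the length field describes, pad bytes included."""
    if len(buf) < LEGACY_HEADER_LEN:
        raise ValueError("short header")
    content_type, version, length = struct.unpack("!BHH", buf[:LEGACY_HEADER_LEN])
    end = LEGACY_HEADER_LEN + length
    if len(buf) < end:
        raise ValueError("truncated record")
    return content_type, version, buf[LEGACY_HEADER_LEN:end], buf[end:]


def parse_padded(buf):
    """Parser aware of the new format: treats the header as 8 bytes, requires the
    pad to be zero, and subtracts PAD_LEN from the length to get the real payload.
    It computes the same record end as parse_legacy, so framing stays in sync."""
    if len(buf) < PADDED_HEADER_LEN:
        raise ValueError("short header")
    content_type, version, length = struct.unpack("!BHH", buf[:LEGACY_HEADER_LEN])
    if length < PAD_LEN:
        raise ValueError("length field smaller than the padding it must cover")
    if buf[LEGACY_HEADER_LEN:PADDED_HEADER_LEN] != b"\x00" * PAD_LEN:
        raise ValueError("non-zero padding: not a padded-format record")
    end = LEGACY_HEADER_LEN + length          # identical to the legacy parser's end
    if len(buf) < end:
        raise ValueError("truncated record")
    return content_type, version, buf[PADDED_HEADER_LEN:end], buf[end:]


def walk(buf, parser):
    """Frame every record in `buf` with `parser`. Returns a list of
    (content_type, header_len, body): header_len is the payload's offset from
    the start of its record, i.e. 5 for the legacy view and 8 for the aware view."""
    out = []
    while buf:
        content_type, _version, body, rest = parser(buf)
        header_len = len(buf) - len(rest) - len(body)
        out.append((content_type, header_len, body))
        buf = rest
    return out


def demo():
    """Two constructed application-data records back to back, seen both ways."""
    records = [b"GET / HTTP/1.1\r\n", b"Host: example\r\n\r\n"]
    stream = b"".join(build_padded_record(r) for r in records)
    return stream, walk(stream, parse_legacy), walk(stream, parse_padded)


if __name__ == "__main__":
    stream, legacy, aware = demo()
    for (_, lhdr, lbody), (_, ahdr, abody) in zip(legacy, aware):
        print("legacy: payload at +%d, %r" % (lhdr, lbody))
        print("aware:  payload at +%d, %r" % (ahdr, abody))
```

Both parsers advance by the same number of bytes per record, which is what keeps a legacy middlebox walking record boundaries correctly; the aware parser simply drops the 3 zero bytes and starts the payload at offset 8 of the record. The extra 3 bytes do count against whatever maximum record length the legacy peer enforces, so a sender using the padded form has 3 fewer bytes of payload per record to work with.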