
Support CLIENT_HELLO split across multiple packets

Open bneradt opened this issue 7 months ago • 2 comments

Our TLS CLIENT_HELLO processing logic assumed all CLIENT_HELLO bytes came in a single TCP packet. However, with more recent cryptographic ciphers, the CLIENT_HELLO is often greater than the standard 1,500-byte MTU, so the CLIENT_HELLO is being delivered in multiple packets. This updates our logic to properly buffer and parse data across multiple socket reads.

Fixes: #11758

bneradt, Jun 13 '25 22:06
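The buffering the description refers to, as an added example that is not Apache Traffic Server's own code: a small assembler that accepts bytes one socket read at a time, consumes complete TLS records as they become available, splices their payloads into a handshake buffer, and only reports a ClientHello as complete once the 3-byte handshake length is satisfied. It goes beyond the single-record case by also handling a ClientHello fragmented across several TLS records. The class and function names, the constructed filler ClientHello and the 64 KiB buffering cap are assumptions for this example, not values from the project.

```cpp
// Added example, not Apache Traffic Server code: reassemble a TLS ClientHello
// that may arrive across several socket reads (and several TLS records)
// instead of assuming one read holds the whole message.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class HelloStatus { NeedMore, Complete, Invalid };

class ClientHelloAssembler {
public:
  // Append the bytes from one socket read and report what is known so far.
  HelloStatus feed(const uint8_t *data, size_t len) {
    // Bound what a never-completing handshake can pin in memory. The 64 KiB
    // cap is an assumption for this example, not a protocol limit.
    if (raw_.size() + hello_.size() + len > kMaxBuffered) return HelloStatus::Invalid;
    raw_.insert(raw_.end(), data, data + len);
    return drain();
  }
  // Reassembled handshake bytes (msg_type, 3-byte length, body) so far.
  const std::vector<uint8_t> &hello() const { return hello_; }

private:
  static constexpr size_t kMaxBuffered = 64 * 1024;
  static constexpr size_t kMaxRecordPayload = 16384;  // TLS record payload limit
  std::vector<uint8_t> raw_;    // bytes not yet consumed as a full record
  std::vector<uint8_t> hello_;  // handshake payload spliced out of records

  HelloStatus drain() {
    // Consume every complete TLS record: type(1) version(2) length(2) payload.
    while (raw_.size() >= 5) {
      if (raw_[0] != 0x16) return HelloStatus::Invalid;  // not a handshake record
      size_t rec_len = (size_t(raw_[3]) << 8) | raw_[4];
      if (rec_len == 0 || rec_len > kMaxRecordPayload) return HelloStatus::Invalid;
      if (raw_.size() < 5 + rec_len) break;  // partial record: wait for more reads
      hello_.insert(hello_.end(), raw_.begin() + 5, raw_.begin() + 5 + rec_len);
      raw_.erase(raw_.begin(), raw_.begin() + 5 + rec_len);
    }
    // Handshake header: msg_type(1) length(3). ClientHello is msg_type 1.
    if (hello_.size() < 4) return HelloStatus::NeedMore;
    if (hello_[0] != 0x01) return HelloStatus::Invalid;
    size_t hs_len = (size_t(hello_[1]) << 16) | (size_t(hello_[2]) << 8) | hello_[3];
    return hello_.size() >= 4 + hs_len ? HelloStatus::Complete : HelloStatus::NeedMore;
  }
};

// Constructed test input (not a real client's bytes): a ClientHello whose body
// is `body_len` filler bytes, wrapped in TLS records of at most `max_rec`
// payload bytes so the handshake may span several records.
std::vector<uint8_t> make_client_hello(size_t body_len, size_t max_rec = 16384) {
  std::vector<uint8_t> hs;
  hs.push_back(0x01);
  hs.push_back(uint8_t(body_len >> 16));
  hs.push_back(uint8_t(body_len >> 8));
  hs.push_back(uint8_t(body_len));
  hs.insert(hs.end(), body_len, uint8_t(0xAA));
  std::vector<uint8_t> wire;
  for (size_t off = 0; off < hs.size(); off += max_rec) {
    size_t n = std::min(max_rec, hs.size() - off);
    wire.push_back(0x16); wire.push_back(0x03); wire.push_back(0x01);
    wire.push_back(uint8_t(n >> 8)); wire.push_back(uint8_t(n));
    wire.insert(wire.end(), hs.begin() + off, hs.begin() + off + n);
  }
  return wire;
}

struct FeedResult { HelloStatus status; size_t reads; };

// Deliver `wire` in reads of `chunk` bytes, the way a socket might hand over
// a ClientHello larger than one MTU, stopping at the first final verdict.
FeedResult feed_in_chunks(const std::vector<uint8_t> &wire, size_t chunk) {
  ClientHelloAssembler a;
  FeedResult r{HelloStatus::NeedMore, 0};
  for (size_t off = 0; off < wire.size() && r.status == HelloStatus::NeedMore; off += chunk) {
    size_t n = std::min(chunk, wire.size() - off);
    ++r.reads;
    r.status = a.feed(wire.data() + off, n);
  }
  return r;
}

int main() {
  // A 2 KB ClientHello delivered in 1460-byte segments needs two reads.
  FeedResult r = feed_in_chunks(make_client_hello(2000), 1460);
  std::printf("complete=%d reads=%zu\n", r.status == HelloStatus::Complete, r.reads);
  return 0;
}
```

The two checks a reviewer would look for are both present: the record layer is parsed only once five header bytes exist and the record only once its full payload exists, and the handshake length is read from the reassembled payload rather than from whatever the first read happened to contain. Without the cap, a peer that advertises a large record and then stops sending would leave the buffer allocated indefinitely.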

I guess no hope in getting this fix backported to older major versions?

tomuxi, Jun 18 '25 13:06

> I guess no hope in getting this fix backported to older major versions?

The cherry-pick for 9.x is non-trivial, but I can look into it.

bneradt, Jun 18 '25 22:06

> > I guess no hope in getting this fix backported to older major versions?
>
> The cherry-pick for 9.x is non-trivial, but I can look into it.

I made a 9.2.x backport: https://github.com/apache/trafficserver/pull/12319

bneradt, Jun 25 '25 21:06

Cherry-picked to 10.1.x branch

cmcfarlen, Jun 30 '25 15:06