JSSE wrap 创建两个需要两次解包的 tls 数据包.为什么? [英] JSSE wrap creates two tls packets requiring two unwraps. Why?
问题描述
我正在使用连接的 openssl 客户端检查我们的 java 应用程序在 jsse tls 加密和解密方面的行为.
I am inspecting the behavior of our java application with respect to jsse tls encryption and decryption with a connected openssl client.
首先我观察到当我为客户端数据调用 unwrap 时,它总是 unwrap 消耗 37 个字节并产生 0.下一次 unwrap 消耗一些字节并产生一些.
First I observed that when I call unwrap for client data, it always unwraps consuming 37 bytes and producing 0. The next unwrap consumes some bytes and produces some.
起初我以为客户端会先包装一个空数组.但是后来我发现 jsse 代码也做了同样的事情,只是它产生了 1 个字节而不是 0 个.
At first I thought the client would wrap an empty array first. But then I discovered that the jsse code does the same, except it produces 1 byte instead of 0.
所以对 wrap 的每次调用消耗 X 字节并产生 Y 字节,但需要两个 unwraps 而第一个消耗 37 个字节并产生 1 个字节和第二个消耗 Y-37 字节并产生 X-1 字节.
So every call to a wrap consumes X bytes and produces Y bytes but requires TWO unwraps while the first one consumes 37 bytes and produces 1 byte and the second one consumes Y-37 bytes and produces X-1 bytes.
虽然 openssl 和 jsse 做的几乎一样,但我希望这是正确的.但是我想知道,为什么会这样.我看不出有什么原因,它需要额外的资源......?
While openssl and jsse are doing nearly the same, I expect that to be correct. However I would like to know, why that happens. I don't see a reason for that and it takes additional resources...?
推荐答案
您所看到的是缓解 BEAST 攻击的两种略有不同的方法.一种方法是使用 一个空片段,就像使用 OpenSSL 一样.JSSE 通过发送 1 个字节的数据和其余的单独发送来做类似的事情.
What you're seeing is two slightly different ways of mitigating the BEAST attack. One way of doing this is to use an empty fragment as it's done with OpenSSL. The JSSE does something similar by sending 1 byte of data and the rest separately.
以下是一些您可能感兴趣的链接:
Here are a few links that may be of interest:
这篇关于JSSE wrap 创建两个需要两次解包的 tls 数据包.为什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
