I need to implement TLS on an embedded device with an OpenSSL client running on a normal computer. The data transfers are limited to less than 1 kB at a time. I have been looking at mbedtls and it is possible to limit the record buffer to 2 kB to save memory, however the standard TLS record can be up to 16 kB. Is it possible to limit the record size in TLS or at the very least require each SSL_write command to create its own record? Otherwise OpenSSL may concatenate the data and create a record that is too long to be received. I have complete control over both ends of the connection so there shouldn't be any issues with compatibility.
Viewed 2,172 times
- From the [`BIO_f_buffer(3)` man page](https://www.openssl.org/docs/manmaster/crypto/BIO_f_buffer.html): *"BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size() return 1 if the buffer was successfully resized or 0 for failure"* and *"...the initial buffer size is `DEFAULT_BUFFER_SIZE`, currently 4096. Any attempt to reduce the buffer size below `DEFAULT_BUFFER_SIZE` is ignored."* – jww Sep 28 '15 at 05:10
1 Answer
Try `BIO_set_write_buffer_size()`, but you should just be able to control how much you read or send at a time, and flush the BIO after each write.
Another strategy might be to create a memory BIO, and transmit the bytes of output it produces. You can’t control the maximum size of its buffer, but you should be able to control the chunk size manually that way.

Davislor
- Using `BIO_set_write_buffer_size` could be tricky. According to the [`BIO_f_buffer(3)` man page](https://www.openssl.org/docs/manmaster/crypto/BIO_f_buffer.html): *"...The initial buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the buffer size below DEFAULT_BUFFER_SIZE is ignored."* So he might need to change `DEFAULT_BUFFER_SIZE`, too. – jww Sep 28 '15 at 04:49
- Without having checked, that looks like a compile-time constant to me, so it would probably require recompiling the library and running regression tests. There might be other code as well that makes assumptions about it, since that also happens to be a page size. – Davislor Sep 28 '15 at 09:06
- Yeah, I'm waiting to see the outcome. We can send in a bug report referencing this and a few other questions on SO if OpenSSL does need a recompile. (I look at SO as a source of real problems that can be solved). – jww Sep 28 '15 at 09:31
- But buffering output from a memory BIO should be a decent workaround. – Davislor Sep 28 '15 at 09:40
- I am using ASIO so trying to rework the BIO is probably excessively complicated. Also adding the memory buffer would reduce performance. Will OpenSSL create a record for each SSL_write call, or will it try to join them into a single record to save overhead? – John Sep 28 '15 at 17:45
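To make the record-size problem discussed in the question and the comments concrete, here is an added example in C; it is not code from the question, the answer, OpenSSL or Mbed TLS. It models only the plaintext TLS record layer: a sender that splits application data into records whose body never exceeds a chosen fragment size, and a receiver that checks the record's length field against its fixed buffer before copying anything. The 5000-byte payload, the 1024-byte fragment size and the 2048-byte `DEVICE_BUF_SIZE` are constructed values chosen to mirror the 1 kB transfers and 2 kB buffer in the question; the 5-byte header follows RFC 5246 section 6.2.1, and handshake and encryption are left out.

```c
/* Added example (not from the question, the answer, OpenSSL or Mbed TLS):
 * plaintext TLS record framing, to show the record-size limit the thread is
 * about.  Sender side: split application data into records whose body never
 * exceeds a chosen fragment size.  Receiver side: refuse any record whose
 * length field exceeds the fixed buffer, before copying a single body byte.
 * Only the 5-byte record header (RFC 5246 section 6.2.1) is modelled; there
 * is no handshake and no encryption, so bodies travel in the clear. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HDR_LEN 5
#define TLS_MAX_PLAINTEXT 16384        /* 2^14, the protocol's own ceiling    */
#define TLS_CT_APPLICATION_DATA 23
#define DEVICE_BUF_SIZE 2048           /* constructed: the 2 kB device buffer */

enum tls_rc { TLS_OK = 0, TLS_NEED_MORE = 1, TLS_TOO_LONG = -1, TLS_BAD_HDR = -2 };

/* Emit one record (header + body) into out. Returns bytes written, 0 on error. */
size_t tls_put_record(uint8_t *out, size_t cap, uint8_t ctype,
                      const uint8_t *body, size_t len)
{
    if (len > TLS_MAX_PLAINTEXT || cap < TLS_HDR_LEN + len) return 0;
    out[0] = ctype;
    out[1] = 3; out[2] = 3;            /* record-layer version bytes for TLS 1.2 */
    out[3] = (uint8_t)(len >> 8);
    out[4] = (uint8_t)(len & 0xff);
    memcpy(out + TLS_HDR_LEN, body, len);
    return TLS_HDR_LEN + len;
}

/* Sender: split data into application-data records of at most max_frag bytes.
 * Returns total wire bytes (0 on error or empty input); *nrec = record count. */
size_t tls_split_records(const uint8_t *data, size_t len, size_t max_frag,
                         uint8_t *out, size_t cap, size_t *nrec)
{
    size_t off = 0, used = 0;
    *nrec = 0;
    if (max_frag == 0 || max_frag > TLS_MAX_PLAINTEXT) return 0;
    while (off < len) {
        size_t chunk = (len - off < max_frag) ? len - off : max_frag;
        size_t n = tls_put_record(out + used, cap - used, TLS_CT_APPLICATION_DATA,
                                  data + off, chunk);
        if (n == 0) return 0;
        used += n; off += chunk; (*nrec)++;
    }
    return used;
}

/* Receiver: parse one record from buf[0..avail) into body (body_cap bytes).
 * The length is validated before any copy, so an oversized record cannot
 * overrun the buffer; *consumed tells the caller how much input was used. */
int tls_read_record(const uint8_t *buf, size_t avail, uint8_t *body,
                    size_t body_cap, size_t *body_len, size_t *consumed)
{
    size_t len;
    *body_len = 0; *consumed = 0;
    if (avail < TLS_HDR_LEN) return TLS_NEED_MORE;
    if (buf[0] < 20 || buf[0] > 23 || buf[1] != 3) return TLS_BAD_HDR;
    len = ((size_t)buf[3] << 8) | buf[4];
    if (len > TLS_MAX_PLAINTEXT || len > body_cap) return TLS_TOO_LONG;
    if (avail < TLS_HDR_LEN + len) return TLS_NEED_MORE;
    memcpy(body, buf + TLS_HDR_LEN, len);
    *body_len = len;
    *consumed = TLS_HDR_LEN + len;
    return TLS_OK;
}

/* Demo on a constructed 5000-byte payload: once as a single record, once
 * split into 1024-byte records, both received into a DEVICE_BUF_SIZE buffer.
 * Returns how many split records the receiver accepted; *single_rc reports
 * the fate of the unsplit record. */
int tls_demo(int *single_rc)
{
    static uint8_t payload[5000], wire[5000 + 8 * TLS_HDR_LEN], body[DEVICE_BUF_SIZE];
    size_t nrec, wlen, off = 0, blen, used, i;
    int accepted = 0;
    for (i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i;

    wlen = tls_put_record(wire, sizeof wire, TLS_CT_APPLICATION_DATA, payload, sizeof payload);
    *single_rc = tls_read_record(wire, wlen, body, sizeof body, &blen, &used);

    wlen = tls_split_records(payload, sizeof payload, 1024, wire, sizeof wire, &nrec);
    while (off < wlen) {
        if (tls_read_record(wire + off, wlen - off, body, sizeof body, &blen, &used) != TLS_OK) break;
        if (memcmp(body, payload + (size_t)accepted * 1024, blen) != 0) break;
        off += used; accepted++;
    }
    return accepted;
}

int main(void)
{
    int rc, n = tls_demo(&rc);
    printf("unsplit 5000-byte record: %s\n", rc == TLS_TOO_LONG ? "rejected (too long)" : "accepted");
    printf("split into 1024-byte records: %d records accepted\n", n);
    return 0;
}
```

Built on its own with `cc -std=c99`, the demo rejects the single 5000-byte record on its length field alone and accepts all five of the 1024-byte-or-smaller records. The point for the embedded side is that a small receive buffer must be enforced at the header, before the body arrives, which is what a 2 kB Mbed TLS record buffer amounts to. On the OpenSSL side, the setting that bounds the body of each record it sends is `SSL_CTX_set_max_send_fragment()` / `SSL_set_max_send_fragment()` (a note added here, not part of the thread); the splitting loop above is the behaviour that limit asks the sender to produce.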