[PATCH] fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

Daniel Lenski dlenski at gmail.com
Wed Aug 16 12:12:18 PDT 2017


On Tue, Aug 15, 2017 at 2:17 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> So from wire packet MTU, subtract headers and MAC and IV, round *down*
>> to a multiple of blocksize, subtract one byte for the *minimal*
>> padding, and that's the largest payload you can carry.
>
> Aha, thanks, I'll look at dtls_get_data_mtu() and try to get this exactly right.

I've got a patch to do exactly what you described for the ESP-based MTU.

As long as I'm on this, however, many GP users are unable to use ESP
(firewalls, misconfiguration, etc.).

So when ESP is not in use, I think I should set the MTU using the TCP
MSS… but then I'd have to account for the *TLS* overhead. Does GnuTLS
have a library function to compute the maximum-size TLS application
record that can fit in a single TCP segment? I couldn't find anything.

Dan
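The rule David quotes above, as an added example that is not part of this message or of OpenConnect's own dtls_get_data_mtu(): take the wire MTU, remove the fixed headers plus MAC and IV, round down to the cipher block size, then remove the minimal trailer that must ride inside the last block. The header and cipher sizes in main() are assumed illustrative values (IPv4 + UDP, a 13-byte DTLS record header, a 20-byte SHA-1 MAC; UDP-encapsulated ESP with its 8-byte SPI/sequence header and a 12-byte truncated ICV), not figures from the thread; the one-byte padding in the quote is generalized to a min_trailer argument so the same arithmetic covers ESP's two trailer bytes (pad length + next header).

```c
#include <stdio.h>

/* Largest payload that fits in one wire packet of size mtu.
 * headers:     everything outside the encrypted portion (IP, UDP, record/ESP header)
 * mac_len:     MAC / ICV appended to the packet
 * iv_len:      explicit IV in front of the ciphertext
 * blocksize:   cipher block size the encrypted portion is padded to
 * min_trailer: bytes that must sit inside the encrypted portion besides the
 *              payload (1 for TLS/DTLS CBC padding-length byte, 2 for ESP)
 * Returns 0 if nothing fits. All sizes in bytes. */
static unsigned int max_payload(unsigned int mtu, unsigned int headers,
                                unsigned int mac_len, unsigned int iv_len,
                                unsigned int blocksize, unsigned int min_trailer)
{
    unsigned int fixed = headers + mac_len + iv_len;
    if (blocksize == 0 || mtu <= fixed)
        return 0;
    unsigned int room = mtu - fixed;   /* space left for the padded plaintext */
    room -= room % blocksize;          /* round *down* to a whole number of blocks */
    if (room <= min_trailer)
        return 0;
    return room - min_trailer;         /* minimal padding/trailer, nothing more */
}

/* Cross-check: does a payload of this size really fit once padded up? */
static int payload_fits(unsigned int payload, unsigned int mtu, unsigned int headers,
                        unsigned int mac_len, unsigned int iv_len,
                        unsigned int blocksize, unsigned int min_trailer)
{
    unsigned int plain = payload + min_trailer;
    unsigned int padded = (plain + blocksize - 1) / blocksize * blocksize;
    return headers + iv_len + padded + mac_len <= mtu;
}

int main(void)
{
    /* Assumed values: DTLS over IPv4/UDP, AES-128-CBC (16-byte IV/block), SHA-1 MAC */
    unsigned int dtls = max_payload(1500, 20 + 8 + 13, 20, 16, 16, 1);
    /* Assumed values: UDP-encapsulated ESP, AES-128-CBC, HMAC-SHA1-96 ICV */
    unsigned int esp  = max_payload(1500, 20 + 8 + 8, 12, 16, 16, 2);
    printf("DTLS payload: %u (fits: %d)\n", dtls,
           payload_fits(dtls, 1500, 41, 20, 16, 16, 1));
    printf("ESP payload:  %u (fits: %d)\n", esp,
           payload_fits(esp, 1500, 36, 12, 16, 16, 2));
    return 0;
}
```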