problems with TLS offload - unexpected CSTP length

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Dec 9 06:05:32 PST 2015


On Wed, Dec 9, 2015 at 2:33 PM, Eugene Istomin <E.Istomin at edss.ee> wrote:
> Nikos,

> ocserv[16828]: worker[VPN]: {IP} writing 60 byte(s) to TUN
> ocserv[16828]: worker[VPN]: {IP} received 272 byte(s) (TLS)
> ocserv[16828]: worker[VPN]: {IP} unexpected CSTP length (have 60, should be 264)
> ocserv[16828]: worker[VPN]: {IP} worker-vpn.c:1094: error parsing CSTP data
> ...

Ok. My understanding is that haproxy breaks a TLS packet received
(with 264 bytes of payload) into multiple writes to the ocserv socket.
That's a bummer. Because ocserv doesn't attempt to reconstruct the
packet (in the TLS case it is not necessary as the TLS boundaries are
sufficient), this error occurs. Is there a way to instruct haproxy to
pass the full packet received rather than doing multiple writes?
Otherwise we may need some reconstruction logic for that situation.

regards,
Nikos
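As an added example, not ocserv's code and not posted by anyone in this thread, the C sketch below shows the kind of reconstruction logic mentioned above. When the proxy terminates TLS, the worker sees a plain TCP byte stream with no record boundaries, so each read() must be treated as an arbitrary slice of that stream and frames recovered from the 8-byte CSTP header ("STF" 0x01, a 16-bit big-endian payload length, a type byte, a zero byte). The reassembler copes with both a frame split across several reads and several frames arriving in one read; note that the quoted error compares the header's length field (60) against bytes received minus the header (272 - 8 = 264), which is why a TLS-record parser trips over either case. The struct and function names, the sample frames and the `junk` input are invented for this example; the header layout and the type values are the standard CSTP ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CSTP frame header, 8 bytes: "STF" 0x01 | 16-bit big-endian payload length | type | 0x00 */
#define CSTP_HDR_LEN     8
#define CSTP_MAX_PAYLOAD 65535          /* the length field is 16 bits */

enum cstp_type { CSTP_DATA = 0x00, CSTP_DPD_REQ = 0x03, CSTP_DPD_RESP = 0x04, CSTP_KEEPALIVE = 0x07 };

/* Reassembly state for one plaintext stream from the proxy (hypothetical struct, not ocserv's). */
struct cstp_reasm {
    uint8_t buf[CSTP_HDR_LEN + CSTP_MAX_PAYLOAD];   /* room for one maximum-size frame */
    size_t  used;                                    /* bytes currently buffered */
};

typedef void (*cstp_frame_cb)(uint8_t type, const uint8_t *payload, size_t len, void *ctx);

/* Serialise one frame into out; returns header + payload length. */
size_t cstp_build(uint8_t type, const uint8_t *payload, size_t len, uint8_t *out)
{
    out[0] = 'S'; out[1] = 'T'; out[2] = 'F'; out[3] = 1;
    out[4] = (uint8_t)(len >> 8); out[5] = (uint8_t)len;
    out[6] = type; out[7] = 0;
    if (len) memcpy(out + CSTP_HDR_LEN, payload, len);
    return CSTP_HDR_LEN + len;
}

/* Feed the bytes returned by one read() on the plaintext socket. Every complete frame is
 * handed to cb; a trailing partial frame is kept for the next call. Returns the number of
 * frames delivered, or -1 when the buffer does not start with a CSTP header (caller closes). */
int cstp_feed(struct cstp_reasm *r, const uint8_t *data, size_t n, cstp_frame_cb cb, void *ctx)
{
    int delivered = 0;
    while (n > 0) {
        /* After draining, the buffer holds strictly less than one frame and a frame is at
         * most sizeof(buf), so there is always room for at least one more byte. */
        size_t room = sizeof(r->buf) - r->used;
        size_t take = n < room ? n : room;
        memcpy(r->buf + r->used, data, take);
        r->used += take; data += take; n -= take;

        for (;;) {                                         /* drain all complete frames */
            if (r->used < CSTP_HDR_LEN) break;             /* header not complete yet */
            if (memcmp(r->buf, "STF\x01", 4) != 0 || r->buf[7] != 0)
                return -1;                                 /* stream is desynchronised */
            size_t plen = ((size_t)r->buf[4] << 8) | r->buf[5];
            size_t flen = CSTP_HDR_LEN + plen;
            if (r->used < flen) break;                     /* payload still in flight */
            cb(r->buf[6], r->buf + CSTP_HDR_LEN, plen, ctx);
            delivered++;
            memmove(r->buf, r->buf + flen, r->used - flen); /* shift the remainder down */
            r->used -= flen;
        }
    }
    return delivered;
}

struct tally { int frames; size_t payload_bytes; uint8_t last_type; };

static void tally_cb(uint8_t type, const uint8_t *payload, size_t len, void *ctx)
{
    struct tally *t = ctx; (void)payload;
    t->frames++; t->payload_bytes += len; t->last_type = type;
}

/* Constructed sample stream: a 60-byte data frame, a 196-byte data frame (68 + 204 = 272
 * bytes on the wire) and a DPD request with no payload. Returns total bytes written (280). */
static size_t sample_stream(uint8_t *out)
{
    uint8_t p1[60], p2[196];
    memset(p1, 'a', sizeof p1); memset(p2, 'b', sizeof p2);
    size_t off = 0;
    off += cstp_build(CSTP_DATA, p1, sizeof p1, out + off);
    off += cstp_build(CSTP_DATA, p2, sizeof p2, out + off);
    off += cstp_build(CSTP_DPD_REQ, NULL, 0, out + off);
    return off;
}

/* Deliver the sample stream in reads of `chunk` bytes (0 = one read carrying everything).
 * Returns the number of frames reassembled, which is 3 however the reads are sliced,
 * or -1 if parsing failed or leftover bytes/totals are wrong. */
int cstp_demo(size_t chunk)
{
    uint8_t stream[512];
    size_t total = sample_stream(stream);
    struct cstp_reasm r = { {0}, 0 };
    struct tally t = { 0, 0, 0 };
    if (chunk == 0 || chunk > total) chunk = total;
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = total - off < chunk ? total - off : chunk;
        if (cstp_feed(&r, stream + off, n, tally_cb, &t) < 0) return -1;
    }
    if (r.used != 0 || t.payload_bytes != 256 || t.last_type != CSTP_DPD_REQ) return -1;
    return t.frames;
}

/* Bytes that do not begin with a CSTP header are rejected instead of being parsed. */
int cstp_demo_bad_magic(void)
{
    static const uint8_t junk[] = "GET / HTTP/1.1\r\n";   /* constructed input */
    struct cstp_reasm r = { {0}, 0 };
    struct tally t = { 0, 0, 0 };
    return cstp_feed(&r, junk, sizeof junk - 1, tally_cb, &t);
}

int main(void)
{
    printf("one read: %d frames, 1-byte reads: %d frames, 272-byte reads: %d frames, junk: %d\n",
           cstp_demo(0), cstp_demo(1), cstp_demo(272), cstp_demo_bad_magic());
    return 0;
}
```

The design choice worth noting is that a 16-bit length field bounds the buffer at 64 KiB per connection, so a peer cannot force unbounded buffering; a header that fails the magic check is treated as loss of synchronisation, since there is no reliable way to resynchronise a byte stream once a length field has been misread.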


