problems with TLS offload - unexpected CSTP length

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Dec 15 14:10:07 PST 2015


On Wed, 2015-12-09 at 15:05 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Dec 9, 2015 at 2:33 PM, Eugene Istomin <E.Istomin at edss.ee> 
> wrote:
> > Nikos,
> 
> > ocserv[16828]: worker[VPN]: {IP} writing 60 byte(s) to TUN
> > ocserv[16828]: worker[VPN]: {IP} received 272 byte(s) (TLS)
> > ocserv[16828]: worker[VPN]: {IP} unexpected CSTP length (have 60, 
> > should be 264)
> > ocserv[16828]: worker[VPN]: {IP} worker-vpn.c:1094: error parsing 
> > CSTP data
> > ...
> Ok. My understanding is that haproxy breaks a TLS packet received
> (with 264 bytes of payload) into multiple writes to ocserv socket.
> That's a bummer. Because ocserv doesn't attempt to reconstruct the
> packet (in the TLS case it is not necessary as the TLS boundaries are
> sufficient), this error occurs. Is there a way to instruct haproxy to
> pass the full packet received rather than doing multiple writes?
> Otherwise we may need some reconstruction logic for that situation.

I've put together a quick patch which reconstructs the CSTP packets if
they are incomplete which should solve this issue. Please test as
making a reproducer for that issue would take quite some time.

https://gitlab.com/ocserv/ocserv/uploads/21bd8fc3040ecfe4018d02ee87d6410c/patch.txt

regards,
Nikos
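The reconstruction logic discussed in this message, written out as an added example in Python (my own sketch for illustration, not Nikos's patch and not ocserv's code). It assumes the 8-byte CSTP header layout used by OpenConnect/ocserv (4-byte "STF\x01" magic, 2-byte big-endian payload length, 1-byte packet type, 1 reserved byte), a hypothetical 16 KiB payload cap, and constructed sample frames. `parse_one_read` is the boundary-dependent check that produces an "unexpected CSTP length" style error when a proxy splits a record across writes; `CstpReassembler` keeps a per-connection buffer and emits frames whenever enough bytes have arrived, so it goes beyond the split-write case and also copes with reads that merge several frames or end mid-header.

```python
"""Reassembling CSTP frames from a byte stream, independent of TLS-record or read boundaries."""
import struct

CSTP_MAGIC = b"STF\x01"   # every CSTP frame starts with these four bytes
CSTP_HDR_LEN = 8          # magic(4) + payload length(2, big-endian) + type(1) + reserved(1)

# CSTP packet types as used by OpenConnect/ocserv (only the ones the sample needs).
CSTP_DATA, CSTP_DPD_REQ, CSTP_DPD_RESP, CSTP_DISCONNECT, CSTP_KEEPALIVE = 0x00, 0x03, 0x04, 0x05, 0x07


class CstpFramingError(ValueError):
    """Raised when the byte stream cannot be a valid CSTP frame sequence."""


def cstp_frame(ptype, payload=b""):
    """Build one CSTP frame (header + payload); used here only for constructed samples."""
    return CSTP_MAGIC + struct.pack("!H", len(payload)) + bytes([ptype, 0]) + payload


def parse_one_read(data):
    """Boundary-dependent parsing: one read must contain exactly one frame.

    Fine when every read is one TLS record, but a proxy that splits a record
    across writes makes the length field disagree with the bytes in hand.
    """
    if len(data) < CSTP_HDR_LEN or data[:4] != CSTP_MAGIC:
        raise CstpFramingError("bad or truncated CSTP header")
    (plen,) = struct.unpack("!H", data[4:6])
    if plen != len(data) - CSTP_HDR_LEN:
        raise CstpFramingError("unexpected CSTP length (have %d, should be %d)"
                               % (plen, len(data) - CSTP_HDR_LEN))
    return data[6], data[CSTP_HDR_LEN:]


class CstpReassembler:
    """Buffers socket reads and yields complete frames however the bytes were split or merged."""

    def __init__(self, max_payload=16384):
        # Cap (assumed value, not from ocserv) so a peer or proxy cannot force unbounded buffering.
        self.buf = bytearray()
        self.max_payload = max_payload

    def feed(self, chunk):
        """Append one read's worth of bytes; return (type, payload) for every frame now complete."""
        self.buf += chunk
        frames = []
        while len(self.buf) >= CSTP_HDR_LEN:
            if self.buf[:4] != CSTP_MAGIC:
                raise CstpFramingError("lost CSTP framing: %r" % bytes(self.buf[:4]))
            (plen,) = struct.unpack("!H", self.buf[4:6])
            if plen > self.max_payload:
                raise CstpFramingError("CSTP payload length %d exceeds cap" % plen)
            total = CSTP_HDR_LEN + plen
            if len(self.buf) < total:
                break                      # wait for the rest of this frame
            frames.append((self.buf[6], bytes(self.buf[CSTP_HDR_LEN:total])))
            del self.buf[:total]
        return frames

    def pending(self):
        """Bytes held back because they do not yet form a complete frame."""
        return len(self.buf)


def demo():
    """Constructed sample: a 264-byte data frame (272 bytes on the wire) delivered as
    writes of 60 and 212 bytes, then a keepalive and a DPD request merged into one write
    with the DPD header cut after three bytes. Returns what each approach produced."""
    data_frame = cstp_frame(CSTP_DATA, bytes(range(256)) + b"\x00" * 8)
    first, second = data_frame[:60], data_frame[60:]

    try:
        parse_one_read(first)
        strict_result = "accepted"
    except CstpFramingError as e:
        strict_result = str(e)

    rs = CstpReassembler()
    frames = rs.feed(first)                       # incomplete: nothing emitted yet
    frames += rs.feed(second + cstp_frame(CSTP_KEEPALIVE) + cstp_frame(CSTP_DPD_REQ)[:3])
    frames += rs.feed(cstp_frame(CSTP_DPD_REQ)[3:])
    return strict_result, [(t, len(p)) for t, p in frames], rs.pending()


if __name__ == "__main__":
    print(demo())
```

The buffer must be per connection (per worker), and the cap on the length field matters once you accept partial reads: without it a malformed header could make the reassembler hold memory indefinitely waiting for bytes that never come.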