Re: ssl negotiation failed with Microsoft IIS
From: Alun Jones [MS MVP - Security] (alun_at_texis.invalid)
Date: 05/21/04
Date: Fri, 21 May 2004 16:24:28 GMT
In article <e9yo5TFPEHA.2740@TK2MSFTNGP11.phx.gbl>, Eugene Mayevski
<mayevski@eldos.org> wrote:
>The bug is that some students in MS (and in Sun) didn't study well and
>didn't learn that TCP is a stream protocol, not a message protocol. What
>they assume is that if they read the data (SSL packet) from the socket
>with one call, then they either read the whole packet or they drop the
>connection. They can fail when you write the first SSL packet header, then
>the data and then the MAC, with more than one send() call. In this case chances
>are that the recipient (IIS) will receive one or two pieces of the three
>mentioned. The solution is to write all three pieces into one buffer and
>send this buffer with one send() call.
Of course, since the data is logically connected, you really should do it
all in one send call, to avoid trapping yourself in Nagle and delayed ACK
problems, particularly with small messages.
I'd be surprised if IIS currently fails completely with incomplete messages
- this is one of those things that you learn very early on. Unfortunately
I'm too busy to write a test case right now - I don't suppose you have one
handy? If I can verify this problem, I should be able to get it fixed for
you.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
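The receiving side of the point made in this exchange, as an added example that is not from either poster and is not IIS or any product code: a reader that reassembles SSL/TLS records from a byte stream no matter how the peer's send() calls split them, and that reports a record cut off by a closed connection instead of treating a fragment as a record. A constructed in-memory stream stands in for the socket, and the wire bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define REC_HDR 5   /* SSL/TLS record header: type (1), version (2), length (2) */

/* Constructed stand-in for a socket: hands out at most `chunk` bytes per call,
   mimicking a peer that sent header, data and MAC with separate send() calls. */
typedef struct { const uint8_t *buf; size_t len, pos, chunk; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *out, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    if (n > s->chunk) n = s->chunk;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

/* Loop until exactly `need` bytes have arrived; returns 0 on EOF/truncation. */
static int read_exact(stream_t *s, uint8_t *out, size_t need) {
    for (size_t got = 0; got < need; ) {
        size_t n = stream_read(s, out + got, need - got);
        if (n == 0) return 0;
        got += n;
    }
    return 1;
}

/* Reassemble one complete record (header + body) into rec; returns its total
   length, or -1 on an oversized length or a connection closed mid-record. */
int read_record(stream_t *s, uint8_t *rec, size_t cap) {
    if (!read_exact(s, rec, REC_HDR)) return -1;
    size_t body = ((size_t)rec[3] << 8) | rec[4];
    if (body > 16384 + 2048 || REC_HDR + body > cap) return -1; /* spec bound */
    if (!read_exact(s, rec + REC_HDR, body)) return -1;
    return (int)(REC_HDR + body);
}

/* Constructed wire bytes: two application-data records, "abc" and "z". */
static const uint8_t WIRE[] = { 0x17,0x03,0x01,0x00,0x03,'a','b','c',
                                0x17,0x03,0x01,0x00,0x01,'z' };

/* Records recovered when the bytes arrive `chunk` at a time; `avail` limits
   how much of WIRE the peer ever sent, to simulate a connection cut mid-record. */
int records_read(size_t chunk, size_t avail) {
    stream_t s = { WIRE, avail < sizeof WIRE ? avail : sizeof WIRE, 0, chunk };
    uint8_t rec[64]; int count = 0;
    while (read_record(&s, rec, sizeof rec) > 0) count++;
    return count;   /* 2 for any chunk size when avail >= 14; 0 when avail is 7 */
}
```

The same loop works over a real socket by replacing stream_read with recv(), since recv() likewise returns however many bytes happen to be queued, which is the property the quoted post says the buggy implementations ignore.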