Question

我正在尝试使用C编写的客户端应用程序的连接尝试。我还用C编写了服务器。它描述了TLSv1.2握手和客户端证书的交换。

第一次转储

21:58:54.472800 IP client.host50766 > server.host5995: Flags [S], seq 1085811090, win 14600, options [mss 1460,sackOK,TS val 4437544 ecr 0,nop,wscale 6], length 0
21:58:54.473049 IP server.host5995 > client.host50766: Flags [S.], seq 3283511122, ack 1085811091, win 14480, options [mss 1460,sackOK,TS val 4436964 ecr 4437544,nop,wscale 6], length 0
21:58:54.473069 IP client.host50766 > server.host5995: Flags [.], ack 1, win 229, options [nop,nop,TS val 4437544 ecr 4436964], length 0
21:58:54.473736 IP client.host50766 > server.host5995: Flags [P.], seq 1:102, ack 1, win 229, options [nop,nop,TS val 4437545 ecr 4436964], length 101
21:58:54.473843 IP server.host5995 > client.host50766: Flags [.], ack 102, win 227, options [nop,nop,TS val 4436965 ecr 4437545], length 0
**21:58:54.474478 IP server.host5995 > client.host50766: Flags [P.], seq 1:2234, ack 102, win 227, options [nop,nop,TS val 4436965 ecr 4437545], length 2233**
21:58:54.474529 IP client.host50766 > server.host5995: Flags [.], ack 2234, win 298, options [nop,nop,TS val 4437545 ecr 4436965], length 0
21:58:54.475934 IP client.host50766 > server.host5995: Flags [.], seq 102:1550, ack 2234, win 298, options [nop,nop,TS val 4437545 ecr 4436965], length 1448
21:58:54.475997 IP client.host50766 > server.host5995: Flags [P.], seq 1550:2548, ack 2234, win 298, options [nop,nop,TS val 4437545 ecr 4436965], length 998
21:58:54.476125 IP server.host5995 > client.host50766: Flags [.], ack 2548, win 303, options [nop,nop,TS val 4436965 ecr 4437545], length 0
21:58:54.478441 IP server.host5995 > client.host50766: Flags [P.], seq 2234:3324, ack 2548, win 303, options [nop,nop,TS val 4436966 ecr 4437545], length 1090
21:58:54.517533 IP client.host50766 > server.host5995: Flags [.], ack 3324, win 344, options [nop,nop,TS val 4437556 ecr 4436966], length 0

第二次转储

21:58:45.427868 IP client.host50765 > server.host5995: Flags [S], seq 76713337, win 14600, options [mss 1460,sackOK,TS val 4435283 ecr 0,nop,wscale 6], length 0
21:58:45.428082 IP server.host5995 > client.host50765: Flags [S.], seq 2802620812, ack 76713338, win 14480, options [mss 1460,sackOK,TS val 4434703 ecr 4435283,nop,wscale 6], length 0
21:58:45.428101 IP client.host50765 > server.host5995: Flags [.], ack 1, win 229, options [nop,nop,TS val 4435283 ecr 4434703], length 0
21:58:45.429034 IP client.host50765 > server.host5995: Flags [P.], seq 1:102, ack 1, win 229, options [nop,nop,TS val 4435283 ecr 4434703], length 101
21:58:45.429248 IP server.host5995 > client.host50765: Flags [.], ack 102, win 227, options [nop,nop,TS val 4434704 ecr 4435283], length 0
**21:58:45.429389 IP server.host5995 > client.host50765: Flags [.], seq 1:1449, ack 102, win 227, options [nop,nop,TS val 4434704 ecr 4435283], length 1448**
21:58:45.429458 IP client.host50765 > server.host5995: Flags [.], ack 1449, win 274, options [nop,nop,TS val 4435284 ecr 4434704], length 0
**21:58:45.429509 IP server.host5995 > client.host50765: Flags [P.], seq 1449:2234, ack 102, win 227, options [nop,nop,TS val 4434704 ecr 4435283], length 785**
21:58:45.429544 IP client.host50765 > server.host5995: Flags [.], ack 2234, win 319, options [nop,nop,TS val 4435284 ecr 4434704], length 0
21:58:45.431700 IP client.host50765 > server.host5995: Flags [.], seq 102:1550, ack 2234, win 319, options [nop,nop,TS val 4435284 ecr 4434704], length 1448
21:58:45.431785 IP client.host50765 > server.host5995: Flags [P.], seq 1550:2548, ack 2234, win 319, options [nop,nop,TS val 4435284 ecr 4434704], length 998
21:58:45.432803 IP server.host5995 > client.host50765: Flags [.], ack 2548, win 303, options [nop,nop,TS val 4434705 ecr 4435284], length 0
21:58:45.434776 IP server.host5995 > client.host50765: Flags [P.], seq 2234:3324, ack 2548, win 303, options [nop,nop,TS val 4434705 ecr 4435284], length 1090
21:58:45.473490 IP client.host50765 > server.host5995: Flags [.], ack 3324, win 364, options [nop,nop,TS val 4435295 ecr 4434705], length 0

如**所示，有时服务器会发送大小为2234的完整包，有时它不会。这是为什么？有没有办法让这种行为更加稳定？我已经设置了

SSL_CTX_set_options(ctx,SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_options(ctx,SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

我还在服务器套接字上设置TCP_NODELAY以禁用NAGLE，但它不会改变任何内容。

我已经为这两种情况上传了pcap文件：https://db.tt/PajbHdl3

Answer 1

编辑：我不再认为这是PMTU 我想这是由于PMTU（路径MTU发现），例如服务器确定数据包可以拥有的最大大小而不会被分段，并且对于同一主机的进一步数据，数据包变小（所有数据包都<= 1448字节）。

从这些细节我不知道为什么服务器问候（和证书？）有时会在一个数据包中发送。也许你可以通过检查wireshark在哪个数据包中发送SSL协议的哪些部分来提供更多细节。

无论如何，我认为不需要使这种行为更加一致：TCP（和SSL）是流而不是数据包协议，如果有效载荷或协议数据被分成多个TCP数据包应该无关紧要。

连接建立时OpenSSL各种编号包（PSH）

1 个答案: