Discover how to optimize the size of Application records when using `mbedtls` for SSL over TCP by understanding coalescing techniques.
---
This video is based on the question https://stackoverflow.com/q/73523139/ asked by the user 'Sam Kumar' ( https://stackoverflow.com/u/10200235/ ) and on the answer https://stackoverflow.com/a/73548444/ provided by the user 'Gilles 'SO- stop being evil'' ( https://stackoverflow.com/u/387076/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: mbedtls Application Record Size
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding mbedtls Application Record Size: Optimizing Your TLS Writes
When working with SSL over TCP using mbedtls, you might encounter a situation where the data you send is too fragmented into smaller records. This can lead to inefficiencies, particularly when sending many small chunks of data, which can add unnecessary overhead due to TLS headers. If you’ve noticed that your mbedtls_ssl_write calls generate Application records that match your write size directly, causing concern over bandwidth loss, you are not alone. Let's dive into what you can do about it and how to optimize your mbedtls writes.
The Problem
As you're likely aware, the way data is written over a connection can significantly affect performance. It seems you are experiencing a non-ideal situation where small writes (like 52-byte chunks) lead to small TLS records being generated, which is less efficient than sending larger records, such as those created with 520-byte writes. Given the overhead associated with each TLS header, this can result in unnecessary bandwidth usage.
Key Observations
Direct Correlation: Each call to mbedtls_ssl_write creates a one-to-one relationship with Application records.
Small Record Disadvantages: Small writes lead to more TLS headers and, hence, more bandwidth consumption.
Need for Coalescing: You're looking for a method to coalesce these smaller writes into larger records, similar to how TCP can merge packets.
The Solution Explained
Understanding Security Contexts
First, it's essential to recognize that with TLS, when you call mbedtls_ssl_write, the data is immediately encrypted and wrapped into a TLS record. This process is significantly different from how TCP handles data, where the network stack can coalesce packets based on timing and readiness to send. With TLS, the network stack doesn’t have the necessary cryptographic keys to merge records. This means that once data is sent through mbedtls, it's done.
Buffering Data Before Sending
To achieve the coalescing you're after, you have two primary paths: buffer the data yourself before sending or rely on the TLS stack to provide an appropriate interface for this buffering. Let's explore buffering the data yourself since it's a straightforward and effective solution.
Steps to Buffer Your Data
Create a Temporary Buffer: Set up a temporary buffer in your application to hold your writes before processing them for transmission.
Implement a Conditional Send Method:
Input Function: Create a function that allows you to write data into the temporary buffer without sending immediately.
Send Trigger: Design another function that sends the buffered data when you're ready—this could be triggered based on buffer size, specific events, or time intervals.
Using memcpy: When the temporary buffer fills to a certain size or when you're ready to transmit the buffer, use memcpy to transfer your temporary data to the TLS interface and call mbedtls_ssl_write on that.
Example Implementation Strategy
Here’s a simple pseudo-code outline for the approach:
[[See Video to Reveal this Text or Code Snippet]]
This pseudo-code demonstrates the concept but should be tailored to your application's requirements and safety features.
Conclusion
Addressing the fragmentation of Application records when using mbedtls is key to optimizing your TLS over TCP experience. While you can’t rely on the TLS stack to manage coalescing natively, implementing your buffering mechanism will grant you control over how and when data is sent without incurring unnecessary overhead. As you develop your solution, keep in mind the importance of flexibility, ensuring your application remains robust and efficient. By following these steps, you can effectively minimize TLS header
Информация по комментариям в разработке