Topic: [SOLVED] Max frag length

As also stated on https://www.wolfssl.com/using-maximum-f … h-wolfssl/
the maximum fragment length is  2^14 = 0x4000 = 16384 bytes.

When configured with --enable-maxfragment the wolfSSL client sends something with
the client HELLO message to the server, which responds with the actual frag length
to be used (am I correct?).

In the source I find the following:

int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap)
{
...
    if (extensions == NULL || mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX)
        return BAD_FUNC_ARG;
...

where

/* Fragment lengths */
enum {
    WOLFSSL_MFL_2_9  = 1, /*  512 bytes */
    WOLFSSL_MFL_2_10 = 2, /* 1024 bytes */
    WOLFSSL_MFL_2_11 = 3, /* 2048 bytes */
    WOLFSSL_MFL_2_12 = 4, /* 4096 bytes */
    WOLFSSL_MFL_2_13 = 5, /* 8192 bytes *//* wolfSSL ONLY!!! */
    WOLFSSL_MFL_2_8  = 6, /*  256 bytes *//* wolfSSL ONLY!!! */
    WOLFSSL_MFL_MIN  = WOLFSSL_MFL_2_9,
    WOLFSSL_MFL_MAX  = WOLFSSL_MFL_2_8,
};

In other words, you are only allowed to pass for mfl: 1, 2, 3, 4, 5 or 6 with
the meanings: 512, 1024, 2048, 4096, 8192 and 256 bytes.

There is no 16384 bytes.

Also, the server reply is decoded by TLSX_MFL_Parse:

static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
                                                                 byte isRequest)
{
...
    switch (*input) {
        case WOLFSSL_MFL_2_8 : ssl->max_fragment =  256; break;
        case WOLFSSL_MFL_2_9 : ssl->max_fragment =  512; break;
        case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break;
        case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break;
        case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break;
        case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break;

        default:
            SendAlert(ssl, alert_fatal, illegal_parameter);

            return UNKNOWN_MAX_FRAG_LEN_E;
    }
...

again restricting the possible fragment size to a maximum of 8192 bytes.

What happened to the (allowed) value of 16384?


Re: [SOLVED] Max frag length

Also, I need to know the negotiated size. But there is no way to access that, hmm (ssl->max_fragment cannot be accessed because 'struct WOLFSSL' is only declared, not defined).


Re: [SOLVED] Max frag length

RFC 6066, section 4, defines the Max Fragment Length extension. 2^14 is not a value allowed by the extension, as that is the default maximum size of a TLS record. You indicate that size by not using the MFL extension. If the server accepts the MFL request, it shall reply with a MFL extension of its own with the same requested size tag.

We added options 5 and 6 for our own testing. They only work when wolfSSL is on either side.

There isn't an accessor for the MFL on a session. It is normally handled automatically inside the library. Nobody has requested an accessor for the value. The client application should already know what the value is, since it set the value.

Note: RFC 8449, section 5, obsoletes the MFL for TLSv1.3.
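
The encoding and the client-side check described above (RFC 6066, section 4), as an added example that is not part of this thread and not wolfSSL's own code: the extension body is one code byte, the absence of the extension is what selects the 2^14 default, and a server reply that does not echo the requested code must be treated as illegal_parameter. Codes 5 and 6 are the wolfSSL-only values from the first post; all function and macro names here are assumptions made for the example.

```c
/* Added example, not wolfSSL code: RFC 6066 Max Fragment Length (MFL) extension
 * body encode/decode and the client-side check of the server's reply.
 * Names are assumptions; codes 5 and 6 are the wolfSSL-only values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MFL_DEFAULT_BYTES 16384   /* 2^14: the TLS record limit when no MFL is negotiated */
#define MFL_NONE 0                /* "no extension sent"; not a wire value */

enum { MFL_2_9 = 1, MFL_2_10 = 2, MFL_2_11 = 3, MFL_2_12 = 4,
       MFL_2_13 = 5, MFL_2_8 = 6 }; /* 1-4 from RFC 6066; 5 and 6 wolfSSL-only */

/* Map an MFL code to the fragment size it selects, 0 for an unknown code.
 * MFL_NONE maps to the 2^14 default, which is why no code means 16384. */
size_t mfl_code_to_bytes(uint8_t code) {
    switch (code) {
        case MFL_NONE: return MFL_DEFAULT_BYTES;
        case MFL_2_9:  return 512;
        case MFL_2_10: return 1024;
        case MFL_2_11: return 2048;
        case MFL_2_12: return 4096;
        case MFL_2_13: return 8192;   /* wolfSSL only */
        case MFL_2_8:  return 256;    /* wolfSSL only */
        default:       return 0;
    }
}

/* Build the full extension as it appears in ClientHello/ServerHello:
 * extension_type 1 (2 bytes), extension_data length 1 (2 bytes), the code byte.
 * Returns the number of bytes written, or 0 for an invalid code/short buffer. */
size_t mfl_extension_encode(uint8_t code, uint8_t *out, size_t out_len) {
    if (out_len < 5 || code == MFL_NONE || mfl_code_to_bytes(code) == 0)
        return 0;
    out[0] = 0x00; out[1] = 0x01;   /* extension_type = max_fragment_length (1) */
    out[2] = 0x00; out[3] = 0x01;   /* extension_data length = 1 */
    out[4] = code;
    return 5;
}

/* Client-side validation of the ServerHello. Per RFC 6066 section 4 the server
 * must echo the same code; a different or unknown value is a fatal
 * illegal_parameter. No extension in the reply means the server declined and
 * the 2^14 default applies. Returns the negotiated size in bytes, or 0 when the
 * client must abort the handshake. */
size_t mfl_check_server_reply(uint8_t requested, const uint8_t *ext, size_t ext_len) {
    if (ext == NULL || ext_len == 0)
        return MFL_DEFAULT_BYTES;           /* server sent no MFL extension */
    if (ext_len != 5 || ext[0] != 0 || ext[1] != 1 || ext[2] != 0 || ext[3] != 1)
        return 0;                           /* malformed extension: abort */
    if (ext[4] != requested || mfl_code_to_bytes(ext[4]) == 0)
        return 0;                           /* mismatch: illegal_parameter */
    return mfl_code_to_bytes(ext[4]);
}

int main(void) {
    uint8_t hello_ext[8];
    /* Constructed exchange: client asks for 2^12, server echoes it. */
    size_t n = mfl_extension_encode(MFL_2_12, hello_ext, sizeof hello_ext);
    printf("request bytes: %zu, negotiated: %zu\n", n,
           mfl_check_server_reply(MFL_2_12, hello_ext, n));
    /* Server declined: no extension, so the default 2^14 is in force. */
    printf("no reply -> %zu\n", mfl_check_server_reply(MFL_2_12, NULL, 0));
    /* Server answered with a different code: client must abort. */
    hello_ext[4] = MFL_2_11;
    printf("mismatch -> %zu (0 = abort)\n", mfl_check_server_reply(MFL_2_12, hello_ext, n));
    return 0;
}
```

The check function is the part worth keeping in mind: an application that records the code it requested already knows the negotiated size whenever the handshake succeeds, which is the point made above about not needing an accessor.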

Re: [SOLVED] Max frag length

Thank you! It seems I totally misunderstood what max fragment length meant. Based on this explanation it is now clear to me that I do not need it and I'll remove it from my library.

Note: the reason that I thought I needed it is because I DO need to know what the fragmentation size is in order to avoid less efficient communications; and I thought that without the negotiation it would be rather arbitrary (depending on the server) and that it could differ between servers.
