JSSE wrap creates two tls packets requiring two unwraps. Why?

Question

I am inspecting the behavior of our java application with respect to jsse tls encryption and decryption with a connected openssl client.

First I observed that when I

Answer 1

What you're seeing is two slightly different ways of mitigating the BEAST attack. One way of doing this is to use an empty fragment as it's done with OpenSSL. The JSSE does something similar by sending 1 byte of data and the rest separately.

Here are a few links that may be of interest:

• This answer to a similar question.
• Beat the BEAST with TLS 1.1/1.2 and More.
• The BEAST summary - TLS, CBC, Countermeasures (Update 4).
• Tor and the BEAST SSL attack.