JSSE wrap creates two tls packets requiring two unwraps. Why?

Question

I am inspecting the behavior of our java application with respect to jsse tls encryption and decryption with a connected openssl client.

First I observed that when I call unwrap for client data, it always unwraps consuming 37 bytes and producing 0. The next unwrap consumes some bytes and produces some.

At first I thought the client would wrap an empty array first. But then I discovered that the jsse code does the same, except it produces 1 byte instead of 0.

So every call to a wrap consumes X bytes and produces Y bytes but requires TWO unwraps while the first one consumes 37 bytes and produces 1 byte and the second one consumes Y-37 bytes and produces X-1 bytes.

While openssl and jsse are doing nearly the same, I expect that to be correct. However I would like to know, why that happens. I don't see a reason for that and it takes additional resources...?

Answer 1

What you're seeing is two slightly different ways of mitigating the BEAST attack. One way of doing this is to use an empty fragment as it's done with OpenSSL. The JSSE does something similar by sending 1 byte of data and the rest separately.

Here are a few links that may be of interest:

• This answer to a similar question.
• Beat the BEAST with TLS 1.1/1.2 and More.
• The BEAST summary - TLS, CBC, Countermeasures (Update 4).
• Tor and the BEAST SSL attack.