id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
554,Add support for partial TLS record reads (i.e. support 1/n-1 record splitting),Steffan Karger,,"This ticket is a follow-up for #524. OpenVPN assumes that its control channel messages are sent and received unfragmented, which is actually not conforming to the TLS spec. See RFC5246, section 6.2.1: Client message boundaries are not preserved in the record layer (i.e., multiple client messages of the same ContentType MAY be coalesced into a single TLSPlaintext record, or a single message MAY be fragmented across several records). In practice, this assumption only becomes invalid if 1/n-1 record splitting is enabled in PolarSSL/mbed TLS. As a quick fix for #524, record splitting is explicitly disabled. (That should be fine for openvpn. Record splitting is a countermeasure against the BEAST attack, which requires an attacker to influence the data in the records to obtain other data in the same record. But unlike browsers, openvpn does not give an attacker control over the transmitted data.) Still, I think we should adhere to the spec to be able to support tricks like 1/n-1 splitting. It will make OpenVPN more robust against future changes in SSL libraries.",Bug / Defect,new,major,release 2.7,Crypto,OpenVPN git master branch (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",,,