I am testing an embedded mutual-TLS client based on Mbed TLS 3.6.6 with the following options enabled:
#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
The device uses TLS 1.2 mutual authentication. The current certificate chains are relatively small:
- server
Certificate handshake message: about 1200 bytes
- client
Certificate handshake message: about 900 bytes
With:
#define MBEDTLS_SSL_IN_CONTENT_LEN 4352
#define MBEDTLS_SSL_OUT_CONTENT_LEN 4352
the handshake succeeds.
I then tested TLS Maximum Fragment Length negotiation.
When using MBEDTLS_SSL_MAX_FRAG_LEN_512, the peer accepts the MFL extension. The server-side Certificate message is received correctly by the device, fragmented across multiple TLS records within the negotiated 512-byte limit.
However, when Mbed TLS sends the client Certificate message, it appears to emit it as a single TLS record of about 833 bytes. The peer then aborts the handshake with a fatal record_overflow alert.
With MBEDTLS_SSL_MAX_FRAG_LEN_4096, the same handshake succeeds, because both the server and client Certificate messages fit below the negotiated 4096-byte record limit.
This looks like an asymmetry in MFL handling:
- incoming
Certificate messages are handled correctly when the peer fragments them according to MFL;
- outgoing client
Certificate messages do not appear to be fragmented by Mbed TLS according to the negotiated MFL.
Expected behavior:
After a Maximum Fragment Length value has been negotiated, Mbed TLS should ensure that all outgoing TLSPlaintext records, including handshake records such as the client Certificate message, respect the negotiated maximum fragment length.
Actual behavior:
The outgoing client Certificate message appears to be sent as a single TLS record larger than the negotiated MFL value, causing the peer to abort with record_overflow.
This is relevant for embedded mutual-TLS devices, where MFL is used to reduce runtime RAM usage while still supporting certificate-based authentication.
Please let me know if this is a known limitation, a configuration issue, or an actual bug in the outgoing handshake fragmentation path.
I am testing an embedded mutual-TLS client based on Mbed TLS 3.6.6 with the following options enabled:
The device uses TLS 1.2 mutual authentication. The current certificate chains are relatively small:
Certificatehandshake message: about 1200 bytesCertificatehandshake message: about 900 bytesWith:
the handshake succeeds.
I then tested TLS Maximum Fragment Length negotiation.
When using
MBEDTLS_SSL_MAX_FRAG_LEN_512, the peer accepts the MFL extension. The server-sideCertificatemessage is received correctly by the device, fragmented across multiple TLS records within the negotiated 512-byte limit.However, when Mbed TLS sends the client
Certificatemessage, it appears to emit it as a single TLS record of about 833 bytes. The peer then aborts the handshake with a fatalrecord_overflowalert.With
MBEDTLS_SSL_MAX_FRAG_LEN_4096, the same handshake succeeds, because both the server and clientCertificatemessages fit below the negotiated 4096-byte record limit.This looks like an asymmetry in MFL handling:
Certificatemessages are handled correctly when the peer fragments them according to MFL;Certificatemessages do not appear to be fragmented by Mbed TLS according to the negotiated MFL.Expected behavior:
After a Maximum Fragment Length value has been negotiated, Mbed TLS should ensure that all outgoing TLSPlaintext records, including handshake records such as the client
Certificatemessage, respect the negotiated maximum fragment length.Actual behavior:
The outgoing client
Certificatemessage appears to be sent as a single TLS record larger than the negotiated MFL value, causing the peer to abort withrecord_overflow.This is relevant for embedded mutual-TLS devices, where MFL is used to reduce runtime RAM usage while still supporting certificate-based authentication.
Please let me know if this is a known limitation, a configuration issue, or an actual bug in the outgoing handshake fragmentation path.