How many TCP segments is a reasonable number for a TLS Client Hello? Depending on your network setup, for connecting to bgp.tools until maybe a couple of hours ago the (non reasonable, but real) answer may have been up to 22! It turns out on IPv4 bgp.tools has been advertising the wrong TCP window scale for quite some time, and it's a true testament to TCP's flexibility that any of this was working in the first place. Regardless, connection setups on bgp.tools should now work a little better on IPv4 now that your machine won't have to send 21 extra packets.
benjojo
replied 07 Apr 2026 14:13 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/3785P84Vbq519NSY2l
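To see how the window scale option turns into a segment count, here is an added example (not code from the post or from bgp.tools) that parses the MSS and window scale options out of a raw TCP header, applies the scale to a later segment's window field the way RFC 7323 does, and works out how many segments a Client Hello of a given size would need. The SYN-ACK bytes, the 64-byte raw window and the 1400-byte Client Hello are constructed to reproduce a 22-segment split; the real values from the incident are not on the page.

```python
import struct
from math import ceil

def parse_tcp_options(segment: bytes) -> dict:
    """Extract raw window, MSS (kind 2) and window scale (kind 3) from a TCP header."""
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    window = struct.unpack('!H', segment[14:16])[0]
    opts = segment[20:data_offset]
    found = {'window': window, 'mss': None, 'wscale': None}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # malformed option, stop parsing
            break
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            found['mss'] = struct.unpack('!H', body)[0]
        elif kind == 3 and length == 3:
            found['wscale'] = body[0]
        i += length
    return found

def effective_window(raw_window: int, shift) -> int:
    """Scaled receive window. The SYN's own window field is never scaled; this is
    meant for the window field of a later ACK, with the shift learned from the SYN."""
    return raw_window << min(shift or 0, 14)      # RFC 7323 caps the shift at 14

def client_hello_segments(hello_len: int, mss, eff_window: int) -> int:
    """Segments needed when each one is bounded by both MSS and the peer's window."""
    per_segment = min(mss or 536, eff_window)
    return ceil(hello_len / per_segment)

def build_header(window: int, options: bytes) -> bytes:
    """Constructed SYN-ACK header (ports/sequence numbers are arbitrary sample values)."""
    options += b'\x00' * (-len(options) % 4)      # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack('!HHIIBBHHH', 443, 51234, 1000, 1,
                       data_offset << 4, 0x12, window, 0, 0) + options

# Constructed sample: MSS 1460, NOP, window scale 0 (a scale the server cannot live with
# if it later advertises a tiny raw window).
SAMPLE_SYN_ACK = build_header(65535, b'\x02\x04\x05\xb4\x01\x03\x03\x00')
```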
It was only figured out because of a Fortinet/FortiGate firewall user who wrote an email to me about having weird problems with accessing bgp.tools, and them being patient for debugging on both sides over email. Remember, if you see weird stuff, email it in! It's entirely possible your setup is unearthing some deeply cursed behaviour that the operator would really like to know about. Apparently FortiGates do not like it when you send your TLS Client Hello spread over 10+ packets; I don't really blame them, since that does look quite insane over the wire.
benjojo
replied 07 Apr 2026 14:48 +0000
in reply to: https://hachyderm.io/users/mtz_federico/statuses/116363962481188643
@mtz_federico That's interesting! There should not have been anything stopping that, and RIPE Atlas seems reasonably happy: https://atlas.ripe.net/measurements/161855154/#general If you get this again please send MTRs and/or pcaps etc. to admin@bgp.tools and I would like to investigate it!
bortzmeyer@mastodon...
replied 07 Apr 2026 14:15 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/fV3J3C2wGh984pJ55d
FritzAdalis@infosec...
replied 07 Apr 2026 14:18 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/fV3J3C2wGh984pJ55d
LapTop006@aus.social
replied 07 Apr 2026 14:20 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/3785P84Vbq519NSY2l
@benjojo OpenVPN for a long time used an initial window of 64 bytes for TLS setup. I fixed our corp version to at least do 576; it was long enough ago that I couldn't defend 1280, although they did fix upstream a few months later.
hailey@hails.org
replied 07 Apr 2026 21:44 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/3785P84Vbq519NSY2l
@benjojo a true testament to the fact that being good at computers only means your computers are broken in more novel and exciting ways