Issue with SSL connection and TCP fragmentation

Hi

We are using a DigiConnect ME module to forward a serial port over an Secure Socket connection. Under the serial port configuration we have checked “Automatically establish TCP connections” and “Always connect and maintain connection” with “Secure Sockets” selected as the network service. The other end of the connection is terminated at a Java application using an SSLServerSocket object.

We have recently deployed a DigiConnect ME module on a network that has a very small maximum transmission unit. This limits the TCP connection’s Maximum Segment Size to 536 bytes (which is correctly advertised in the TCP SYN packet when DigiConnect ME is connecting to our server). It has turned out that under such conditions the DigiConnect ME module repeatably drops the SSL connection when data is sent from the server to the module.

From packet traces we have recorded it appears that the module will drop the connection when a TLS application data record gets split between two TCP fragments. This is unlikely on Ethernet networks where MTU is large, but in our case records get split often because of small MTU when sending more than a few characters at a time. However if we artificially force that TLS records get split, this is reproducible even on a Ethernet network with MTU of 1500 bytes.

We would appreciate any help regarding this issue. Is this a known limitation of the TLS implementation on DigiConnect ME modules? Since TCP is a stream-oriented protocol, fragmentation of TLS records shouldn’t ordinarily be an issue and can’t be controlled from the Java application. Are there any known workarounds?

Our module is using firmware version 82000856_F6.

Thank you for your answer.

Looks like you have a firmware with old TCP/IP stack.

Upgrade, check http://www.digi.com/support/productdetail?pid=2466&type=firmware

For your module
POST - http://ftp1.digi.com/support/firmware/82000867_H.bin
EOS - http://ftp1.digi.com/support/firmware/82001116_K4.bin

First update POST and then EOS.
This should resolve.

Thank you for your answer.

Upgrading to 82001116_K4 does appear to solve the problem with the SSL connection. At least in our test environment the module no longer drops connections with small MTU settings.

We have not yet deployed this fix because the upgrade also apparently caused some changes on the serial RCI interface. Because of that our device no longer works with DigiConnect modules that have been upgraded. We are currently investigating this issue.

Best regards