Issue by jrudolph, Tuesday Feb 10, 2015 at 15:16 GMT
Originally opened as https://github.com/akka/akka/issues/16825
spray's latest version of SslTlsSupport is very strict in its handling of truncated messages. It turns out that there are several situations in combination with HTTP where some kind of truncation is likely to happen and produces warnings regularly. For https://groups.google.com/d/topic/spray-user/8FUAZ_QAfs4/discussion I made a quick test of how current browsers deal with potential truncation attacks and it seems that browsers are usually much more lenient than spray.
We should review that situation with the akka-streams SSL implementation and maybe provide a configuration option about how to deal with possible truncation attacks.
See spray/spray#756.
/cc @sirthias