enum { true, false } IsExportable;
enum { null, md5, sha } MACAlgorithm;
enum { null(0), (255) } CompressionMethod;
/* The algorithms specified in CompressionMethod,
   BulkCipherAlgorithm, and MACAlgorithm may be added to. */
struct {
    ConnectionEnd          entity;
    BulkCipherAlgorithm    bulk_cipher_algorithm;
    CipherType             cipher_type;
    uint8                  key_size;
    uint8                  key_material_length;
    IsExportable           is_exportable;
    MACAlgorithm           mac_algorithm;
    uint8                  hash_size;
    CompressionMethod      compression_algorithm;
    opaque                 master_secret[48];
    opaque                 client_random[32];
    opaque                 server_random[32];
} SecurityParameters;
The record layer will use the security parameters to generate the
following six items:
    client write MAC secret
    server write MAC secret
    client write key
    server write key
    client write IV (for block ciphers only)
    server write IV (for block ciphers only)
The client write parameters are used by the server when receiving and
processing records and vice-versa. The algorithm used for generating
these items from the security parameters is described in section 6.3.
RFC 2246 The TLS Protocol Version 1.0 January 1999
Once the security parameters have been set and the keys have been
generated, the connection states can be instantiated by making them
the current states. These current states must be updated for each
record processed. Each connection state includes the following
elements:
compression state
    The current state of the compression algorithm.
cipher state
    The current state of the encryption algorithm. This will consist
    of the scheduled key for that connection. In addition, for block
    ciphers running in CBC mode (the only mode specified for TLS),
    this will initially contain the IV for that connection state and
    be updated to contain the ciphertext of the last block encrypted
    or decrypted as records are processed. For stream ciphers, this
    will contain whatever the necessary state information is to allow
    the stream to continue to encrypt or decrypt data.
MAC secret
    The MAC secret for this connection as generated above.
sequence number
    Each connection state contains a sequence number, which is
    maintained separately for read and write states. The sequence
    number must be set to zero whenever a connection state is made
    the active state. Sequence numbers are of type uint64 and may not
    exceed 2^64-1. A sequence number is incremented after each
    record: specifically, the first record which is transmitted under
    a particular connection state should use sequence number 0.
6.2. Record layer
The TLS Record Layer receives uninterpreted data from higher layers
in non-empty blocks of arbitrary size.
6.2.1. Fragmentation
The record layer fragments information blocks into TLSPlaintext
records carrying data in chunks of 2^14 bytes or less. Client message
boundaries are not preserved in the record layer (i.e., multiple
client messages of the same ContentType may be coalesced into a
single TLSPlaintext record, or a single message may be fragmented
across several records).
struct {
    uint8 major, minor;
} ProtocolVersion;
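The following is an added example, not text from RFC 2246: a sketch of the fragmentation rule and the per-state sequence number described above, together with a receiver that rejects a declared length above 2^14. The names ConnectionState, fragment and parse_records are hypothetical; the 5-byte record header (type, version, uint16 length) and the ContentType value 23 are taken from the TLSPlaintext definition in RFC 2246, which this excerpt ends before reaching.

```python
import struct

MAX_FRAGMENT = 2 ** 14     # 6.2.1: chunks of 2^14 bytes or less
MAX_SEQ = 2 ** 64 - 1      # sequence numbers are uint64
TLS_1_0 = (3, 1)           # ProtocolVersion {major, minor} for TLS 1.0
APPLICATION_DATA = 23      # ContentType value, defined elsewhere in RFC 2246


class ConnectionState:
    """One direction of a connection state; only the sequence number is modeled."""

    def __init__(self):
        self.seq = 0       # zero whenever the state is made the active state

    def next_seq(self):
        """Return the number for the current record, then increment it."""
        if self.seq > MAX_SEQ:
            raise OverflowError("sequence number may not exceed 2^64-1")
        self.seq += 1
        return self.seq - 1


def fragment(data, state, content_type=APPLICATION_DATA, version=TLS_1_0):
    """Split data into TLSPlaintext records; returns [(seq, record_bytes)]."""
    if not data:
        raise ValueError("the record layer takes non-empty blocks")
    out = []
    for off in range(0, len(data), MAX_FRAGMENT):
        chunk = data[off:off + MAX_FRAGMENT]
        header = struct.pack("!BBBH", content_type, *version, len(chunk))
        out.append((state.next_seq(), header + chunk))
    return out


def parse_records(stream):
    """Receiver side: split bytes into (type, version, fragment) tuples."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if length > MAX_FRAGMENT:
            raise ValueError("TLSPlaintext.length exceeds 2^14")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated fragment")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records
```

The sequence number is returned beside each record only for illustration; it is kept in the connection state and is not a field of the record header.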