The DTLS code makes some assumptions that it is using a UDP socket BIO to detect the timeout condition for resend.
When using another BIO type (e.g. BIO pair) on read, this does not work properly. - Ariel Pavel via RT wrote: > Hello, > > This problem was described by Martin Vladic, but i cant find it in RT. > > Here is description: > > "Let's suppose that handshake between client and server comes to the > point where client sends this message flight to the server: > > Certificate > ClientKeyExchange > CertificateVerify > ChangeCipherSpec > Finished [this message is protected] > > So, client comes to the stage when all subsequent messages shall be > protected. In above message flight only last message (Finished) is > protected. First four messages are unprotected. That's all OK. > > To continue, client needs following response from the server: > > ChangeCipherSpec > Finished [this message is encrypted] > > What happens if such message doesn't arrive? Retransmission timer > expires and client must send last flight again. > > But, OpenSSL DTLS implementation doesn't handle this situation very > well. It sends the last flight of messages, but all messages are > protected because implementation thinks that CipherSpec and keys are > negotiated. I think that only last message must be protected, and > first four must not (like it was in first transmission of the same > flight)." > > Also, when client retransmits his last flight (5 messages), message > "retransmit: message 4 non-existant" is printed to stderr. > > Even if client resends correct last flight (encrypting only Finished > message), > server will not retransmit his last flight (2 messages). > > Pavel > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager [EMAIL PROTECTED] > > -- - Ariel Salomon / Senior Software Engineer Real-Time Innovations (RTI) / www.rti.com 408 990-7439 / [EMAIL PROTECTED] RTI - The Real-Time Middleware Experts ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]