Hi,

We are using the DTLS API to implement a DTLS Client/Server. We notice that when the client application uses dtls_handle_timeout to re-transmit handshake messages, the DTLS server library seems to be invoking dtls_handle_timeout for every CLIENT HELLO message.
In order to conduct some network connectivity tests, we have disabled all network traffic from Server to Client, i.e. the Client sends CLIENT HELLO, the Server responds with HELLO VERIFY REQUEST, but this never reaches the client, by using a firewall rule between client/server that blocks all server responses from reaching the client. A handshake in progress looks as follows:

CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (1 sec timeout)
SERVER -> HELLO VERIFY REQUEST

There is a packet drop on the network layer so NO server traffic reaches the client. This leads to the client sending a CLIENT HELLO protocol message again (as the DTLS client application is invoking dtls_handle_timeout when the timeout expires). So the client repeats:

CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~2 sec)
SERVER -> HELLO VERIFY REQUEST
CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~4 sec)
SERVER -> HELLO VERIFY REQUEST
CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~8 sec)
SERVER -> HELLO VERIFY REQUEST
CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~16 sec)
SERVER -> HELLO VERIFY REQUEST
CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~32 sec)
SERVER -> HELLO VERIFY REQUEST
CLIENT -> CLIENT HELLO
DTLS Server library calls dtls_handle_timeout (~60 sec)
SERVER -> HELLO VERIFY REQUEST

Say the CLIENT HELLO comes before 60 seconds: the DTLS server does not reply with a HELLO VERIFY REQUEST before 60 seconds and the connection does not get established (even though we allow the traffic from Server to reach the client). Should the DTLS Server library even start any timers before the CLIENT HELLO verification is successful?
As per the post below:
http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html

We see in d1_pkt.c/dtls1_read_bytes:

    /* Check for timeout */
    if (dtls1_handle_timeout(s) > 0)
        goto start;

and have seen handle_timeouts being called during the connection handshake. It appears the Server does not respond until the timer has expired.

(test excerpt)
(10.4.0.80 is Client, 10.4.0.87 is Server)

16:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154 (CLIENT HELLO)
(0x93f4008) dtls_get_timeout timeleft expired = 0 0
dtls_start_timer set duration = 2
dtls_start_timer set duration = 2
dtls1_handle_timeout retransmit message
do_dtls1_write just before end ssl3_write_pending
(0x93f4008) dtls_get_timeout timeleft = 15 999926
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 15 999873
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 15 999841
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 15 999814
16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48 (VERIFY REQUEST)
16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154 (CLIENT HELLO)
(0x93f4008) dtls_get_timeout timeleft expired = 0 0
dtls_start_timer set duration = 2
dtls_start_timer set duration = 2
dtls1_handle_timeout retransmit message
do_dtls1_write just before end ssl3_write_pending
(0x93f4008) dtls_get_timeout timeleft = 31 999925
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 31 999861
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 31 999835
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 31 999807
16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48 (VERIFY REQUEST)
16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154 (CLIENT HELLO)
(0x93f4008) dtls_get_timeout timeleft expired = 0 0
dtls_start_timer set duration = 2
dtls_start_timer set duration = 2
dtls1_handle_timeout retransmit message
do_dtls1_write just before end ssl3_write_pending
(0x93f4008) dtls_get_timeout timeleft = 59 999886
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999812
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999776
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999732
16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48 (VERIFY REQUEST)
(0x93f4008) dtls_get_timeout timeleft = 58 998175
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 998087
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 998052
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 997996
16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(Now NO Server VERIFY REQUEST being sent until timer expires)
(0x93f4008) dtls_get_timeout timeleft = 56 998910
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998853
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998824
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998796
16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 52 998492
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 998414
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 998371
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 998321
16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 44 999946
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 999900
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 999880
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 999853
16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 28 998792
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 998711
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 998669
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 998620
16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft expired = 0 0
dtls_start_timer set duration = 2
dtls_start_timer set duration = 2
dtls1_handle_timeout retransmit message
do_dtls1_write just before end ssl3_write_pending
(0x93f4008) dtls_get_timeout timeleft = 59 999887
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999794
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999774
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999747
16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 58 998596
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 998522
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 998484
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 998433
16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 56 998715
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998634
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998594
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998543
16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 52 997529
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 997446
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 997410
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 997361
16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 44 996087
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 996046
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 996031
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 44 996011
16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 28 994862
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 994813
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 994792
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 28 994764
16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft expired = 0 0
dtls_start_timer set duration = 2
dtls_start_timer set duration = 2
dtls1_handle_timeout retransmit message
do_dtls1_write just before end ssl3_write_pending
(0x93f4008) dtls_get_timeout timeleft = 59 999847
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999780
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999739
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 59 999674
16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 58 999757
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 999679
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 999641
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 58 999588
16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 56 999150
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 999053
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 999018
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 56 998961
16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
(0x93f4008) dtls_get_timeout timeleft = 52 998976
dtls1_handle_timeout not expired
(0x93f4008) dtls_get_timeout timeleft = 52 998924

Thanks,
-Yogi