Hi Yogesh,

I'm not sure what your problem is. If you drop all messages sent by the server, 
then the client keeps repeating its ClientHello until max retransmissions is 
reached, that is 12 times. The client starts a timer for every ClientHello it 
sends, and if it expires because there is no HelloVerifyRequest, it will 
retransmit and double the timer value. The server, however, never starts any 
timer or performs any retransmission in this scenario. The HelloVerifyRequest 
is sent as an immediate response to a ClientHello, with no changes in the 
server's state. This is done to prevent several attacks, which would be 
possible otherwise. The client has to send its ClientHello again with the 
cookie data from the HelloVerifyRequest attached, before the server sends its 
ServerHello, for which a timer is started.

Best regards
Robin
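The exchange Robin describes, as an added Python simulation that is not OpenSSL code and not from either mail: a stateless server answers every ClientHello that lacks a valid cookie with an immediate HelloVerifyRequest, keeps no state and starts no timer, and only commits state and a timer once the cookie comes back; the client starts a timer for each ClientHello, doubles it on expiry and gives up after 12 retransmissions. The HMAC cookie construction, the 1 s initial timer and the 60 s cap are assumptions modelled on the trace in the thread.

```python
import hashlib
import hmac
import os

MAX_RETRANSMITS = 12   # client gives up after this many retransmissions (Robin)
INITIAL_TIMEOUT = 1.0  # seconds; doubles on every expiry (assumed start value)
MAX_TIMEOUT = 60.0     # cap, matching the 1,2,4,...,32,60 s steps in the trace


class StatelessServer:
    """A ClientHello without a valid cookie gets an immediate HelloVerifyRequest
    and leaves no state behind; only a ClientHello echoing a valid cookie makes
    the server commit state and start its own timer (for the ServerHello flight)."""

    def __init__(self):
        self.secret = os.urandom(32)  # constructed per-process cookie key
        self.handshakes = {}          # peer -> client_random, created late
        self.timers_started = 0

    def cookie_for(self, peer, client_random):
        # Keyed hash over peer address and ClientHello random: recomputable on
        # return, so nothing has to be stored while the cookie is outstanding.
        msg = repr(peer).encode() + client_random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def receive_client_hello(self, peer, client_random, cookie=b""):
        expected = self.cookie_for(peer, client_random)
        if not hmac.compare_digest(cookie, expected):
            return ("HelloVerifyRequest", expected)   # no timer, no state
        self.handshakes[peer] = client_random
        self.timers_started += 1                      # ServerHello flight timer
        return ("ServerHello", None)


def client_handshake(server, peer, drop_server_to_client=False):
    """Drive the client until it gets a ServerHello or exhausts retransmits.
    Returns (result, client_hellos_sent, seconds_waited)."""
    client_random = os.urandom(32)
    cookie, timeout, sent, waited, retransmits = b"", INITIAL_TIMEOUT, 0, 0.0, 0
    while True:
        sent += 1
        reply, payload = server.receive_client_hello(peer, client_random, cookie)
        if not drop_server_to_client:
            if reply == "HelloVerifyRequest":
                cookie = payload   # repeat the ClientHello with the cookie attached
                continue
            return (reply, sent, waited)
        # Reply lost (the firewall case): the client's timer expires, it
        # doubles the timer and retransmits the same ClientHello.
        waited += timeout
        if retransmits == MAX_RETRANSMITS:
            return ("timeout", sent, waited)
        retransmits += 1
        timeout = min(timeout * 2, MAX_TIMEOUT)
```

With server-to-client traffic dropped the client sends 13 ClientHellos over 483 s of timer waits while the server never starts a timer; with traffic flowing the handshake reaches ServerHello on the second ClientHello.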


On Jun 23, 2011, at 3:50 AM, Yogesh Chopra wrote:

> Hi,
> 
> We are using DTLS API to implement a DTLS Client/Server. We notice
> when the client application uses dtls_handle_timeout to re-transmit
> handshake messages. The DTLS server library seems to be invoking
> dtls_handle_timeout for every CLIENT HELLO message.
> 
> In order to conduct some network connectivity tests, we have disabled
> all network
> traffic to reach from Server to Client. i.e The Client sends CLIENT
> HELLO, Server responds with HELLO VERIFY REQUEST but this never
> reaches the client by using a firewall rule between client/server
> disabling all server responses to reach the client.
> 
> A handshake in progress looks as follows:
> 
> 
> CLIENT -> CLIENT HELLO
> 
>                               DTLS Server library calls dtls_handle_timeout (1 sec timeout)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> There is a packet drop on the network layer so NO server traffic reaches the
> client.
> 
> This leads to client sending a CLIENT HELLO protocol message again (As the 
> DTLS client application is invoking dtls_handle_timeout when timeout expires)
> 
> So client repeats:
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~2 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~4 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~8 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~16 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~32 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> CLIENT -> CLIENT HELLO
>                               DTLS Server library calls dtls_handle_timeout (~60 sec)
>                               SERVER -> HELLO VERIFY REQUEST
> 
> 
> Say the CLIENT HELLO comes before 60 seconds. The DTLS server does not
> reply with a HELLO VERIFY REQUEST before 60 seconds
> and the connection does not get established (even though we allow the
> traffic from the Server to reach the client).
> 
> Should the DTLS Server library even start any timers before the CLIENT
> HELLO verification is successful?
> As per post below:
> 
> http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html
> 
> We see in d1_pkt.c/dtls1_read_bytes
> 
>        /* Check for timeout */
>        if (dtls1_handle_timeout(s) > 0)
>                goto start;
> 
> and have seen handle_timeouts being called during the connection handshake.
> 
> It appears the Server does not respond until timer has expired.
> 
> 
> (test excerpt)
> 
> (10.4.0.80 is Client
> 10.4.0.87 is Server)
> 
> 
> 6:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
> (CLIENT HELLO)
> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
> dtls_start_timer set duration = 2
> dtls_start_timer set duration = 2
> dtls1_handle_timeout retransmit message
> do_dtls1_write just before end ssl3_write_pending
> (0x93f4008) dtls_get_timeout timeleft  = 15 999926
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 15 999873
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 15 999841
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 15 999814
> 16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
> (VERIFY REQUEST)
> 16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
> (CLIENT HELLO)
> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
> dtls_start_timer set duration = 2
> dtls_start_timer set duration = 2
> dtls1_handle_timeout retransmit message
> do_dtls1_write just before end ssl3_write_pending
> (0x93f4008) dtls_get_timeout timeleft  = 31 999925
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 31 999861
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 31 999835
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 31 999807
> 16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
> (VERIFY REQUEST)
> 16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (CLIENT HELLO)
> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
> dtls_start_timer set duration = 2
> dtls_start_timer set duration = 2
> dtls1_handle_timeout retransmit message
> do_dtls1_write just before end ssl3_write_pending
> (0x93f4008) dtls_get_timeout timeleft  = 59 999886
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999812
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999776
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999732
> 16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
> (VERIFY REQUEST)
> (0x93f4008) dtls_get_timeout timeleft  = 58 998175
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 998087
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 998052
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 997996
> 16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> 16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> 
> 
> (Now NO Server VERIFY REQUEST being sent until timer expires)
> (0x93f4008) dtls_get_timeout timeleft  = 56 998910
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998853
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998824
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998796
> 16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 52 998492
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 998414
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 998371
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 998321
> 16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 44 999946
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 999900
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 999880
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 999853
> 16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 28 998792
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 998711
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 998669
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 998620
> 16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
> dtls_start_timer set duration = 2
> dtls_start_timer set duration = 2
> dtls1_handle_timeout retransmit message
> do_dtls1_write just before end ssl3_write_pending
> (0x93f4008) dtls_get_timeout timeleft  = 59 999887
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999794
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999774
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999747
> 16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
> 16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 58 998596
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 998522
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 998484
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 998433
> 16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 56 998715
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998634
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998594
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998543
> 16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 52 997529
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 997446
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 997410
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 997361
> 16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 44 996087
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 996046
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 996031
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 44 996011
> 16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 28 994862
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 994813
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 994792
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 28 994764
> 16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
> dtls_start_timer set duration = 2
> dtls_start_timer set duration = 2
> dtls1_handle_timeout retransmit message
> do_dtls1_write just before end ssl3_write_pending
> (0x93f4008) dtls_get_timeout timeleft  = 59 999847
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999780
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999739
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 59 999674
> 16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
> 16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 58 999757
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 999679
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 999641
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 58 999588
> 16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 56 999150
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 999053
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 999018
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 56 998961
> 16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
> 16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
> 16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
> (0x93f4008) dtls_get_timeout timeleft  = 52 998976
> dtls1_handle_timeout not expired
> (0x93f4008) dtls_get_timeout timeleft  = 52 998924
> 
> 
> 
> Thanks,
> -Yogi



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org