On Jul 1, 2011, at 12:59 AM, Yogesh Chopra wrote:

> Hi,
> I could only access the patch at the link:
>
> http://sctp.fh-muenster.de/dtls-patches.html
>
> as I do not have login credentials for
> http://rt.openssl.org/Ticket/Display.html?id=2550

I think it is username guest, password guest...

> So I am not sure if the 2 places above have different patches.

Yes, the patches are the same.

> After applying this patch, I acknowledge that I do not see any timer getting
> started on the DTLS server. However, the server side of the code still seems
> to be calling dtls_handle_timeout and the test results are not good.
>
> The setup is the same as before (where traffic from server to client is
> blocked). The server responds only once with a HELLO_VERIFY response
> for a HELLO request and then never sends a HELLO_VERIFY response for
> subsequent CLIENT HELLO messages.
>
> CLIENT                          SERVER
> HELLO --->
>                                 HELLO_VERIFY (For first request)
>
> Post first request
>
> HELLO --->
>                                 There is no response from SERVER
>
> See a trace of some debug messages and tcp messages captured:
> (10.10.100.80 is DTLS client & 10.10.100.87 is DTLS server)
>
> 15:11:46.376027 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
> (CLIENT HELLO)
> 15:11:46.376445 IP 10.4.0.87.5555 > 10.4.0.80.35233: UDP, length 48
> (HELLO VERIFY)
> libstratassl :SSL DTLSv1_listen in progress
> 15:11:47.374784 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
> (CLIENT HELLO)
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> libstratassl :SSL DTLSv1_listen in progress
>
> 15:11:49.377222 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> libstratassl :SSL DTLSv1_listen in progress
> 15:11:51.377016 arp who-has 10.4.0.80 tell 10.4.0.87
> 15:11:51.378266 arp reply 10.4.0.80 is-at 00:b0:d0:79:60:b7
> 15:11:53.376699 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> dtls1_handle_timeout not expired
> (0x8a08ff8) dtls_get_timeout no timeout set
> libstratassl :SSL DTLSv1_listen in progress
> 15:12:01.379241 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
>
>
> Even when I drop the firewall rule blocking any server responses to the
> client, the DTLS connection never succeeds; the DTLS server continues
> being in the "DTLSv1_listen in progress" state.
>
> I removed the patch and restored OpenSSL to its earlier state and got
> back to the behavior where the server side timer starts and, when I remove
> the firewall rule, the connection re-establishes, although due to the server
> timer running it can take a minute or so for the client to get the connection
> handshake established.
>
> So it appears that with the patch applied the server is not working as
> expected: after sending a first HELLOVERIFY it stops sending a
> HELLOVERIFY for subsequent CLIENT HELLO messages.

OK. We need to look into this...
Thanks for testing.
Best regards
Michael

> Thanks,
> -Yogi
>
> On Thu, Jun 30, 2011 at 2:37 PM, Michael Tüxen
> <michael.tue...@lurchi.franken.de> wrote:
>> Hi Yogi,
>>
>> could you try the patch in
>> http://rt.openssl.org/Ticket/Display.html?id=2550
>> and report if it fixes your issue?
>>
>> Best regards
>> Michael
>> On Jun 27, 2011, at 10:58 PM, Yogesh Chopra wrote:
>>
>>> Hi,
>>> Please look at the debug messages attached to the original message.
>>> These were printf's added in the DTLS code and these were messages
>>> captured on the server. We are seeing the server start a timer when it
>>> sends back a "HelloVerifyRequest". Based on your comments below it
>>> appears that should not be the case, but we do see the timer getting
>>> invoked on the server, in contrast to the expected behavior.
>>>
>>> Thanks,
>>> -Yogi
>>>
>>>
>>> On Mon, Jun 27, 2011 at 1:15 AM, Robin Seggelmann
>>> <seggelm...@fh-muenster.de> wrote:
>>>> Hi Yogesh,
>>>>
>>>> I'm not sure what your problem is. If you drop all messages sent by the
>>>> server, then the client keeps repeating its ClientHello until max
>>>> retransmissions is reached, that is 12 times. The client starts a timer
>>>> for every ClientHello it sends, and if it expires because there is no
>>>> HelloVerifyRequest, it will retransmit and double the timer value. The
>>>> server, however, never starts any timer or performs any retransmission in
>>>> this scenario. The HelloVerifyRequest is sent as an immediate response to
>>>> a ClientHello, with no changes in the server's state. This is done to
>>>> prevent several attacks, which would be possible otherwise. The client has
>>>> to send its ClientHello again with the cookie data from the
>>>> HelloVerifyRequest attached, before the server sends its ServerHello, for
>>>> which a timer is started.
>>>>
>>>> Best regards
>>>> Robin
>>>>
>>>>
>>>> On Jun 23, 2011, at 3:50 AM, Yogesh Chopra wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are using the DTLS API to implement a DTLS Client/Server.
>>>>> We notice, when the client application uses dtls_handle_timeout to
>>>>> re-transmit handshake messages, that the DTLS server library seems to be
>>>>> invoking dtls_handle_timeout for every CLIENT HELLO message.
>>>>>
>>>>> In order to conduct some network connectivity tests, we have disabled
>>>>> all network traffic from Server to Client, i.e. the Client sends CLIENT
>>>>> HELLO, the Server responds with HELLO VERIFY REQUEST, but this never
>>>>> reaches the client, using a firewall rule between client/server that
>>>>> blocks all server responses from reaching the client.
>>>>>
>>>>> A handshake in progress looks as follows:
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>
>>>>>     DTLS Server library calls dtls_handle_timeout (1 sec timeout)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> There is a packet drop on the network layer so NO server traffic reaches
>>>>> the client.
>>>>>
>>>>> This leads to the client sending a CLIENT HELLO protocol message again (as
>>>>> the DTLS client application is invoking dtls_handle_timeout when the
>>>>> timeout expires).
>>>>>
>>>>> So the client repeats:
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~2 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~4 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~8 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~16 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~32 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> CLIENT -> CLIENT HELLO
>>>>>     DTLS Server library calls dtls_handle_timeout (~60 sec)
>>>>>     SERVER -> HELLO VERIFY REQUEST
>>>>>
>>>>> Say the CLIENT HELLO comes before 60 seconds: the DTLS server does not
>>>>> reply with a HELLO VERIFY REQUEST before 60 seconds
>>>>> and the connection does not get established (even though we allow the
>>>>> traffic from Server to reach the client).
>>>>>
>>>>> Should the DTLS Server library even start any timers before the CLIENT
>>>>> HELLO verification is successful?
>>>>> As per the post below:
>>>>>
>>>>> http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html
>>>>>
>>>>> We see in d1_pkt.c/dtls1_read_bytes
>>>>>
>>>>>     /* Check for timeout */
>>>>>     if (dtls1_handle_timeout(s) > 0)
>>>>>         goto start;
>>>>>
>>>>> and have seen handle_timeouts being called during the connection
>>>>> handshake.
>>>>>
>>>>> It appears the Server does not respond until the timer has expired.
>>>>>
>>>>>
>>>>> (test excerpt)
>>>>>
>>>>> (10.4.0.80 is Client
>>>>> 10.4.0.87 is Server)
>>>>>
>>>>>
>>>>> 6:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>>> (CLIENT HELLO)
>>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>>> dtls_start_timer set duration = 2
>>>>> dtls_start_timer set duration = 2
>>>>> dtls1_handle_timeout retransmit message
>>>>> do_dtls1_write just before end ssl3_write_pending
>>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999926
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999873
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999841
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999814
>>>>> 16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>>> (VERIFY REQUEST)
>>>>> 16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>>> (CLIENT HELLO)
>>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>>> dtls_start_timer set duration = 2
>>>>> dtls_start_timer set duration = 2
>>>>> dtls1_handle_timeout retransmit message
>>>>> do_dtls1_write just before end ssl3_write_pending
>>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999925
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999861
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999835
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999807
>>>>> 16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>>> (VERIFY REQUEST)
>>>>> 16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (CLIENT HELLO)
>>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>>> dtls_start_timer set duration = 2
>>>>> dtls_start_timer set duration = 2
>>>>> dtls1_handle_timeout retransmit message
>>>>> do_dtls1_write just before end ssl3_write_pending
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999886
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999812
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999776
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999732
>>>>> 16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>>> (VERIFY REQUEST)
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998175
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998087
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998052
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 997996
>>>>> 16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> 16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>>
>>>>>
>>>>> (Now NO Server VERIFY REQUEST being sent until timer expires)
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998910
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998853
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998824
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998796
>>>>> 16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998492
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998414
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998371
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998321
>>>>> 16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999946
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999900
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999880
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999853
>>>>> 16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998792
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998711
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998669
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998620
>>>>> 16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>>> dtls_start_timer set duration = 2
>>>>> dtls_start_timer set duration = 2
>>>>> dtls1_handle_timeout retransmit message
>>>>> do_dtls1_write just before end ssl3_write_pending
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999887
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999794
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999774
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999747
>>>>> 16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>>> 16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998596
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998522
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998484
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998433
>>>>> 16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998715
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998634
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998594
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998543
>>>>> 16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997529
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997446
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997410
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997361
>>>>> 16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996087
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996046
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996031
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996011
>>>>> 16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994862
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994813
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994792
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994764
>>>>> 16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>>> dtls_start_timer set duration = 2
>>>>> dtls_start_timer set duration = 2
>>>>> dtls1_handle_timeout retransmit message
>>>>> do_dtls1_write just before end ssl3_write_pending
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999847
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999780
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999739
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999674
>>>>> 16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>>> 16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999757
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999679
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999641
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999588
>>>>> 16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999150
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999053
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999018
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998961
>>>>> 16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
>>>>> 16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>>> 16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998976
>>>>> dtls1_handle_timeout not expired
>>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998924
>>>>>
>>>>>
>>>>> Thanks,
>>>>> -Yogi
>>>>
>>>>
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> Development Mailing List                       openssl-dev@openssl.org
>>> Automated List Manager                           majord...@openssl.org
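The cookie exchange Robin describes, modelled as an added example (not OpenSSL's code and not from anyone in this thread): the server answers a ClientHello that carries no valid cookie with an immediate HelloVerifyRequest and keeps no state and no timer, while the client runs the doubling retransmission timer; the firewall from the test setup is modelled as a count of dropped server replies. The class and function names, the HMAC-over-peer-address cookie, and the peer addresses are assumptions.

```python
import hashlib
import hmac
import os

MAX_RETRANSMITS = 12   # the client gives up after 12 retransmissions (Robin's figure)
TIMER_CAP = 60         # the doubling retransmission timer is capped at 60 s


class StatelessDtlsServer:
    """Server side of the DTLS cookie exchange: a ClientHello without a valid
    cookie gets an immediate HelloVerifyRequest and leaves no state and no
    timer behind; only a verified cookie creates a session and starts the
    ServerHello flight timer. Hypothetical model, not OpenSSL's code."""

    def __init__(self):
        self.secret = os.urandom(32)   # constructed; a real server rotates this
        self.sessions = {}             # per-peer state, created only after the cookie check
        self.timers_started = 0

    def cookie(self, peer):
        # HMAC over the peer address: verifiable later without any stored state
        data = f"{peer[0]}:{peer[1]}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:16]

    def handle(self, peer, msg):
        if msg["type"] != "ClientHello":
            return None
        if not hmac.compare_digest(msg.get("cookie", b""), self.cookie(peer)):
            # Stateless reply: no session, no timer, nothing to retransmit later
            return {"type": "HelloVerifyRequest", "cookie": self.cookie(peer)}
        self.sessions[peer] = "handshaking"
        self.timers_started += 1       # the server's first timer starts here
        return {"type": "ServerHello"}


def client_handshake(server, peer, drop_replies):
    """Client side with the timer Robin describes: 1 s, doubled on each expiry
    (capped), give up after MAX_RETRANSMITS. drop_replies plays the firewall
    from the thread: how many server replies are lost before the rule is lifted."""
    timeout, cookie, elapsed, retransmits, sent, dropped = 1, b"", 0, 0, 0, 0
    while retransmits <= MAX_RETRANSMITS:
        sent += 1
        reply = server.handle(peer, {"type": "ClientHello", "cookie": cookie})
        if dropped < drop_replies:
            dropped += 1                 # reply lost: wait out the timer, resend
            elapsed += timeout
            timeout = min(timeout * 2, TIMER_CAP)
            retransmits += 1
            continue
        if reply["type"] == "HelloVerifyRequest":
            cookie = reply["cookie"]     # resend at once with the cookie attached
            continue
        return {"ok": True, "sent": sent, "elapsed": elapsed}
    return {"ok": False, "sent": sent, "elapsed": elapsed}


if __name__ == "__main__":
    srv = StatelessDtlsServer()
    print(client_handshake(srv, ("192.0.2.10", 40000), 3), srv.timers_started)
```

With three replies dropped the client completes after 5 ClientHellos and 7 s of waiting, and the server has started exactly one timer; with every reply dropped the server still holds no session and has started no timer, which is the property the thread's server was violating.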