Hi

Formal bug description:

OpenSSL version: all versions with DTLS support.
OS name: FreeBSD 7.x, 8.x, 9.x
Compiler: any
Application: any DTLS application
Problem description: The DTLS packets do not have the "Don't fragment" IP flag 
(DF bit) set. According to the DTLS specs, it must always be set. In OpenSSL code, the DF 
bit is supported only for Linux.


I am using the OpenSSL library with FreeBSD, primarily the DTLS functionality. 
Unfortunately, what I discovered is that the DTLS RFC networking requirements 
are implemented for Linux only in OpenSSL code. That code is protected by 
#ifdef and nothing is done for other OSes (see the file bss_dgram.c, line 534 
in OpenSSL 1.0.1c).

For FreeBSD, that would be an easy fix - just use the socket option IP_DONTFRAG 
on IPPROTO_IP level. I can provide a code example, if necessary.

It can be fixed in either original OpenSSL code, or in FreeBSD "port" patch for 
OpenSSL.

Let me know if I can help.

Thanks
Oleg Moskalenko
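
Added example, written for this thread and not the reporter's or OpenSSL's code: a small portable helper that sets the IPv4 DF bit on a UDP socket and reads it back. On FreeBSD (and other BSDs that define it) the relevant knob is the IP_DONTFRAG option at the IPPROTO_IP level, as the report says; on Linux the per-socket equivalent is IP_MTU_DISCOVER set to IP_PMTUDISC_DO. The function names (udp_set_dont_fragment, udp_get_dont_fragment, demo_dont_fragment) are this example's own; a platform with neither option gets ENOPROTOOPT rather than silently sending fragmentable datagrams.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Enable the IPv4 "Don't Fragment" bit on a UDP socket.
 * Returns 0 on success, -1 on error (errno set).
 * Hypothetical helper for this example, not an OpenSSL API. */
int udp_set_dont_fragment(int fd)
{
#if defined(IP_DONTFRAG)
    /* FreeBSD / other BSDs: a plain boolean option on IPPROTO_IP. */
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, sizeof(on));
#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
    /* Linux: DF is a side effect of forcing path-MTU discovery on. */
    int val = IP_PMTUDISC_DO;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof(val));
#else
    /* No per-socket DF control known for this platform: fail loudly. */
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Read the DF state back from the kernel so callers can verify it took effect.
 * Returns 1 if DF is set, 0 if it is clear, -1 on error/unsupported. */
int udp_get_dont_fragment(int fd)
{
#if defined(IP_DONTFRAG)
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, &len) < 0)
        return -1;
    return on != 0;
#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0)
        return -1;
    return val == IP_PMTUDISC_DO;
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Open a throwaway UDP socket, enable DF, and verify via getsockopt.
 * Returns 1 if DF is verified set, 0 if setting it did not take,
 * -1 if the socket could not be created or the platform lacks support. */
int demo_dont_fragment(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int result;
    if (udp_set_dont_fragment(fd) != 0)
        result = -1;
    else
        result = udp_get_dont_fragment(fd);
    close(fd);
    return result;
}

int main(void)
{
    int r = demo_dont_fragment();
    if (r == 1)
        printf("DF bit set and verified on a UDP socket\n");
    else if (r == 0)
        printf("DF bit could not be verified as set\n");
    else
        printf("DF not supported or socket error: %s\n", strerror(errno));
    return r == 1 ? 0 : 1;
}
```

The point of the read-back is the same one the report makes: a DTLS stack that only sets DF under a Linux-specific #ifdef will compile and run fine on FreeBSD while quietly violating the spec, and nothing short of checking the socket (or looking at the wire) will show it.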
