On 03/06/2013 09:54 AM, Michael Tuexen wrote:
> On Mar 6, 2013, at 1:19 PM, Gary Grebus via RT wrote:
>
>> I have an application which needs to protect datagram traffic, and
>> also directly control the socket I/O. Using DTLS over a BIO pair
>> appears to work for my purposes except for one problem when handling
>> timeouts.
>>
>> In dtls1_check_timeout_num(), after 2 unsuccessful retransmission
>> attempts, the code calls BIO_ctrl() with the BIO_CTRL_DGRAM_GET_FALLBACK_MTU
>> option to adjust the MTU. This operation is not defined for a BIO
>> pair, and results in the MTU being set to zero. That eventually
>> causes an OpenSSL_assert() to fail in dtls1_do_write().
> So the question is: When using a BIO pair, why does sending fail? Are the
> packets later on sent over UDP? If yes, how do you handle the case that
> the path MTU needs to be adjusted?
>
It fails because dtls1_do_write() contains the following check:

    OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */

which fails if s->d1->mtu is set to zero.

In our particular case, we do eventually send the packets over UDP. We use SSL_set_mtu() and fix the MTU to a suitable minimum.

-- Gary

>> It would make sense to recognize that zero can't be a valid fallback MTU
>> value, and avoid resetting the MTU. A patch with a possible fix is
>> attached.
>>
>> --- Gary
>>
>>
>> diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c >> index db180f2..371199d 100644 >> --- a/ssl/d1_lib.c >> +++ b/ssl/d1_lib.c >> @@ -401,12 +401,17 @@ void dtls1_stop_timer(SSL *s) >> >> int dtls1_check_timeout_num(SSL *s) >> { >> + unsigned int mtu; >> s->d1->timeout.num_alerts++; >> >> /* Reduce MTU after 2 unsuccessful retransmissions */ >> if (s->d1->timeout.num_alerts > 2) >> { >> - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), >> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); >> + mtu = BIO_ctrl(SSL_get_wbio(s), >> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); >> + if (mtu > 0) >> + { >> + s->d1->mtu = mtu; >> + } >> } >> >> if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
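
Review bot: the `if (mtu > 0)` guard in dtls1_check_timeout_num() filters only zero, while the check quoted above from dtls1_do_write() requires `s->d1->mtu >= dtls1_min_mtu()`, so a nonzero fallback value below that minimum would still reach the assertion. Consider comparing the returned value against the same minimum (if dtls1_min_mtu() is reachable from d1_lib.c) rather than against zero. Also, BIO_ctrl() returns a long and the result is stored in `unsigned int mtu`, so a negative return from a BIO that reports an unsupported control that way would wrap to a large positive value and pass the guard; holding the result in a long and testing it before assigning to `s->d1->mtu` avoids that. A short comment above the guard explaining that a BIO without BIO_CTRL_DGRAM_GET_FALLBACK_MTU support (such as a BIO pair) leaves the current MTU unchanged would help the next reader.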