On Mar 6, 2013, at 4:27 PM, Gary Grebus wrote:
> On 03/06/2013 09:54 AM, Michael Tuexen wrote:
>> On Mar 6, 2013, at 1:19 PM, Gary Grebus via RT wrote:
>>
>>> I have an application which needs to protect datagram traffic, and
>>> also directly control the socket I/O. Using DTLS over a BIO pair
>>> appears to work for my purposes except for one problem when handling
>>> timeouts.
>>>
>>> In dtls1_check_timeout_num(), after 2 unsuccessful retransmission
>>> attempts, the code calls BIO_ctrl() with the BIO_CTRL_DGRAM_GET_FALLBACK_MTU
>>> option to adjust the MTU. This operation is not defined for a BIO
>>> pair, and results in the MTU being set to zero. That eventually
>>> causes an OpenSSL_assert() to fail in dtls1_do_write().
>> So the question is: When using a BIO pair, why does sending fail? Are the
>> packets later on sent over UDP? If yes, how to you handle the case that
>> the path MTU needs to be adjusted?
>>
>
> It fails because dtls1_do_write() contains the following check:
>
> OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have
> something reasonable now */
>
> which fails if s->d1->mtu is set to zero.
Isn't this after the sending failed two times?
>
> In our particular case, we do eventually send the packets over UDP. We
> use SSL_set_mtu() and fix the MTU to a suitable minimum.
OK.
Best regards
Michael
>
> -- Gary
>>> It would make sense to recognize that zero can't be a valid fallback MTU
>>> value, and avoid resetting the MTU. A patch with a possible fix is
>>> attached.
>>>
>>> --- Gary
>>>
>>>
>>> diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
>>> index db180f2..371199d 100644
>>> --- a/ssl/d1_lib.c
>>> +++ b/ssl/d1_lib.c
>>> @@ -401,12 +401,17 @@ void dtls1_stop_timer(SSL *s)
>>>
>>> int dtls1_check_timeout_num(SSL *s)
>>> {
>>> + unsigned int mtu;
>>> s->d1->timeout.num_alerts++;
>>>
>>> /* Reduce MTU after 2 unsuccessful retransmissions */
>>> if (s->d1->timeout.num_alerts > 2)
>>> {
>>> - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
>>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
>>> + mtu = BIO_ctrl(SSL_get_wbio(s),
>>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
>>> + if (mtu > 0)
>>> + {
>>> + s->d1->mtu = mtu;
>>> + }
>>> }
>>>
>>> if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List [email protected]
>> Automated List Manager [email protected]
>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
