On Mar 6, 2013, at 4:27 PM, Gary Grebus wrote: > On 03/06/2013 09:54 AM, Michael Tuexen wrote: >> On Mar 6, 2013, at 1:19 PM, Gary Grebus via RT wrote: >> >>> I have an application which needs to protect datagram traffic, and >>> also directly control the socket I/O. Using DTLS over a BIO pair >>> appears to work for my purposes except for one problem when handling >>> timeouts. >>> >>> In dtls1_check_timeout_num(), after 2 unsuccessful retransmission >>> attempts, the code calls BIO_ctrl() with the BIO_CTRL_DGRAM_GET_FALLBACK_MTU >>> option to adjust the MTU. This operation is not defined for a BIO >>> pair, and results in the MTU being set to zero. That eventually >>> causes an OpenSSL_assert() to fail in dtls1_do_write(). >> So the question is: When using a BIO pair, why does sending fail? Are the >> packets later on sent over UDP? If yes, how to you handle the case that >> the path MTU needs to be adjusted? >> > > It fails because dtls1_do_write() contains the following check: > > OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have > something reasonable now */ > > which fails if s->d1->mtu is set to zero. Isn't this after the sending failed two times? > > In our particular case, we do eventually send the packets over UDP. We > use SSL_set_mtu() and fix the MTU to a suitable minimum. OK.
Best regards Michael > > -- Gary >>> It would make sense to recognize that zero can't be a valid fallback MTU >>> value, and avoid resetting the MTU. A patch with a possible fix is >>> attached. >>> >>> --- Gary >>> >>> >>> diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c >>> index db180f2..371199d 100644 >>> --- a/ssl/d1_lib.c >>> +++ b/ssl/d1_lib.c >>> @@ -401,12 +401,17 @@ void dtls1_stop_timer(SSL *s) >>> >>> int dtls1_check_timeout_num(SSL *s) >>> { >>> + unsigned int mtu; >>> s->d1->timeout.num_alerts++; >>> >>> /* Reduce MTU after 2 unsuccessful retransmissions */ >>> if (s->d1->timeout.num_alerts > 2) >>> { >>> - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), >>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); >>> + mtu = BIO_ctrl(SSL_get_wbio(s), >>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); >>> + if (mtu > 0) >>> + { >>> + s->d1->mtu = mtu; >>> + } >>> } >>> >>> if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> Development Mailing List openssl-dev@openssl.org >> Automated List Manager majord...@openssl.org > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org