On Tue, Nov 03, 2015 at 04:16:37PM +0000, Matt Caswell via RT wrote: > One other related point is that fragmenting ClientHellos is probably a > bad idea. The whole ClientHello/HelloVerifyRequest mechanism is meant to > be implemented without storing state on the server. That isn't possible > if you have to deal with fragment reassembly. In the new DTLSv1_listen > implementation in master we drop fragmented ClientHellos.
I assume you mean fragmentation across multiple TLS record layer packets, not UDP fragmentation into multiple IP layer fragments... Presumably the kernel delivers reassembled UDP datagrams to user-land, so OpenSSL's DTLS never sees UDP fragmentation. I expect that DTLS is allowed to use UDP datagrams that are larger than the IP MTU, but if these MUST be fragmented at TLS record layer instead, then client HELLO packets can't carry very large extensions, and in particular session tickets could run into trouble... I don't know whether the code that inserts the TLS padding extension is common to the TLS and DTLS code paths, ideally DTLS should at least avoid bloat from the padding extension. -- Viktor. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev