On 03/11/15 18:28, Viktor Dukhovni wrote:
> On Tue, Nov 03, 2015 at 04:16:37PM +0000, Matt Caswell via RT wrote:
>
>> One other related point is that fragmenting ClientHellos is probably a
>> bad idea. The whole ClientHello/HelloVerifyRequest mechanism is meant to
>> be implemented without storing state on the server. That isn't possible
>> if you have to deal with fragment reassembly. In the new DTLSv1_listen
>> implementation in master we drop fragmented ClientHellos.
>
> I assume you mean fragmentation across multiple TLS record layer
> packets, not UDP fragmentation into multiple IP layer fragments...

Yes - multiple DTLS record layer packets.

>
> Presumably the kernel delivers reassembled UDP datagrams to user-land,
> so OpenSSL's DTLS never sees UDP fragmentation.

Yes.

>
> I expect that DTLS is allowed to use UDP datagrams that are larger
> than the IP MTU, but if these MUST be fragmented at TLS record
> layer instead, then client HELLO packets can't carry very large
> extensions, and in particular session tickets could run into trouble...

OpenSSL tries to keep DTLS packets within the MTU if possible.

I like David's idea of dropping non-initial ClientHello fragments and
only requiring that the cookie needed for ClientHello/HelloVerifyRequest
is kept within the initial fragment, rather than requiring that the
whole ClientHello fits into a single fragment. I'll take a look at that.

Matt
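The two policies discussed in this thread (drop every fragmented ClientHello, or accept an initial fragment that carries the whole cookie), checked statelessly on a single handshake fragment. This is an added example, not part of the original message and not OpenSSL's code; it assumes the RFC 6347 handshake header layout, and the function names, verdict enum and constructed sample are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ch_verdict { CH_ACCEPT, CH_DROP_MALFORMED, CH_DROP_NOT_CLIENTHELLO,
                  CH_DROP_NON_INITIAL, CH_DROP_FRAGMENTED, CH_DROP_COOKIE_INCOMPLETE };

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static void put24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }

/* msg: one DTLS handshake fragment (12-byte header + fragment body).
 * allow_initial: 0 = drop every fragmented ClientHello,
 *                1 = accept an initial fragment that holds the whole cookie. */
enum ch_verdict classify_clienthello(const uint8_t *msg, size_t len, int allow_initial)
{
    if (len < 12) return CH_DROP_MALFORMED;
    if (msg[0] != 1) return CH_DROP_NOT_CLIENTHELLO;        /* 1 = client_hello */
    uint32_t total = be24(msg + 1), off = be24(msg + 6), flen = be24(msg + 9);
    if (flen > len - 12 || flen > total || off > total - flen) return CH_DROP_MALFORMED;
    if (off != 0) return CH_DROP_NON_INITIAL;               /* would need reassembly state */
    if (flen != total && !allow_initial) return CH_DROP_FRAGMENTED;
    /* Walk client_version(2) + random(32) + session_id + cookie, never past flen. */
    const uint8_t *body = msg + 12;
    size_t pos = 2 + 32;
    if (pos >= flen) return CH_DROP_COOKIE_INCOMPLETE;
    pos += 1 + (size_t)body[pos];                           /* skip session_id */
    if (pos >= flen) return CH_DROP_COOKIE_INCOMPLETE;
    pos += 1 + (size_t)body[pos];                           /* skip cookie */
    return pos <= flen ? CH_ACCEPT : CH_DROP_COOKIE_INCOMPLETE;
}

/* Constructed sample: header plus the first flen bytes of a ClientHello body
 * with zeroed random, empty session_id and a cookie of cookie_len bytes. */
enum ch_verdict classify_sample(uint32_t total, uint32_t off, uint32_t flen,
                                uint8_t cookie_len, int allow_initial)
{
    static uint8_t buf[12 + 512];
    if (flen > 512) return CH_DROP_MALFORMED;
    memset(buf, 0, sizeof buf);
    buf[0] = 1;
    put24(buf + 1, total); put24(buf + 6, off); put24(buf + 9, flen);
    if (flen > 35) buf[12 + 35] = cookie_len;               /* body[34] = 0 is the session_id length */
    return classify_clienthello(buf, 12 + flen, allow_initial);
}

int main(void)
{
    printf("initial fragment: strict=%d, cookie-in-first-fragment=%d\n",
           classify_sample(300, 0, 100, 20, 0), classify_sample(300, 0, 100, 20, 1));
    return 0;
}
```

Both policies decide from the one datagram in hand, so the server keeps no per-client state before the cookie is verified.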