On 01/06/16 11:15, Alfred E. Heggestad wrote:
> hi,
>
> we are using DTLS from OpenSSL to implement DTLS-SRTP in our
> product (Wire.com) .. The code and implementation works really well
> and is very robust. We are using OpenSSL version 1.0.2g
>
>
> since our product is deployed globally on mobile data networks,
> we have quite variable latency and packetloss. The patch below
> shows my working code, it has an initial retransmit timeout
> of 400 ms which is incrementing by 10% for every re-trans.
>
>
> obviously this patch cannot make it into the official tree.
>
>
> but I would like to discuss with you guys the option to
> add some kind of API for:
>
> - Setting the initial RTO for DTLS (in milliseconds).
> - Setting the retransmit policy for DTLS, i.e. should it
> double or increment by X for every re-trans.
I think an API for that would be a great idea. Perhaps a callback could
be used so that you can set exactly the policy you want?
>
>
> in addition we have seen the code hit this assert
> in production:
>
>
> /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever get here */
>
>
> so I would say it should be safe to remove it.
Hmmmmm....the question is why does it get there? It shouldn't.
Matt
>
>
>
>
> Best Regards,
>
> Alfred E. Heggestad
> Berlin
>
>
>
> --
>
> diff -Naur openssl-1.0.2g/ssl/d1_lib.c openssl/ssl/d1_lib.c
> --- openssl-1.0.2g/ssl/d1_lib.c 2016-03-01 14:35:53.000000000 +0100
> +++ openssl/ssl/d1_lib.c 2016-06-01 10:45:27.000000000 +0200
> @@ -359,6 +359,8 @@
>
> void dtls1_start_timer(SSL *s)
> {
> + struct timeval diff;
> +
> #ifndef OPENSSL_NO_SCTP
> /* Disable timer for SCTP */
> if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
> @@ -369,14 +371,17 @@
>
> /* If timer is not set, initialize duration with 1 second */
> if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec
> == 0) {
> - s->d1->timeout_duration = 1;
> + s->d1->timeout_duration = 0.400;
> }
>
> /* Set timeout to current time */
> get_current_time(&(s->d1->next_timeout));
>
> /* Add duration to current time */
> - s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
> + diff.tv_sec = 0;
> + diff.tv_usec = 1000000*s->d1->timeout_duration;
> + timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout);
> +
> BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
> &(s->d1->next_timeout));
> }
> @@ -441,7 +446,7 @@
>
> void dtls1_double_timeout(SSL *s)
> {
> - s->d1->timeout_duration *= 2;
> + s->d1->timeout_duration *= 1.10;
> if (s->d1->timeout_duration > 60)
> s->d1->timeout_duration = 60;
> dtls1_start_timer(s);
> diff -Naur openssl-1.0.2g/ssl/d1_pkt.c openssl/ssl/d1_pkt.c
> --- openssl-1.0.2g/ssl/d1_pkt.c 2016-03-01 14:35:53.000000000 +0100
> +++ openssl/ssl/d1_pkt.c 2016-03-08 14:39:44.000000000 +0100
> @@ -1502,7 +1502,7 @@
> * will happen with non blocking IO
> */
> if (s->s3->wbuf.left != 0) {
> - OPENSSL_assert(0); /* XDTLS: want to see if we ever get
> here */
> + /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever
> get here */
> return (ssl3_write_pending(s, type, buf, len));
> }
>
> diff -Naur openssl-1.0.2g/ssl/dtls1.h openssl/ssl/dtls1.h
> --- openssl-1.0.2g/ssl/dtls1.h 2016-03-01 14:35:53.000000000 +0100
> +++ openssl/ssl/dtls1.h 2016-03-08 14:39:44.000000000 +0100
> @@ -225,8 +225,8 @@
> * Indicates when the last handshake msg or heartbeat sent will
> timeout
> */
> struct timeval next_timeout;
> - /* Timeout duration */
> - unsigned short timeout_duration;
> + /* Timeout duration in Seconds */
> + double timeout_duration;
> /*
> * storage for Alert/Handshake protocol data received but not yet
> * processed by ssl3_read_bytes:
>
>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
