On Wed, 2016-10-05 at 21:31 +0100, Matt Caswell wrote:
>
>
> On 05/10/16 15:37, David Woodhouse wrote:
> >         DTLS_set_link_mtu(vpninfo->dtls_ssl, mtu);
> >
> >         /* We already set the link MTU, but hopefully by the time we
> >          * finish it, this function will be better at working out the
> >          * actual tunnel MTU than OpenSSL is. So do that too... */
> >         SSL_set_mtu(vpninfo->dtls_ssl, tun_mtu);
>
> This is pointless. The link mtu setting will take precedence.
Hm, thanks. It's also wrong. There are *three* MTU values, and I had conflated them.

Firstly there is the link MTU (d1->link_mtu, e.g. 1500). Secondly there is the DTLS record MTU without the IP/UDP overhead (d1->mtu, e.g. 1472). Finally there's the one I need to find, the data payload MTU (with AES128-GCM e.g. 1434).

The code you saw was using DTLS_set_link_mtu(1472) where it should be using SSL_set_mtu(1472). I shouldn't be calling DTLS_set_link_mtu() at all.

-- 
dwmw2
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev