Hi,
I got some code which uses nonblocking dtls via self fed bios.
If a unknown session comes up, I create a new session, feed/drain the
sessions bios from/to the wire until SSL_accept returns success.
Now, I added DTLS cookies.
I expected SSL_accept to return an error if a ClientHello packet is
received without the cookie, so I could free the resources for the
session and wait for the remote to resent its ClientHello with the
cookie, so I can allocate the resources for a new session again and
finally complete the handshake.
Turns out SSL_accept silently accepts a ClientHello without cookie, for
packets without a cookie, the cookie verify callback is not called too,
so I can't free any resources.
The timers do not help me either, as I'd have to keep state for the timers.
This basically renders the whole idea of DTLS cookies useless.
ssl3_get_client_hello returns 1 for packets without cookie - if a cookie
is requested, but dtls1_accept does not propagate this in any way I
could use.
Therefore my question, what is the proposed way to free resources until
a ClientHello packet with valid cookie arrives?
I think it might be best to change SSL_accept to return SSL_ERROR_SSL
for ClientHello packets without cookie - if a cookie is requested.
This would allow to free up resources of sessions created by received
ClientHello packets without cookie.
I mainly use openssl 0.9.8o, but verified the problem exists in 1.x too.
MfG
Markus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org