On Jul 24, 2011, at 12:40 AM, com...@gmx.ch wrote:

> Hi,
> 
> 
> I got some code which uses nonblocking DTLS via self-fed BIOs.
> If an unknown session comes up, I create a new session and feed/drain the 
> session's BIOs from/to the wire until SSL_accept returns success.
> 
> Now, I added DTLS cookies.
> I expected SSL_accept to return an error if a ClientHello packet is received 
> without the cookie, so I could free the resources for the session and wait 
> for the remote to resend its ClientHello with the cookie, so I can allocate 
> the resources for a new session again and finally complete the handshake.
> 
> Turns out SSL_accept silently accepts a ClientHello without a cookie; for 
> packets without a cookie, the cookie verify callback is not called either, so I 
> can't free any resources.
You are supposed to call DTLSv1_listen() to handle the front state...
> The timers do not help me either, as I'd have to keep state for the timers.
> This basically renders the whole idea of DTLS cookies useless.
> 
> ssl3_get_client_hello returns 1 for packets without a cookie (if a cookie is 
> requested), but dtls1_accept does not propagate this in any way I could use.
> 
> Therefore my question, what is the proposed way to free resources until a 
> ClientHello packet with valid cookie arrives?
You don't need to free anything. Use the listen for front state handling.
> 
> I think it might be best to change SSL_accept to return SSL_ERROR_SSL for 
> ClientHello packets without a cookie, if a cookie is requested.
> This would allow freeing up the resources of sessions created by received 
> ClientHello packets without a cookie.
> 
> 
> I mainly use openssl 0.9.8o, but verified the problem exists in 1.x too.
Robin is always suggesting to use 1.0.0 ...

Best regards
Michael
> 
> 
> MfG
> Markus
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 

