Hi, I am using the OpenSSL library with FreeBSD, primarily the DTLS functionality. Unfortunately, what I discovered is that the DTLS networking requirements are implemented for Linux only in the OpenSSL code. That code is protected by #ifdef OPENSSL_SYS_LINUX and nothing is done for other OSes (see the file bss_dgram.c, line 534 in OpenSSL 1.0.1c).
For FreeBSD, that would be an easy fix: just use the socket option IP_DONTFRAG at the IPPROTO_IP level. Of course, a developer can always "manually" set the DF flag on the UDP socket, but then the application code would not be portable. It can be fixed either in the original OpenSSL code or in the FreeBSD "port" patch for OpenSSL.

Thanks!

Oleg Moskalenko

Formal bug description:

OpenSSL version: all versions with DTLS support.
OS name: FreeBSD 7.x, 8.x, 9.x
Compiler: any
Application: any DTLS application
Problem description: The DTLS packets do not have the "Don't fragment" IP flag (DF bit) set. According to the DTLS specs, it must always be set. In the OpenSSL code, the DF bit is supported only for Linux.
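The portable workaround the report alludes to, written out as an added example (not code from the report or from OpenSSL): it sets DF through FreeBSD's IP_DONTFRAG where that option exists and through the IP_MTU_DISCOVER mode OpenSSL already uses on Linux otherwise, then reads the setting back so an application can verify it took effect. It assumes an IPv4 UDP socket; the dtls_* function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set the IP "Don't Fragment" bit on a UDP socket so that a DTLS record
 * larger than the path MTU is rejected (EMSGSIZE) instead of being split
 * into IP fragments. Returns 0 on success, -1 on error (errno set),
 * -2 when this platform offers no known mechanism. */
int dtls_set_df(int fd)
{
#if defined(IP_DONTFRAG)
    int on = 1;                      /* FreeBSD / BSD: per-socket DF flag */
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, sizeof(on));
#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
    int mode = IP_PMTUDISC_DO;       /* Linux: "always DF" via PMTU mode  */
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof(mode));
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -2;
#endif
}

/* Read the option back: 1 if DF is set, 0 if not, -1 on error. */
int dtls_df_is_set(int fd)
{
#if defined(IP_DONTFRAG)
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, &len) != 0)
        return -1;
    return on != 0;
#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
    int mode = 0;
    socklen_t len = sizeof(mode);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    return mode == IP_PMTUDISC_DO;
#else
    (void)fd;
    return -1;
#endif
}

/* Self-check on a fresh UDP socket. Returns 1 on success, 2 if the
 * environment forbids creating sockets, 0 if DF could not be set. */
int dtls_df_selftest(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return (errno == EPERM || errno == EACCES || errno == EAFNOSUPPORT) ? 2 : 0;
    int ok = (dtls_set_df(fd) == 0) && (dtls_df_is_set(fd) == 1);
    close(fd);
    return ok ? 1 : 0;
}
```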
