On Jun 3, 2012, at 11:35 PM, Oleg Moskalenko wrote:

> Hi Michael
> 
> You are right, this is SHOULD, not MUST, but still it is strongly 
> recommended. 
Hi Oleg,

my point was that the application SHOULD be able to control the sending of the 
DF bit, not that the DF bit always has to be set...
> 
> My point was that, probably, OpenSSL should make the things as universally 
> and portable as possible... it allows setting this bit to DF for Linux, and 
> if FreeBSD provides the same facility, then why not use it, to make the 
> application code as portable as possible ?
I agree, that is why we were looking into it...
> 
> And you are right, setting DF bit is not enough for PMTU discovery. But it 
> would still be nice to have.
> 
> You mentioned a patch, where can I find it ?
I guess Robin can polish it a bit and submit it to the OpenSSL maintainers for 
inclusion...
Once it has been submitted we can also put it on our web page with the OpenSSL 
patches. I can drop you a note...

Best regards
Michael
> 
> Thanks !
> Oleg
> 
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Michael Tuexen
>> Sent: Sunday, June 03, 2012 1:31 PM
>> To: openssl-users@openssl.org
>> Cc: Robin Seggelmann
>> Subject: Re: OpenSSL port in FreeBSD: DTLS networking problem (DF bit
>> not set)
>> 
>> On Jun 3, 2012, at 7:56 PM, Oleg Moskalenko wrote:
>> 
>>> Hi
>>> 
>>> I am using the OpenSSL library with FreeBSD, primarily the DTLS
>> functionality. Unfortunately, what I discovered, is that the DTLS
>> networking requirements are implemented for Linux only in OpenSSL code.
>> That code is protected by #ifdef OPENSSL_SYS_LINUX and nothing is done
>> for other OSes (see the file bss_dgram.c, line 534 in OpenSSL 1.0.1c).
>>> 
>>> For FreeBSD, that would be an easy fix - just use the socket option
>> IP_DONTFRAG on IPPROTO_IP level.
>>> 
>>> Of course, a developer can always "manually" set the DF flag on the
>> UDP socket, but then the application code would not be portable.
>>> 
>>> It can be fixed in either original OpenSSL code, or in FreeBSD "port"
>> patch for OpenSSL.
>>> 
>>> Thanks !
>>> Oleg Moskalenko
>>> 
>>> Formal bug description:
>>> 
>>> OpenSSL version: all versions with DTLS support.
>>> OS name: FreeBSD 7.x, 8.x, 9.x
>>> Compiler: any
>>> Application: any DTLS application
>>> Problem description:  The DTLS packets do not have "Don't fragment"
>> IP flag set (DF bit). According to DTLS specs, it must always be set.
>> In OpenSSL code, DF bit is supported only for Linux.
>> Where is it specified that the DF bit must always be set? In
>> http://tools.ietf.org/html/rfc6347
>> I only see:
>>   -  Where allowed by the underlying transport protocol, the upper
>>      layer protocol SHOULD be allowed to set the state of the DF bit
>>      (in IPv4) or prohibit local fragmentation (in IPv6).
>> The problem is that not all OSes support controlling the DF bit.
>> FreeBSD allows it. We do have a patch, which allows controlling it on
>> platforms which support it.
>> 
>> However, providing a way to do PMTU discovery in a portable way is more
>> complex...
>> 
>> Best regards
>> Michael
>>> 
>> 
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org

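
The portability problem discussed in this thread, as an added example that is not OpenSSL's code and not the patch Michael mentions: two small helpers that set and read the "don't fragment" state of a UDP socket, using IP_MTU_DISCOVER / IP_PMTUDISC_DO on Linux (the facility OpenSSL's Linux-only branch relies on) and IP_DONTFRAG on IPPROTO_IP level on FreeBSD, and reporting "unsupported" elsewhere instead of silently doing nothing. The function names and return-code convention are my own.

```c
/* Added example, not part of OpenSSL or the FreeBSD port patch.
 * udp_set_dontfrag()/udp_get_dontfrag() are hypothetical helper names. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>   /* IP_MTU_DISCOVER/IP_PMTUDISC_* (Linux), IP_DONTFRAG (FreeBSD) */

/* Set (on != 0) or clear the DF bit on an IPv4 UDP socket.
 * Returns 0 on success, -1 on error (errno set),
 * 1 if this platform offers no way to control DF (errno = ENOPROTOOPT). */
int udp_set_dontfrag(int fd, int on)
{
#if defined(__linux__)
    /* Linux controls DF through the per-socket PMTU discovery mode. */
    int val = on ? IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof(val)) == 0 ? 0 : -1;
#elif defined(IP_DONTFRAG)
    /* FreeBSD (and other BSDs that define it): a plain boolean option. */
    int val = on ? 1 : 0;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, sizeof(val)) == 0 ? 0 : -1;
#else
    (void)fd; (void)on;
    errno = ENOPROTOOPT;   /* caller must fall back to non-DF operation */
    return 1;
#endif
}

/* Read back the DF state: 1 = set, 0 = not set, -1 = error, 2 = unsupported. */
int udp_get_dontfrag(int fd)
{
#if defined(__linux__)
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) != 0)
        return -1;
    return val == IP_PMTUDISC_DO ? 1 : 0;
#elif defined(IP_DONTFRAG)
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, &len) != 0)
        return -1;
    return val ? 1 : 0;
#else
    (void)fd;
    return 2;
#endif
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int rc = udp_set_dontfrag(fd, 1);
    if (rc == 0)
        printf("DF set, readback = %d\n", udp_get_dontfrag(fd));
    else if (rc == 1)
        printf("this platform cannot control the DF bit\n");
    else
        perror("setsockopt");
    close(fd);
    return 0;
}
```

Setting DF is only half of what a DTLS application needs: once the bit is set, a datagram larger than the path MTU is no longer fragmented but rejected, so sendto() fails with EMSGSIZE, and the application has to react by lowering the MTU it hands to OpenSSL (for example via SSL_set_mtu()) and retransmitting. That reaction is the part Michael describes as hard to do portably.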
