[openssl-users] DTLS and packet loss

Alfred E. Heggestad aeh at db.org
Tue Jun 2 08:58:41 UTC 2015


On 01/06/15 16:29, Matt Caswell wrote:
>
>
> On 01/06/15 12:52, Alfred E. Heggestad wrote:
>> Hey Matt,
>>
>>
>> openssl version 1.0.2a on both sides (Client and Server)
>>
>>
>>> Are you also running OpenSSL on the server side (and if so which version
>>> there)?
>>>
>>> The error message suggests that the NewSessionTicket message that has
>>> been received by the client is incorrectly formatted.
>>>
>>> A packet capture for a problem handshake might help diagnose the problem
>>> further.
>>>
>>
>> please see the attached PCAP file, in this case Packet #4 is dropped
>> internally in the software (to simulate Packet-loss).
>>
>>
>>
>> that test-code has the following option set, to avoid fragmentation:
>>
>>      SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
>>      DTLS_set_link_mtu(tc->ssl, 1480);
>>
>>
>> please note that dropping Packet #1, #2 and #3 works as expected.
>> but dropping the final packet (packet #4) does not work.
>
> Thanks - I've figured it out. This is a manifestation of a known issue
> with retransmits in 1.0.2a. It will be fixed in 1.0.2b. I have attached
> a patch for 1.0.2a which should solve your problems for now.
>
> The relevant 1.0.2 commits that fix this are here:
> https://github.com/openssl/openssl/commit/a20718fa2c0a45e6acb975cf6c0438c3ebd45b13
>
> and here:
> https://github.com/openssl/openssl/commit/4285b851637a3da8bd6e96848f0deffb6be5e626
>
>

Matt,

thank you for the fast response and patches :)


I can confirm that 1.0.2a + patches above fixes the DTLS packet-loss issue.


keep up the good work guys!




/alfred

