[openssl-users] How to handle DTLS Certificate Reassembly Error

Chad Phillips chad at apartmentlines.com
Sun Sep 18 17:13:40 UTC 2016


Great, thanks for this very clear description, I passed it along to the
Licode developers, and hopefully we can put this sucker to rest.

I also included your recommendation to upgrade, which is something I’ve
been bugging them to do for a while :)

On Sun, Sep 18, 2016 at 1:37 AM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 18/09/16 01:01, Chad Phillips wrote:
> > On Sat, Sep 17, 2016 at 3:43 PM, Matt Caswell <matt at openssl.org
> > <mailto:matt at openssl.org>> wrote:
> >
> >     There is an OpenSSL API which is intended to resolve this issue:
> >
> >     DTLSv1_handle_timeout()
> >
> >     The application is expected to call this periodically during the
> >     handshake if no other data has been sent or received. This causes
> >     OpenSSL to check its timer and do any retransmits if necessary. If
> >     licode doesn’t call this, then it's plausible that this is the cause
> >     of the issue.
> >
> >
> > “grep -r DTLSv1_handle_timeout .” in the Licode source directory returns
> > nothing, so we may have our culprit!
> >
> > Curious what versions of openssl support the DTLSv1_handle_timeout()
> > approach? I know the Licode guys run 1.0.1g, it would be great if a
> > single solution could be committed that was backwards compatible.
>
> Yes, DTLSv1_handle_timeout() is available in 1.0.1 as well. BTW there
> have been many DTLS bug and security fixes since 1.0.1g which is now
> quite old. The 1.0.1 series is now only receiving security fixes, and
> will go out of support completely at the end of the year. It is strongly
> recommended that they upgrade to a more recent version.
>
>
> >
> > Is there anything special I should know about how to use
> > DTLSv1_handle_timeout()? Just have it run on a timer until the handshake
> > completes? I guess I’m asking for some pre-documentation ;)
>
> Well the best way to use it is going to depend a lot on how the
> application is written. The API is fairly simple - just call
> DTLSv1_handle_timeout() periodically passing in the pointer to the SSL
> object. In our own s_server/s_client we just call it every time we go
> around the "select" loop on the socket. We ensure that the "select" call
> doesn't block indefinitely, but instead times out after the DTLS timer
> period has expired. We then call DTLSv1_handle_timeout() regardless of
> whether "select" has returned because the socket is readable, or because
> it has timed out. A (slightly modified and simplified) version of what
> we do in s_server is below:
>
>             FD_ZERO(&readfds);
>             FD_SET(s, &readfds);
>
>             /* Bound select() by the DTLS retransmit timer, if one is armed */
>             if (DTLSv1_get_timeout(con, &timeout))
>                 timeoutp = &timeout;
>             else
>                 timeoutp = NULL;
>
>             i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
>
>             /* Called on every pass, whether select() saw data or timed out */
>             if (DTLSv1_handle_timeout(con) > 0) {
>                 BIO_printf(bio_err, "TIMEOUT occurred\n");
>             }
>
>             if (i <= 0)
>                 continue;
>
>             if (FD_ISSET(s, &readfds))
>                 read_from_sslcon = 1;
>
> Matt