[openssl-users] Query regarding DTLS handshake

Martin Brejcha martin.brejcha at mavenir.com
Thu Apr 20 13:19:00 UTC 2017



Matt Caswell wrote on 04/20/2017 01:29 PM:
> 
> 
> On 20/04/17 12:26, mahesh gs wrote:
>> Hi Matt,
>>
>> Yes, I raised a GitHub case for the same issue. I also tried running this
>> call flow with the latest SNAPSHOT code (openssl-SNAP-20170419) and the
>> handshake is successful with the latest SNAPSHOT code, which is not an
>> official release.
>>
>> I checked the GitHub repo history and observed that during the commits on
>> (11th Jan) as a part of "Move state machine knowledge out of the record
>> layer", the "renegotiate" bit that is set to "2" in function
>> "tls_post_process_client_hello" has been removed. Maybe that is causing
>> the call flow to be successful in the latest SNAPSHOT release.
>>
>> I am assuming commits that are done on 11th Jan or later are not part of
>> release openssl 01.01.00e
> 
> Ah. No. That commit is in the dev branch only (scheduled for version
> 1.1.1) and won't be backported to the 1.1.0 branch. I can see why that
> commit might help things, but probably a different solution is more
> appropriate for 1.1.0.
> 
> I'm looking at this issue at the moment.
> 
> Matt
> 

hi,

btw: I've tested a similar scenario and the handshake works fine.
test env: client and server on different VMs (rhel7.2, openssl 1.1.0e, non-blocking sockets and segmented certificate)
So, it should work also with the 1.1.0e version.

Martin


>>
>>
>> Thanks,
>> Mahesh G S 
>>
>> On Wed, Apr 19, 2017 at 6:56 PM, Matt Caswell <matt at openssl.org
>> <mailto:matt at openssl.org>> wrote:
>>
>>     For those following this discussion Mahesh has created a github issue
>>     with much more detail (at least I am assuming this is the same issue):
>>
>>     https://github.com/openssl/openssl/issues/3251
>>     <https://github.com/openssl/openssl/issues/3251>
>>
>>     Matt
>>
>>
>>     On 18/04/17 21:17, Michael Tuexen wrote:
>>     >> On 13. Apr 2017, at 11:11, mahesh gs <mahesh116 at gmail.com
>>     <mailto:mahesh116 at gmail.com>> wrote:
>>     >>
>>     >> Hi,
>>     >>
>>     >> We are running SCTP connections with DTLS enabled in our
>>     application. We have adapted openssl version (openssl-1.1.0e) to
>>     achieve the same.
>>     >>
>>     >> We have generated the self-signed root and node certificates for
>>     testing. We have a strange problem with an incomplete DTLS
>>     handshake if we run the DTLS client and DTLS server on different
>>     systems. If we run the DTLS client and server on the same system the
>>     handshake is successful; the handshake is not successful if we run the client
>>     and server in different VMs.
>>     >>
>>     >> This strange problem happens only for SCTP/DTLS connection. With
>>     the same set of certificates TCP/TLS connection is successful and we
>>     are able to exchange the application data.
>>     >>
>>     >> I am attaching the code bits for SSL_accept and SSL_connect and
>>     also the Wireshark trace of the unsuccessful handshake. Please assist me
>>     in debugging this problem.
>>     >>
>>     >> SSL_accept returns SSL_ERROR_WANT_READ (2) an infinite number of times, but
>>     SSL_connect is called 4 or 5 times and the select system call times out.
>>     > Which OS are you using? With a test program I could reproduce
>>     SSL_accept() returning SSL_ERROR_WANT_READ under FreeBSD,
>>     > but not under Linux. Haven't figured out what the problem is. So
>>     if you are using FreeBSD we might experience the same problem...
>>     >
>>     > Best regards
>>     > Michael
>>     >>
>>     >> Thanks,
>>     >> Mahesh G S
>>     >>
>>     >>
>>     >> <testcode.txt><proxy.cap>--
>>     >> openssl-users mailing list
>>     >> To unsubscribe:
>>     https://mta.openssl.org/mailman/listinfo/openssl-users
>>     <https://mta.openssl.org/mailman/listinfo/openssl-users>
>>     >
>>     --
>>     openssl-users mailing list
>>     To unsubscribe:
>>     https://mta.openssl.org/mailman/listinfo/openssl-users
>>     <https://mta.openssl.org/mailman/listinfo/openssl-users>
>>
>>
>>
>>

