[openssl-users] DTLS over UDP

Michael Richardson mcr at sandelman.ca
Tue Feb 13 18:51:10 UTC 2018


Nivedita <maddi.nivedita at gmail.com> wrote:
    > I am trying to establish DTLS over UDP connection by using
    > DTLSv1_listen method .

    > I have followed the below steps - 1. Created a server socket and using
    > this socket created bio and ssl object.  bio =
    > BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);

    > 2. Enable cookie exchange on SSL object.  SSL_set_options(ssl,
    > SSL_OP_COOKIE_EXCHANGE);

    > 3. Then started listening using dtlsv1_listen for the new client
    > connections.  Once dtlsv1_listen is successful and i got the peer
    > address.

okay.

    > 4. Once i got the peer address , i am creating one more socket
    > 5. With the new socket i tried to connect to peer address.

Do you mean, you call "SSL_connect()"?
Or do you mean you bind(2) and connect(2) the socket.

    > 6. Then i am trying to do ssl_accept on the new socket by calling
    > bio_set_fd.

    > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);

    > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
    > &client_addr);

    > SSL_set_fd(ssl,VI_newsock_id);

So, SSL_set_fd() will allocate a ne bio, which probably undoes the effect
of calling BIO_CRTL_DGRAM_SET_CONNECTED.  Since you have set the fd of
the existing BIO, I think you can omit that line.


    > VI_res = SSL_accept(ssl);

    > But ssl_accept will always return error code 2 [ i.e want read or want
    > write]

    > But if i am doing ssl_accept without doing the step no 6 it it will be
    > successful.

Yes.

    > Could someone please let us know how to switch to newly created socket,
    > so that it can start using newly created socket for further read and
    > write operations and original server socket will keep on listening for
    > new connections.

Do you expect additional connections on the existing socket?
I've been working on some new API to make this all easier.

Your method may fail if you have bound your "listen" to :: (0.0.0.0),
and you have multiple IPs.  In my case, I expect connections over IPv6 LL
addresses, and there are always multiple of those, and ifindex issues as well.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180213/68f6b7a2/attachment-0001.sig>


More information about the openssl-users mailing list