[openssl-users] DTLS-over-UDP client example

[aleksandr.derevianko at btsignal.ru]

Hello !

17.09.2018, 16:26, "Richard Weinberger" <richard.weinberger at gmail.com>:
> On Thu, Sep 13, 2018 at 3:51 PM <aleksandr.derevianko at btsignal.ru> wrote:
>>  I tryed to dig inside openssl s_client source code, but it's really too complex for me, it seems like s_client doesn't use
>>  SSL_connect, instead, using more low-level functions.
>>
>>  So, does anybody have any simple client-side implementation of DTLS over UDP connection?
>
> https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
> ... is a good example.

Unfortunelly, it's exactly this example which I use. You have pointed on slightly different version,
but all difference is: 

	SSL_CTX_set_cookie_verify_cb(ctx, &verify_cookie);
instead of 
	SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);

	ctx = SSL_CTX_new(DTLS_client_method());
instead of 
    ctx = SSL_CTX_new(DTLSv1_client_method());


I have tryed it, works exactly the same.

In both versions, on client side cipher_list is:
	SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

With such list it works, but without encoding (data send in cleartext, connection established as  Cipher: NULL-SHA)

and if I remove eNULL on client side, it doesn't connect - server wait repeat of client cookue forever. 

At the same time,  "openssl s_client -dtls1   ..." connects fine, with Cipher: AES256-SHA

>
> In case you are on 1.1.x, please also see:
> https://mta.openssl.org/pipermail/openssl-users/2018-August/008498.html
>
> OpenSSL badly regressed in 1.1.x wrt. DTLS.
>

Actually, I use openssl-1.0.2o_2,1
Also, this "regression" is for multy-threaded server, not for single-threaded client.


-- 
Александр Деревянко/Aleksander Derevianko
Нач. отдела новых аппаратно-программных средств
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T:   +74959255370 Доб. 265
M: +79859229755