Resetting DTLS server
Michael Richardson
mcr at sandelman.ca
Tue Nov 12 14:05:38 UTC 2019
On 2019-11-12 9:30 p.m., Patrick Herbst wrote:
> On Tue, Nov 12, 2019 at 3:00 AM Michael Richardson <mcr at sandelman.ca> wrote:
>> Close the UDP socket on the client and open a new one to get a new
>> source port.
>> Does that work? I'm not terribly happy with this solution, but it does
>> match what TCP would do.
>>
> In general, here is what i do (assuming only 1 client for proof of
> concept, and skipping some mundane steps)
> also assuming the client is using the same addr/port, so "connect"
> would not make a difference.
so you are showing me your server code, correct, and this is for DTLS,
right?
Do you call DTLSv1_accept()?
You don't seem to be creating a new socket anywhere, or calling
connect() on this socket.
I'm not sure I understand your comment above about connect would not be
a difference.
If your DGRAM socket is not connected, how can you send packets back?
It would be nice
if DTLS code would store the origin of every packet and demux it into
multiple SSL*, but it doesn't work that way.
>
> s=socket(AF_INET, SOCK_DGRAM, 0);
> bind(s, &serverAddr, sizeof(serverAddr));
> ssl=SSL_new(ctx);
> bio=BIO_new_dgram(s, BIO_NOCLOSE);
> SSL_accept(ssl);
>
> while (1) {
> select(FD_SETSIZE, fds, NULL, NULL, NULL);
> if (FD_ISSET(s)) {
> n=SSL_read(ssl, buffer, sizeof(buffer));
> if (n>0) {
> printf("rx: %s\n", buffer);
> } else {
> printf("bad things\n");
> }
> }
> }
>
> What happens is form the Server standpoint, it doesn't know when a
> client restarts. When the client does restart, the server blocks on
> SSL_read while the internals of the library keep reading packets until
> it gets app data... so it ignores another clienthello, but doesn't
> notify the server of that condition.
>
> am i missing something? is this worth fixing in the library? is this
> intended behavior?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191112/b094dc8d/attachment-0001.sig>
More information about the openssl-users
mailing list