<div dir="ltr">Great, thanks for this very clear description, I passed it along to the Licode developers, and hopefully we can put this sucker to rest.<div><br></div><div>I also included your recommendation to upgrade, which is something I’ve been bugging them to do for awhile :)<br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 18, 2016 at 1:37 AM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 18/09/16 01:01, Chad Phillips wrote:<br>
> On Sat, Sep 17, 2016 at 3:43 PM, Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a><br>
</span><span class="">> <mailto:<a href="mailto:matt@openssl.org">matt@openssl.org</a>>> wrote:<br>
><br>
> There is an OpenSSL API which is intended to resolve this issue:<br>
><br>
> DTLSv1_handle_timeout()<br>
><br>
> The application is expected to call this periodically during the<br>
> handshake if no other data has been sent or received. The causes<br>
> OpenSSL to check its timer and do any retransmits if necessary. If<br>
> licode doesn’t call this, then its plausible that this is the cause<br>
> of the issue.<br>
><br>
><br>
> “grep -r DTLSv1_handle_timeout .” in the Licode source directory returns<br>
> nothing, so we may have our culprit!<br>
><br>
> Curious what versions of openssl support the DTLSv1_handle_timeout()<br>
> approach? I know the Licode guys run 1.0.1g, it would be great if a<br>
> single solution could be committed that was backwards compatible.<br>
<br>
</span>Yes, DTLSv1_handle_timeout() is available in 1.0.1 as well. BTW there<br>
have been many DTLS bug and security fixes since 1.0.1g which is now<br>
quite old. The 1.0.1 series is now only receiving security fixes, and<br>
will go out of support completely at the end of the year. It is strongly<br>
recommended that they upgrade to a more recent version.<br>
<span class=""><br>
<br>
><br>
> Is there anything special I should know about how to use<br>
> DTLSv1_handle_timeout()? Just have it run on a timer until the handshake<br>
> completes? I guess I’m asking for some pre-documentation ;)<br>
<br>
</span>Well the best way to use it is going to depend a lot on how the<br>
application is written. The API is fairly simple - just call<br>
DTLSv1_handle_timeout() periodically passing in the pointer to the SSL<br>
object. In our own s_server/s_client we just call it every time we go<br>
around the "select" loop on the socket. We ensure that the "select" call<br>
doesn't block indefinitely, but instead times out after the DTLS timer<br>
period has expired. We then call DTLSv1_handle_timeout() regardless of<br>
whether "select" has returned because the socket is readable, or because<br>
it has timed out. A (slightly modified and simplified) version of what<br>
we do in s_server is below:<br>
<br>
FD_ZERO(&readfds);<br>
FD_SET(s, &readfds);<br>
<br>
if (DTLSv1_get_timeout(con, &timeout))<br>
timeoutp = &timeout;<br>
else<br>
timeoutp = NULL;<br>
<br>
i = select(width, (void *)&readfds, NULL, NULL, timeoutp);<br>
<br>
if (DTLSv1_handle_timeout(con) > 0) {<br>
BIO_printf(bio_err, "TIMEOUT occurred\n");<br>
}<br>
<br>
if (i <= 0)<br>
continue;<br>
<br>
if (FD_ISSET(s, &readfds))<br>
read_from_sslcon = 1;<br>
<div class="HOEnZb"><div class="h5"><br>
Matt<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div></div>