<div dir="ltr"><div class="gmail_quote"><br><div dir="ltr">Hi All,<div><br></div><div>Below is our scenario on DTLS.</div><div><br></div><div>We have multiple connections to the same server. We have mapped one fd to the ssl in the server to receive all connections.</div><div><br></div><div>Whenever a connect is initiated from any client we need to know if it is already connected client or a new client. We are doing this by </div><div><ul><li>creating bio/ssl each time a polling happens on the server fd<br></li><li>fetching the peer using BIO_dgram_get_peer after ssl_accept <br></li><li>Comparing it to the internally maintained list of peer<br></li><li>If it is a new peer we continue with handshake but if it is old peer we do the ssl_read.</li></ul><div>The problem is that there are 2 bio/ssl that gets created for the same fd(when there are 2 clients) and the peer end up writing to latest of them and we don't get the message on the intended ssl.</div></div><div>Hence we are checking for a way to detach and remove the ssl/bio that gets created in already connected cases.</div><div><br></div><div>Any help is appreciated.</div><div><br></div><div>Any APIs available to close up the 2nd ssl associated with the fd. ssl_clear and ssl_free does not work.</div><div><br></div><div>Thanks,</div><div>Grace</div><div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Jan 11, 2018 at 6:30 PM, Michael Richardson <span dir="ltr"><<a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5"><span class="m_4465844070281978406gmail-"><br>
Grace Priscilla Jero <<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail.com</a>> wrote:<br>
> We are having a scenario wherein we are having 2 BIOs for DTLS<br>
> attached to the same fd. Each BIO has a different SSL associated with<br>
> it. The messages are getting written to different BIO each time and we<br>
> are trying to resolve it.<br>
<br>
> Is there a API or any way to detach one of the BIO/SSL from the fd for<br>
> DTLS?<br>
<br>
</span>No. How did you get into that situation in the first place?<br>
My belief is that the DTLS API is suitable for (Secure)RTP only, and not for<br>
CoAP-type usage. (or other DTLS server end-point usage)<br>
<br>
According to some source code comments, you should have called connect() on<br>
the socket after the first connection was received, and then (or<br>
previously... there are race conditions either way), opened a new<br>
socket.<br>
<br>
I ran into this, and I wound up creating a new API, which is in a pull<br>
request:<br>
<a href="https://github.com/openssl/openssl/pull/5024" rel="noreferrer" target="_blank">https://github.com/openssl/ope<wbr>nssl/pull/5024</a><br>
<a href="https://github.com/mcr/openssl/tree/dtls-listen-refactor" rel="noreferrer" target="_blank">https://github.com/mcr/openssl<wbr>/tree/dtls-listen-refactor</a><br>
<br>
Sadly, the new test case I wrote is not running consistently, which I'm still<br>
debugging.<br>
<br>
--<br>
] Never tell me the odds! | ipv6 mesh networks [<br>
] Michael Richardson, Sandelman Software Works | network architect [<br>
] <a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/" rel="noreferrer" target="_blank">http://www.sandelman.ca/</a> | ruby on rails [<br>
<br>
<br></div></div><span class="">--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailma<wbr>n/listinfo/openssl-users</a><br>
<br></span></blockquote></div><br></div></div></div>
</div><br></div>