<div dir="ltr"><div class="gmail_quote"><br><div dir="ltr">Hi Michael,<div>  <div>   Please ignore the previous mail. By mistake it got sent.<div> I have provided my comments below.</div><div><br></div><div>Thanks in advance.</div><div>Regards,</div><div>Nivedita<br><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Feb 14, 2018 at 10:22 AM, Nivedita <span dir="ltr"><<a href="mailto:maddi.nivedita@gmail.com" target="_blank">maddi.nivedita@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Michael,<div><br></div><div>Thanks for the reply.</div><div><br></div><div>I have mentioned the answers below. </div></div></blockquote><div><br></div><div>     </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_-1344953434953853297gmail-h5">On Wed, Feb 14, 2018 at 12:21 AM, Michael Richardson <span dir="ltr"><<a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Michael Richardson <<a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] DTLS over UDP<br>
In-Reply-To: <CACS8YK320Z=<a href="mailto:E8wc7YBt6hC0jQ7i6kzLMECFyL0SO23AznnscrQ@mail.gmail.com" target="_blank">E8wc7YBt6hC0jQ7i6kzLMECFyL0SO23AznnscrQ@mail.gmail.com</a>><br>
References: <CACS8YK320Z=<a href="mailto:E8wc7YBt6hC0jQ7i6kzLMECFyL0SO23AznnscrQ@mail.gmail.com" target="_blank">E8wc7YBt6hC0jQ7i6kzLMECFyL0SO23AznnscrQ@mail.gmail.com</a>><br>
X-Mailer: MH-E 8.6; nmh 1.7-RC3; GNU Emacs 24.5.1<br>
Date: Tue, 13 Feb 2018 13:51:10 -0500<br>
Message-ID: <<a href="mailto:10616.1518547870@obiwan.sandelman.ca" target="_blank">10616.1518547870@obiwan.sandelman.ca</a>><br>
<br>
<br>
Nivedita <<a href="mailto:maddi.nivedita@gmail.com" target="_blank">maddi.nivedita@gmail.com</a>> wrote:<br>
    > I am trying to establish a DTLS over UDP connection by using the<br>
    > DTLSv1_listen method.<br>
<br>
    > I have followed the below steps - 1. Created a server socket and using<br>
    > this socket created bio and ssl object.  bio =<br>
    > BIO_new_dgram(VI_sock, BIO_NOCLOSE); SSL_set_bio(ssl, VP_bio, VP_bio);<br>
<br>
    > 2. Enable cookie exchange on SSL object.  SSL_set_options(ssl,<br>
    > SSL_OP_COOKIE_EXCHANGE);<br>
<br>
    > 3. Then started listening using dtlsv1_listen for the new client<br>
    > connections.  Once dtlsv1_listen is successful I got the peer<br>
    > address.<br>
<br>
okay.<br></blockquote></div></div></div></div></div></div></blockquote></div></div><div>       Nivedita - Here the ssl object is created on the server socket and the same ssl is passed to the dtlsv1_listen method. </div><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><div><div class="m_-1344953434953853297gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"></blockquote><div><br></div></div></div><div>   Nivedita - All the above mentioned steps I am doing on the server side. On the client side I have already initiated ssl_connect. </div><div>                  On the server side I am listening using the dtlsv1_listen method -</div></div></div></div></div></blockquote><div>                        </div></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="m_-1344953434953853297gmail-h5"><div>                  while ((VI_res = DTLSv1_listen(VP_ssl, &VS_client_addr)) <= 0);</div></div></div></div></div></blockquote><div>               Now I got the client_addr from the dtlsv1_listen method. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="m_-1344953434953853297gmail-h5"><div><span style="white-space:pre-wrap">  </span>  </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
    > 4. Once i got the client address , i am creating one new socket<br>
    > 5. With the new socket i tried to connect to client address.<span class=""><br>
<br>
Do you mean, you call "SSL_connect()"?<br>
Or do you mean you bind(2) and connect(2) the socket?<br></span></blockquote></div></div></div></div></blockquote><div><br></div><div>          Nivedita - Once I got the client address from dtlsv1_listen, I am creating one more socket and trying to connect to the client address which I got from the dtlsv1_listen method.</div><div><br></div><div>               VI_res = connect(VI_new_sock_id, (struct sockaddr *)&client_addr, sizeof(client_addr));</div><span class=""><div>              </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="m_-1344953434953853297gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
    > 6. Then i am trying to do ssl_accept on the new socket by calling<br>
    > bio_set_fd.<br>
<br>
    > BIO_set_fd(SSL_get_rbio(ssl), VI_new_sock_id, BIO_NOCLOSE);<br>
<br>
    > BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0,<br>
    > &client_addr);<br>
<br>
    > SSL_set_fd(ssl,VI_newsock_id);<br>
<br>
So, SSL_set_fd() will allocate a new bio, which probably undoes the effect<br>
of calling BIO_CTRL_DGRAM_SET_CONNECTED.  Since you have set the fd of<br>
the existing BIO, I think you can omit that line.<br>
<br></blockquote></div></div></div></div></blockquote></span><div>        Nivedita - I have removed SSL_set_fd and tried by doing BIO_set_fd and BIO_ctrl, but still ssl_accept always returns -1 with an error code of 2.</div><div><br></div><div>                         VI_res = BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);</div><div>                         VI_res = BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);</div><div>          </div><div>                         SSL_set_accept_state(VP_ssl);</div><div>
                         VI_res = SSL_accept(ssl);
</div><div><br></div><div>       This ssl object is the same one which we have passed to the dtlsv1_listen method. Actually I am trying to do the ssl_accept on a different socket for every client, even though </div><div>      dtlsv1_listen happens on the server socket. Could you please let me know if it is possible.</div><span class=""><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="m_-1344953434953853297gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
    > VI_res = SSL_accept(ssl);<br>
<br>
    > But ssl_accept will always return error code 2 [i.e. want read or want<br>
    > write].<br>
<br>
    > But if I am doing ssl_accept without doing step no 6 it will be<br>
    > successful.<br>
<br>
Yes.<br>
<br>
    > Could someone please let us know how to switch to newly created socket,<br>
    > so that it can start using newly created socket for further read and<br>
    > write operations and original server socket will keep on listening for<br>
    > new connections.<br>
<br>
Do you expect additional connections on the existing socket?<br>
I've been working on some new API to make this all easier.<br>
<br></blockquote></div></div></div></div></blockquote></span><div>       Nivedita - Yes, we have multiple peers which try to connect to the same server, so in that case I need different sockets: one for listening operations and one for read/write operations [one per client].</div><span class=""><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="m_-1344953434953853297gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Your method may fail if you have bound your "listen" to :: (0.0.0.0),<br>
and you have multiple IPs.  In my case, I expect connections over IPv6 LL<br>
addresses, and there are always multiple of those, and ifindex issues as well.<br>
<br>
--<br>
]               Never tell me the odds!                 | ipv6 mesh networks [<br>
]   Michael Richardson, Sandelman Software Works        | network architect  [<br>
]     <a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a>  <a href="http://www.sandelman.ca/" rel="noreferrer" target="_blank">http://www.sandelman.ca/</a>        |   ruby on rails    [<br>
<br>
<br>
</blockquote></div></div><br><br></div></div>
</blockquote></span></div><br></div></div></div></div></div>
</div><br></div>
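<p>The per-client socket handoff discussed in the thread above, shown as an added example that is not code from the thread or from OpenSSL. The OpenSSL calls (DTLSv1_listen, BIO_CTRL_DGRAM_SET_CONNECTED, SSL_accept) are left out so that it builds with plain POSIX sockets; the names udp_bound, dgram_handoff and run_demo are my own. The new socket is bound, with SO_REUSEADDR, to the listener's own address and port before it is connect()ed to the peer: a socket that is only connect()ed gets an ephemeral local port, so the peer's further datagrams would keep arriving at the listener instead of the new socket. The loopback demonstration relies on the Linux UDP lookup preferring a connected socket over an unconnected one bound to the same address and port. Binding the listener to one specific address sidesteps the wildcard-plus-multiple-IPs problem raised in the reply; a listener bound to 0.0.0.0 or :: would have to learn each datagram's destination address (IP_PKTINFO / IPV6_RECVPKTINFO) before binding the per-client socket, which this example does not do.</p>

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Open a UDP socket bound to *local (port 0 means ephemeral).
 * Listener and every per-client socket share one local address:port,
 * which UDP permits when all of them set SO_REUSEADDR before bind(). */
static int udp_bound(const struct sockaddr_in *local)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int one = 1;
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (const struct sockaddr *)local, sizeof *local) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hand one peer off to its own socket: a fresh socket bound to the
 * listener's own address:port and then connect()ed to the peer.  The
 * kernel now prefers this socket for datagrams from that peer, so the
 * listener keeps receiving only datagrams from new peers.  A DTLS server
 * would attach the returned fd to the SSL object at this point (hypothetical
 * caller: BIO_new_dgram + BIO_CTRL_DGRAM_SET_CONNECTED, then SSL_accept). */
int dgram_handoff(int listener, const struct sockaddr_in *peer)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    int fd;
    if (getsockname(listener, (struct sockaddr *)&local, &len) < 0)
        return -1;
    fd = udp_bound(&local);
    if (fd < 0)
        return -1;
    if (connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback demonstration with constructed datagrams.  Returns 0 when the
 * peer's second datagram lands on the handed-off socket and the listener
 * sees nothing, -1 otherwise. */
int run_demo(void)
{
    struct sockaddr_in srv = {0}, peer = {0};
    socklen_t plen = sizeof peer, slen = sizeof srv;
    struct timeval tv = {1, 0};
    char buf[64];
    ssize_t n;
    int listener, client, conn, rc = -1;

    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    srv.sin_port = 0;                      /* ephemeral; learned just below */
    listener = udp_bound(&srv);
    if (listener < 0)
        return -1;
    getsockname(listener, (struct sockaddr *)&srv, &slen);

    /* The "client": any unbound UDP socket talking to the server port. */
    client = socket(AF_INET, SOCK_DGRAM, 0);
    sendto(client, "ClientHello", 11, 0, (struct sockaddr *)&srv, sizeof srv);

    /* The listener sees the first datagram (where DTLSv1_listen would run). */
    setsockopt(listener, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    n = recvfrom(listener, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen);
    if (n < 0)
        goto out;

    conn = dgram_handoff(listener, &peer);
    if (conn < 0)
        goto out;

    /* The second datagram from the same peer must reach the connected socket... */
    sendto(client, "Finished", 8, 0, (struct sockaddr *)&srv, sizeof srv);
    setsockopt(conn, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    n = recv(conn, buf, sizeof buf, 0);
    if (n == 8 && memcmp(buf, "Finished", 8) == 0 &&
        /* ...and the listener must not have seen it. */
        recv(listener, buf, sizeof buf, MSG_DONTWAIT) < 0 && errno == EAGAIN)
        rc = 0;
    close(conn);
out:
    close(client);
    close(listener);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("per-client socket handoff %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

<p>With OpenSSL in the picture the listener's SSL object is used only for DTLSv1_listen; after the handoff a separate SSL object per client takes the connected fd, which is why the listener keeps working for the next peer.</p>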