[openssl-dev] [openssl.org #4119] DTLS resets handshake hash too frequently for ClientHello

Matt Caswell matt at openssl.org
Tue Nov 3 18:55:08 UTC 2015



On 03/11/15 18:28, Viktor Dukhovni wrote:
> On Tue, Nov 03, 2015 at 04:16:37PM +0000, Matt Caswell via RT wrote:
> 
>> One other related point is that fragmenting ClientHellos is probably a
>> bad idea. The whole ClientHello/HelloVerifyRequest mechanism is meant to
>> be implemented without storing state on the server. That isn't possible
>> if you have to deal with fragment reassembly. In the new DTLSv1_listen
>> implementation in master we drop fragmented ClientHellos.
> 
> I assume you mean fragmentation across multiple TLS record layer
> packets, not UDP fragmentation into multiple IP layer fragments...

Yes - multiple DTLS record layer packets.

> 
> Presumably the kernel delivers reassembled UDP datagrams to user-land,
> so OpenSSL's DTLS never sees UDP fragmentation.

Yes.

> 
> I expect that DTLS is allowed to use UDP datagrams that are larger
> than the IP MTU, but if these MUST be fragmented at TLS record
> layer instead, then client HELLO packets can't carry very large
> extensions, and in particular session tickets could run into trouble...

OpenSSL tries to keep DTLS packets within the MTU if possible. I like
David's idea of dropping non-initial ClientHello fragments and only
requiring that the cookie needed for ClientHello/HelloVerifyRequest is
kept within the initial fragment, rather than requiring that the whole
ClientHello fits into a single fragment. I'll take a look at that.

Matt
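The check discussed in this message, as an added example that is not part of the original post and is not OpenSSL's code: a stateless classifier that drops non-initial ClientHello fragments and accepts an initial fragment only if the whole cookie lies inside it. The names `classify_client_hello` and `ch_verdict` and the sample buffers are hypothetical; the DTLS 1.0/1.2 handshake layout is assumed, with the record header already stripped.

```c
#include <stddef.h>
#include <stdint.h>

enum ch_verdict { CH_DROP, CH_NEED_COOKIE, CH_HAS_COOKIE };

static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* buf/len: one DTLS handshake fragment, seen before any per-client state
 * exists. On CH_HAS_COOKIE, *cookie/*cookie_len point at the cookie in buf. */
enum ch_verdict classify_client_hello(const uint8_t *buf, size_t len,
                                      const uint8_t **cookie, size_t *cookie_len)
{
    /* Header: type(1) length(3) message_seq(2) frag_offset(3) frag_length(3) */
    if (len < 12 || buf[0] != 1 /* client_hello */)
        return CH_DROP;
    uint32_t msg_len = be24(buf + 1);
    uint32_t frag_off = be24(buf + 6), frag_len = be24(buf + 9);
    if (frag_off != 0)              /* non-initial fragment: no reassembly */
        return CH_DROP;
    if (frag_len > msg_len || frag_len > len - 12)
        return CH_DROP;             /* inconsistent or truncated fragment */

    const uint8_t *p = buf + 12, *end = p + frag_len;
    if (end - p < 35)               /* version(2) + random(32) + sid length */
        return CH_DROP;
    p += 34;
    size_t sid_len = *p++;
    if (sid_len > 32 || (size_t)(end - p) < sid_len + 1)
        return CH_DROP;
    p += sid_len;
    size_t ck_len = *p++;
    if ((size_t)(end - p) < ck_len) /* cookie spills into a later fragment */
        return CH_DROP;
    if (ck_len == 0)                /* caller answers with HelloVerifyRequest */
        return CH_NEED_COOKIE;
    *cookie = p;
    *cookie_len = ck_len;
    return CH_HAS_COOKIE;
}

/* Constructed samples: a 100-byte ClientHello split at byte 40. */
const uint8_t SAMPLE_INITIAL[52] = { 1, 0,0,100, 0,0, 0,0,0, 0,0,40,
                                     [47] = 4, 0xde, 0xad, 0xbe, 0xef };
const uint8_t SAMPLE_SECOND[72]  = { 1, 0,0,100, 0,0, 0,0,40, 0,0,60 };
```

The caller still has to verify the returned cookie against the peer address before allocating any state.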

