[openssl-dev] DTLS retransmission api
Alfred E. Heggestad
aeh at db.org
Wed Jun 1 10:15:29 UTC 2016
hi,
we are using DTLS from OpenSSL to implement DTLS-SRTP in our
product (Wire.com) .. The code and implementation works really well
and is very robust. We are using OpenSSL version 1.0.2g
since our product is deployed globally on mobile data networks,
we have quite variable latency and packetloss. The patch below
shows my working code, it has an initial retransmit timeout
of 400 ms which is incrementing by 10% for every re-trans.
obviously this patch cannot make it into the official tree.
but I would like to discuss with you guys the option to
add some kind of API for:
- Setting the initial RTO for DTLS (in milliseconds).
- Setting the retransmit policy for DTLS, i.e. should it
double or increment by X for every re-trans.
in addition we have seen the code hit this assert
in production:
/*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever get here */
so I would say it should be safe to remove it.
Best Regards,
Alfred E. Heggestad
Berlin
--
diff -Naur openssl-1.0.2g/ssl/d1_lib.c openssl/ssl/d1_lib.c
--- openssl-1.0.2g/ssl/d1_lib.c 2016-03-01 14:35:53.000000000 +0100
+++ openssl/ssl/d1_lib.c 2016-06-01 10:45:27.000000000 +0200
@@ -359,6 +359,8 @@
void dtls1_start_timer(SSL *s)
{
+ struct timeval diff;
+
#ifndef OPENSSL_NO_SCTP
/* Disable timer for SCTP */
if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
@@ -369,14 +371,17 @@
/* If timer is not set, initialize duration with 1 second */
if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
- s->d1->timeout_duration = 1;
+ s->d1->timeout_duration = 0.400;
}
/* Set timeout to current time */
get_current_time(&(s->d1->next_timeout));
/* Add duration to current time */
- s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
+ diff.tv_sec = 0;
+ diff.tv_usec = 1000000*s->d1->timeout_duration;
+ timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout);
+
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
&(s->d1->next_timeout));
}
@@ -441,7 +446,7 @@
void dtls1_double_timeout(SSL *s)
{
- s->d1->timeout_duration *= 2;
+ s->d1->timeout_duration *= 1.10;
if (s->d1->timeout_duration > 60)
s->d1->timeout_duration = 60;
dtls1_start_timer(s);
diff -Naur openssl-1.0.2g/ssl/d1_pkt.c openssl/ssl/d1_pkt.c
--- openssl-1.0.2g/ssl/d1_pkt.c 2016-03-01 14:35:53.000000000 +0100
+++ openssl/ssl/d1_pkt.c 2016-03-08 14:39:44.000000000 +0100
@@ -1502,7 +1502,7 @@
* will happen with non blocking IO
*/
if (s->s3->wbuf.left != 0) {
- OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
+ /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever get here */
return (ssl3_write_pending(s, type, buf, len));
}
diff -Naur openssl-1.0.2g/ssl/dtls1.h openssl/ssl/dtls1.h
--- openssl-1.0.2g/ssl/dtls1.h 2016-03-01 14:35:53.000000000 +0100
+++ openssl/ssl/dtls1.h 2016-03-08 14:39:44.000000000 +0100
@@ -225,8 +225,8 @@
* Indicates when the last handshake msg or heartbeat sent will timeout
*/
struct timeval next_timeout;
- /* Timeout duration */
- unsigned short timeout_duration;
+ /* Timeout duration in Seconds */
+ double timeout_duration;
/*
* storage for Alert/Handshake protocol data received but not yet
* processed by ssl3_read_bytes:
More information about the openssl-dev
mailing list