[openssl-dev] DTLS retransmission api
Alfred E. Heggestad
aeh at db.org
Thu Jun 2 13:33:53 UTC 2016
On 01/06/16 13:58, Matt Caswell wrote:
>
>
> On 01/06/16 11:15, Alfred E. Heggestad wrote:
>> hi,
>>
>> we are using DTLS from OpenSSL to implement DTLS-SRTP in our
>> product (Wire.com) .. The code and implementation works really well
>> and is very robust. We are using OpenSSL version 1.0.2g
>>
>>
>> since our product is deployed globally on mobile data networks,
>> we have quite variable latency and packet loss. The patch below
>> shows my working code, it has an initial retransmit timeout
>> of 400 ms which is incrementing by 10% for every re-trans.
>>
>>
>> obviously this patch cannot make it into the official tree.
>>
>>
>> but I would like to discuss with you guys the option to
>> add some kind of API for:
>>
>> - Setting the initial RTO for DTLS (in milliseconds).
>> - Setting the retransmit policy for DTLS, i.e. should it
>> double or increment by X for every re-trans.
>
> I think an API for that would be a great idea. Perhaps a callback could
> be used so that you can set exactly the policy you want?
>
Thank you, Matt.

I can work on a patch for this, if you guys can help me to define
the API.

I think we only need one CTRL API to set the next re-transmit
interval. Then the application code that calls these:

- DTLSv1_handle_timeout
- DTLSv1_get_timeout

can also call DTLS_set_retrans_interval(400)
>>
>>
>> in addition we have seen the code hit this assert
>> in production:
>>
>>
>> /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever get here */
>>
>>
>> so I would say it should be safe to remove it.
>
> Hmmmmm....the question is why does it get there? It shouldn't.
>
I can try to reproduce this. We have seen that this assert was
executed when the code was under quite heavy load and lots of traffic.

/alfred
>
> Matt
>
>
>>
>>
>>
>>
>> Best Regards,
>>
>> Alfred E. Heggestad
>> Berlin
>>
>>
>>
>> --
>>
>> diff -Naur openssl-1.0.2g/ssl/d1_lib.c openssl/ssl/d1_lib.c
>> --- openssl-1.0.2g/ssl/d1_lib.c 2016-03-01 14:35:53.000000000 +0100
>> +++ openssl/ssl/d1_lib.c 2016-06-01 10:45:27.000000000 +0200
>> @@ -359,6 +359,8 @@
>>
>> void dtls1_start_timer(SSL *s)
>> {
>> + struct timeval diff;
>> +
>> #ifndef OPENSSL_NO_SCTP
>> /* Disable timer for SCTP */
>> if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
>> @@ -369,14 +371,17 @@
>>
>> /* If timer is not set, initialize duration with 1 second */
>> if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec
>> == 0) {
>> - s->d1->timeout_duration = 1;
>> + s->d1->timeout_duration = 0.400;
>> }
>>
>> /* Set timeout to current time */
>> get_current_time(&(s->d1->next_timeout));
>>
>> /* Add duration to current time */
>> - s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
>> + diff.tv_sec = 0;
>> + diff.tv_usec = 1000000*s->d1->timeout_duration;
>> + timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout);
>> +
>> BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
>> &(s->d1->next_timeout));
>> }
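Review bot: In dtls1_start_timer, diff.tv_sec is fixed at 0 and the whole duration is written to diff.tv_usec, so once timeout_duration grows past 1.0 (it is scaled on every retransmit and capped at 60 in dtls1_double_timeout) tv_usec carries more than a full second into timeradd. Split the value instead: whole seconds into diff.tv_sec and only the fractional remainder, times 1000000, into diff.tv_usec, so next_timeout is always a normalized timeval. The context comment "initialize duration with 1 second" is also stale now that the initial value is 0.400.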
>> @@ -441,7 +446,7 @@
>>
>> void dtls1_double_timeout(SSL *s)
>> {
>> - s->d1->timeout_duration *= 2;
>> + s->d1->timeout_duration *= 1.10;
>> if (s->d1->timeout_duration > 60)
>> s->d1->timeout_duration = 60;
>> dtls1_start_timer(s);
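Review bot: dtls1_double_timeout no longer doubles once the factor is 1.10, so the function name becomes misleading and the policy is still a compile-time constant. Keep "*= 2" as the default and read the growth step from a per-connection setting or callback, which is what the thread is asking for; if the factor stays a literal, give it a named constant next to the 60 second cap.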
>> diff -Naur openssl-1.0.2g/ssl/d1_pkt.c openssl/ssl/d1_pkt.c
>> --- openssl-1.0.2g/ssl/d1_pkt.c 2016-03-01 14:35:53.000000000 +0100
>> +++ openssl/ssl/d1_pkt.c 2016-03-08 14:39:44.000000000 +0100
>> @@ -1502,7 +1502,7 @@
>> * will happen with non blocking IO
>> */
>> if (s->s3->wbuf.left != 0) {
>> - OPENSSL_assert(0); /* XDTLS: want to see if we ever get
>> here */
>> + /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever
>> get here */
>> return (ssl3_write_pending(s, type, buf, len));
>> }
>>
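Review bot: Commenting out OPENSSL_assert(0) in the "s->s3->wbuf.left != 0" branch leaves dead code in place and removes the only signal that this path is taken, without recording why it is taken. Either delete the line and state in the comment that ssl3_write_pending is the intended handling for pending write data here, or replace the assert with a non-fatal error or trace so the condition stays visible while the cause is investigated.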
>> diff -Naur openssl-1.0.2g/ssl/dtls1.h openssl/ssl/dtls1.h
>> --- openssl-1.0.2g/ssl/dtls1.h 2016-03-01 14:35:53.000000000 +0100
>> +++ openssl/ssl/dtls1.h 2016-03-08 14:39:44.000000000 +0100
>> @@ -225,8 +225,8 @@
>> * Indicates when the last handshake msg or heartbeat sent will
>> timeout
>> */
>> struct timeval next_timeout;
>> - /* Timeout duration */
>> - unsigned short timeout_duration;
>> + /* Timeout duration in Seconds */
>> + double timeout_duration;
>> /*
>> * storage for Alert/Handshake protocol data received but not yet
>> * processed by ssl3_read_bytes:
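Review bot: Changing timeout_duration from unsigned short to double puts floating point into the DTLS state struct only to express sub-second values. An unsigned integer count of milliseconds or microseconds gives exact arithmetic and converts directly to struct timeval; whichever type is chosen, every other use of this field that still assumes whole seconds has to change in the same patch. The new comment should read "seconds", not "Seconds".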
>>
>>
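The retransmit policy discussed in this thread, written as a callback over integer microseconds. This is an added example, not code from the mail or from OpenSSL; rto_policy_cb, rto_grow_10pct, rto_double, rto_deadline and rto_after are hypothetical names, and the 400 ms, 10%, 1 s, doubling and 60 s values are taken from the mail and the patch context.

```c
#include <stdint.h>
#include <sys/time.h>

/* Hypothetical callback type: given the previous timeout in microseconds
 * (0 before the first flight is sent), return the next timeout. */
typedef uint64_t (*rto_policy_cb)(uint64_t prev_us);

#define RTO_INITIAL_US 400000ULL    /* 400 ms initial RTO from the mail */
#define RTO_MAX_US     60000000ULL  /* 60 s cap from dtls1_double_timeout */

/* Policy proposed in the mail: start at 400 ms, grow by 10% per retransmit. */
uint64_t rto_grow_10pct(uint64_t prev_us)
{
    uint64_t next = prev_us == 0 ? RTO_INITIAL_US : prev_us + prev_us / 10;
    return next > RTO_MAX_US ? RTO_MAX_US : next;
}

/* Unpatched behaviour visible in the diff context: 1 s, doubled each time. */
uint64_t rto_double(uint64_t prev_us)
{
    uint64_t next = prev_us == 0 ? 1000000ULL : prev_us * 2;
    return next > RTO_MAX_US ? RTO_MAX_US : next;
}

/* Deadline = now + timeout. Seconds and microseconds are split so that
 * tv_usec stays in [0, 999999] even for timeouts longer than one second. */
struct timeval rto_deadline(struct timeval now, uint64_t timeout_us)
{
    struct timeval out;
    uint64_t usec = (uint64_t)now.tv_usec + timeout_us % 1000000ULL;

    out.tv_sec = now.tv_sec + (time_t)(timeout_us / 1000000ULL)
                 + (time_t)(usec / 1000000ULL);
    out.tv_usec = (suseconds_t)(usec % 1000000ULL);
    return out;
}

/* Timeout in effect after a given number of retransmissions. */
uint64_t rto_after(rto_policy_cb policy, unsigned retransmits)
{
    uint64_t t = policy(0);

    while (retransmits-- > 0)
        t = policy(t);
    return t;
}
```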