[openssl-dev] Calculating DTLS payload MTU
David Woodhouse
dwmw2 at infradead.org
Wed Oct 5 21:28:53 UTC 2016
On Wed, 2016-10-05 at 21:31 +0100, Matt Caswell wrote:
>
>
> On 05/10/16 15:37, David Woodhouse wrote:
> > DTLS_set_link_mtu(vpninfo->dtls_ssl, mtu);
> >
> > /* We already set the link MTU, but hopefully by the time we
> > * finish it, this function will be better at working out the
> > * actual tunnel MTU than OpenSSL is. So do that too... */
> > SSL_set_mtu(vpninfo->dtls_ssl, tun_mtu);
>
> This is pointless. The link mtu setting will take precedence.
Hm, thanks. It's also wrong. There are *three* MTU values, and I had
conflated them.
Firstly there is the link MTU (d1->link_mtu, e.g. 1500).
Secondly there is the DTLS record MTU without the IP/UDP overhead
(d1->mtu, e.g. 1472).
Finally there's the one I need to find, the data payload MTU
(with AES128-GCM e.g. 1434).
The code you saw was using DTLS_set_link_mtu(1472) where it should be
using SSL_set_mtu(1472).
I shouldn't be calling DTLS_set_link_mtu() at all.
--
dwmw2