[openssl-users] DTLS and packet loss
Alfred E. Heggestad
aeh at db.org
Mon Jun 1 11:52:47 UTC 2015
On 01/06/15 11:39, Matt Caswell wrote:
>
>
> On 01/06/15 10:08, Alfred E. Heggestad wrote:
>> Hi,
>>
>> we are using OpenSSL to deploy DTLS-SRTP, Ref:
>>
>> http://www.creytiv.com/doxygen/re-dox/html/tls__udp_8c.html
>>
>>
>> it works really well, thanks for the good code.
>> one scenario that does not work so well, is when DTLS
>> is running in an environment with packet loss.
>> for example, we get this error message:
>>
>> 140735307322128:error:1411B09F:SSL
>> routines:ssl3_get_new_session_ticket:length mismatch:s3_clnt.c:2183:
>>
>>
>> any hints of where I should start looking ?
>
> Can you confirm which version of OpenSSL you are running?
>
Hey Matt,
openssl version 1.0.2a on both sides (Client and Server)
> Are you also running OpenSSL on the server side (and if so which version
> there)?
>
> The error message suggests that the NewSessionTicket message that has
> been received by the client is incorrectly formatted.
>
> A packet capture for a problem handshake might help diagnose the problem
> further.
>
please see the attached PCAP file, in this case Packet #4 is dropped internally
in the software (to simulate Packet-loss).
that test-code has the following option set, to avoid fragmentation:
SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
DTLS_set_link_mtu(tc->ssl, 1480);
please note that dropping Packet #1, #2 and #3 works as expected.
but dropping the final packet (packet #4) does not work.
/alfred
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl_dtls_packet4_lost.pcap
Type: application/octet-stream
Size: 4636 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150601/39dcf8b7/attachment.obj>
More information about the openssl-users
mailing list