[openssl-users] DTLS and packet loss

Alfred E. Heggestad aeh at db.org
Mon Jun 1 11:52:47 UTC 2015

On 01/06/15 11:39, Matt Caswell wrote:
> On 01/06/15 10:08, Alfred E. Heggestad wrote:
>> Hi,
>> we are using OpenSSL to deploy DTLS-SRTP, Ref:
>> http://www.creytiv.com/doxygen/re-dox/html/tls__udp_8c.html
>> it works really well, thanks for the good code.
>> one scenario that does not work so well, is when DTLS
>> is running in an environment with packet loss.
>> for example, we get this error message:
>> 140735307322128:error:1411B09F:SSL routines:ssl3_get_new_session_ticket:length mismatch:s3_clnt.c:2183:
>> any hints of where I should start looking?
> Can you confirm which version of OpenSSL you are running?

Hey Matt,

openssl version 1.0.2a on both sides (Client and Server)

> Are you also running OpenSSL on the server side (and if so which version
> there)?
> The error message suggests that the NewSessionTicket message that has
> been received by the client is incorrectly formatted.
> A packet capture for a problem handshake might help diagnose the problem
> further.

please see the attached PCAP file; in this case packet #4 is dropped internally
in the software (to simulate packet loss).

that test-code has the following option set, to avoid fragmentation:

	SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
	DTLS_set_link_mtu(tc->ssl, 1480);

please note that dropping Packet #1, #2 and #3 works as expected.
but dropping the final packet (packet #4) does not work.


> Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl_dtls_packet4_lost.pcap
Type: application/octet-stream
Size: 4636 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150601/39dcf8b7/attachment.obj>
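
A diagnostic aid for captures like the one attached above, added here as an example and not part of the original message or of OpenSSL: a C parser for the DTLS record and handshake headers (layout per RFC 6347) that lists each cleartext handshake fragment's type, message_seq, total length, fragment offset and fragment length. The struct, the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

struct dtls_hs {            /* one handshake fragment header (RFC 6347, 4.2.2) */
    uint8_t  msg_type;      /* 4 = NewSessionTicket */
    uint16_t msg_seq;
    uint32_t length, frag_off, frag_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be24(const uint8_t *p) { return (uint32_t)p[0] << 16 | be16(p + 1); }

/* Walk the records in one UDP payload and collect up to max cleartext
 * (epoch 0) handshake fragments. Returns the count, or -1 when a header or
 * a declared length does not fit the bytes actually present. */
int dtls_parse_datagram(const uint8_t *buf, size_t len, struct dtls_hs *out, int max)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 13) return -1;            /* 13-byte record header */
        const uint8_t *rec = buf + off;
        size_t rlen = be16(rec + 11);
        if (rlen > len - off - 13) return -1;
        const uint8_t *p = rec + 13, *end = p + rlen;
        off += 13 + rlen;
        if (rec[0] != 22 || be16(rec + 3) != 0)   /* handshake type, epoch 0 only */
            continue;
        while (p < end) {                         /* messages may share a record */
            if (end - p < 12) return -1;          /* 12-byte handshake header */
            struct dtls_hs h = { p[0], be16(p + 4), be24(p + 1), be24(p + 6), be24(p + 9) };
            if (h.frag_len > (size_t)(end - p) - 12) return -1;
            if ((uint64_t)h.frag_off + h.frag_len > h.length) return -1;
            if (n < max) out[n++] = h;
            p += 12 + h.frag_len;
        }
    }
    return n;
}

/* Constructed sample: one record holding a NewSessionTicket header that
 * declares length 10 but carries only a 4-byte fragment at offset 0. */
static const uint8_t sample_fragmented[] = {
    22, 0xfe, 0xfd, 0, 0, 0, 0, 0, 0, 0, 5, 0, 16,   /* record, length 16 */
    4, 0, 0, 10, 0, 3, 0, 0, 0, 0, 0, 4,             /* handshake header */
    0, 0, 0, 0 };                                    /* fragment bytes */
```

Feeding it each UDP payload from a capture shows, per datagram, which handshake messages arrived whole (frag_off 0 and frag_len equal to length) and which arrived as fragments.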
