[openssl-users] DTLS and packet loss

Matt Caswell matt at openssl.org
Mon Jun 1 14:29:48 UTC 2015

On 01/06/15 12:52, Alfred E. Heggestad wrote:
> Hey Matt,
> openssl version 1.0.2a on both sides (Client and Server)
>> Are you also running OpenSSL on the server side (and if so which version
>> there)?
>> The error message suggests that the NewSessionTicket message that has
>> been received by the client is incorrectly formatted.
>> A packet capture for a problem handshake might help diagnose the problem
>> further.
> please see the attached PCAP file, in this case Packet #4 is dropped
> internally
> in the software (to simulate Packet-loss).
> that test-code has the following option set, to avoid fragmentation:
>     SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
>     DTLS_set_link_mtu(tc->ssl, 1480);
> please note that dropping Packet #1, #2 and #3 works as expected.
> but dropping the final packet (packet #4) does not work.

Thanks - I've figured it out. This is a manifestation of a known issue
with retransmits in 1.0.2a. It will be fixed in 1.0.2b. I have attached
a patch for 1.0.2a which should solve your problems for now.

The relevant 1.0.2 commits that fix this are here:

and here:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dtls-1.0.2a-retransmits.patch
Type: text/x-patch
Size: 3593 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150601/cab00d80/attachment-0001.bin>

More information about the openssl-users mailing list