[openssl-users] DTLS fragmentation and mem BIO

Matt Caswell matt at openssl.org
Fri Jun 5 10:30:30 UTC 2015

On 05/06/15 10:20, Lorenzo Miniero wrote:
> Just one quick question about this: are messages/packets passed to the
> BIO actually split, and then just queued by the mem BIO in the
> buffer, or can there be cases where a larger than normal buffer is
> passed to the BIO anyway, meaning a manual splitting could be needed
> nevertheless from time to time?

No, there should be no need for the BIO to do any splitting. Everything
that gets written to the BIO should be a datagram.

One issue that does spring to mind is that in your filter BIO you may
want to implement some of the dgram ctrls that DTLS uses. This depends
on how you want to manage setting your MTU.

Do you set an MTU size explicitly using SSL_set_mtu(ssl, mtu) or
DTLS_set_link_mtu(ssl, mtu)? Also, do you set the option
SSL_OP_NO_QUERY_MTU? If you use the option then you should set an MTU
size explicitly.

If you don't set the SSL_OP_NO_QUERY_MTU option then the DTLS code will
attempt to query the underlying BIO for information about the MTU size.
That would mean you would have to implement the following additional ctrls:
- BIO_CTRL_DGRAM_GET_FALLBACK_MTU - returns a "default" MTU size if
  querying fails for some reason
- BIO_CTRL_DGRAM_QUERY_MTU - queries the transport for the MTU size to be used
- BIO_CTRL_DGRAM_SET_MTU - sets the MTU size on the underlying transport
- BIO_CTRL_DGRAM_MTU_EXCEEDED - returns true if the datagram we just tried
  to send failed because we exceeded the max MTU size
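
The four ctrls listed in the message above, written as the body of a filter BIO's ctrl callback. This is an added example, not part of the original message and not OpenSSL's own code. The `struct filter_mtu` state, the function names, the 0 return for a failed query and the -2 return for unhandled commands are assumptions of the example.

```c
#include <stddef.h>

/* Values as defined in <openssl/bio.h>; include that header in a real build. */
#ifndef BIO_CTRL_DGRAM_QUERY_MTU
# define BIO_CTRL_DGRAM_QUERY_MTU        40
# define BIO_CTRL_DGRAM_SET_MTU          42
# define BIO_CTRL_DGRAM_MTU_EXCEEDED     43
# define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47
#endif

/* Hypothetical per-BIO state; a real filter would hang this off the BIO. */
struct filter_mtu {
    long path_mtu;      /* what the application knows about the link; 0 = unknown */
    long fallback_mtu;  /* conservative default handed out when the query fails */
    long mtu;           /* value DTLS last pushed down with SET_MTU */
    int  exceeded;      /* set when the last write was refused as too large */
};

/* Handles the dgram ctrls DTLS issues when SSL_OP_NO_QUERY_MTU is not set.
 * Returns -2 (example convention) so the caller can forward other commands. */
long filter_dgram_ctrl(struct filter_mtu *st, int cmd, long num)
{
    long ret;
    switch (cmd) {
    case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
        return st->fallback_mtu;
    case BIO_CTRL_DGRAM_QUERY_MTU:
        return st->path_mtu > 0 ? st->path_mtu : 0;  /* 0: query failed */
    case BIO_CTRL_DGRAM_SET_MTU:
        st->mtu = num;
        return num;
    case BIO_CTRL_DGRAM_MTU_EXCEEDED:
        ret = st->exceeded;
        st->exceeded = 0;                            /* report each failure once */
        return ret;
    default:
        return -2;
    }
}

/* Write-side check: each write is one datagram and is never split here.
 * A datagram above the MTU is refused and remembered for MTU_EXCEEDED. */
int filter_dgram_write(struct filter_mtu *st, size_t len)
{
    st->exceeded = (st->mtu > 0 && len > (size_t)st->mtu);
    return st->exceeded ? -1 : (int)len;
}
```

In the filter's ctrl callback, call `filter_dgram_ctrl` first and pass any command that returns -2 on to the next BIO in the chain.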

