[openssl-users] [PATCH] dtls: reduce initial timeout value to 500ms

Fri May 6 13:41:34 UTC 2016

Hi,


we are using OpenSSL in our product, mainly the DTLS-SRTP part to
exchange keys for SRTP using DTLS. Our network environment is rather
hostile, with highly variable bandwidth, some packet loss and some
connections with slightly high RTT.


the current DTLS stack in OpenSSL (v1.0.2) starts with a timeout
value of 1 second, which is doubled for every retransmit. For us this
is too high. I would like to reduce the initial value to around 500ms,
and preferably make it run-time configurable.



the patch below is a working patch, attached for the purpose of
discussion.




 From 70a72c5102bab63373169615d3b26ded8399f227 Mon Sep 17 00:00:00 2001
From: "Alfred E. Heggestad" <alfred.heggestad at wire.com>
Date: Fri, 6 May 2016 15:31:20 +0200
Subject: [PATCH] dtls: reduce initial timeout from 1.0 to 0.5 seconds

---
  ssl/d1_lib.c | 9 +++++++--
  ssl/d1_pkt.c | 2 +-
  ssl/dtls1.h  | 4 ++--
  3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index ee78921..027d893 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -359,6 +359,8 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u)

  void dtls1_start_timer(SSL *s)
  {
+    struct timeval diff;
+
  #ifndef OPENSSL_NO_SCTP
      /* Disable timer for SCTP */
      if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
@@ -369,14 +371,17 @@ void dtls1_start_timer(SSL *s)

      /* If timer is not set, initialize duration with 1 second */
      if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
-        s->d1->timeout_duration = 1;
+        s->d1->timeout_duration = 0.5;
      }

      /* Set timeout to current time */
      get_current_time(&(s->d1->next_timeout));

      /* Add duration to current time */
-    s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
+    diff.tv_sec  = 0;
+    diff.tv_usec = 1000000*s->d1->timeout_duration;
+    timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout);
+
      BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
               &(s->d1->next_timeout));
  }
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index fe30ec7..3330fd6 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1502,7 +1502,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
       * will happen with non blocking IO
       */
      if (s->s3->wbuf.left != 0) {
-        OPENSSL_assert(0);      /* XDTLS: want to see if we ever get here */
+        /*OPENSSL_assert(0);*/      /* XDTLS: want to see if we ever get here */
          return (ssl3_write_pending(s, type, buf, len));
      }

diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 30bbcf2..077fee5 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -225,8 +225,8 @@ typedef struct dtls1_state_st {
       * Indicates when the last handshake msg or heartbeat sent will timeout
       */
      struct timeval next_timeout;
-    /* Timeout duration */
-    unsigned short timeout_duration;
+    /* Timeout duration in Seconds */
+    double timeout_duration;
      /*
       * storage for Alert/Handshake protocol data received but not yet
       * processed by ssl3_read_bytes:
-- 
1.9.3 (Apple Git-50)

