[openssl-users] Query regarding DTLS handshake

mahesh gs mahesh116 at gmail.com
Thu Apr 20 11:26:01 UTC 2017

Hi Matt,

Yes, I raised a GitHub case for the same issue. I also tried running this call
flow with the latest SNAPSHOT code (openssl-SNAP-20170419), and the handshake is
successful with the latest SNAPSHOT code, which is not an official release.

I checked the GitHub repo history and observed that during the commits on 11th
Jan, as part of "Move state machine knowledge out of the record
layer", the "renegotiate" bit that is set to "2" in the function
"tls_post_process_client_hello" has been removed. Maybe that is causing
the call flow to be successful in the latest SNAPSHOT release.

I am assuming the commits done on 11th Jan or later are not part of
release openssl 01.01.00e.

Mahesh G S

On Wed, Apr 19, 2017 at 6:56 PM, Matt Caswell <matt at openssl.org> wrote:

> For those following this discussion Mahesh has created a github issue
> with much more detail (at least I am assuming this is the same issue):
> https://github.com/openssl/openssl/issues/3251
> Matt
> On 18/04/17 21:17, Michael Tuexen wrote:
> >> On 13. Apr 2017, at 11:11, mahesh gs <mahesh116 at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> We are running SCTP connections with DTLS enabled in our application.
> We have adapted openssl version (openssl-1.1.0e) to achieve the same.
> >>
> >> We have generated the self signed root and node certificates for
> testing. We have a strange problem with an incomplete DTLS handshake if we
> run the DTLS client and DTLS server in different systems. If we run the DTLS
> client and server in the same system, the handshake is successful; the handshake is not
> successful if we run the client and server in different VMs.
> >>
> >> This strange problem happens only for SCTP/DTLS connection. With the
> same set of certificates TCP/TLS connection is successful and we are able
> to exchange the application data.
> >>
> >> I am attaching the code bits for SSL_accept and SSL_connect and also
> the wireshark trace of unsuccessful handshake. Please assist me to debug
> this problem.
> >>
> >> SSL_accept returns SSL_ERROR_WANT_READ(2) infinite times, but
> SSL_connect is called 4 or 5 times and the select system call times out.
> > Which OS are you using? With a test program I could reproduce
> SSL_accept() returning SSL_ERROR_WANT_READ under FreeBSD,
> > but not under Linux. Haven't figured out what the problem is. So if you
> are using FreeBSD we might experience the same problem...
> >
> > Best regards
> > Michael
> >>
> >> Thanks,
> >> Mahesh G S
> >>
> >>
> >> <testcode.txt><proxy.cap>--
> >> openssl-users mailing list
> >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >