[openssl-users] DTLS Handshake fails with DTLSv1_listen

Vijayakumar Kaliaperumal vkaliape at gmail.com
Thu Feb 23 18:02:16 UTC 2017


While writing a DTLS server using DTLSv1_listen(), I found that when
I receive a fragmented ClientHello from the client, the DTLS handshake fails.
DTLSv1_listen gets stuck in the while loop (in the app).
When I checked the man page of DTLSv1_listen(), it clearly says that the API
does not handle a fragmented ClientHello, as it operates entirely
statelessly (a safeguard against DoS attacks?).

However, the DTLS RFC clearly states that an implementation must handle fragmented
handshake messages:

RFC 4347 Datagram Transport Layer Security:
“When a DTLS implementation receives a handshake message fragment, it MUST
buffer it until it has the entire handshake message.”

Is avoiding the fragmented ClientHello the only way out for this problem,
or do any other alternatives exist?
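The buffering that the quoted RFC sentence requires is exactly the per-peer state that a stateless DTLSv1_listen() cannot keep: it sees one datagram at a time, so a ClientHello split across several records cannot be recognised as one message. The following added example (not OpenSSL's code and not from the poster) shows what that reassembly involves. It parses the 12-byte DTLS handshake header (msg_type, 3-byte length, 2-byte message_seq, 3-byte fragment_offset, 3-byte fragment_length, as laid out in RFC 4347 section 4.2.2), copies each fragment into a buffer at its offset, tolerates out-of-order and duplicated fragments, and rejects fragments whose header does not fit the message. The 300-byte "ClientHello" and the fragment layout are constructed test data; the names reasm_add and demo_* are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DTLS_HS_HDR_LEN 12        /* DTLS handshake header, RFC 4347 4.2.2 */
#define DTLS_HS_CLIENT_HELLO 1
#define MAX_HS_MSG 16384          /* cap so a bogus length field cannot drive allocation */

typedef struct {
    uint8_t  msg_type;
    uint16_t message_seq;
    uint32_t length;      /* total handshake message length from the header */
    uint8_t *body;        /* reassembly buffer of `length` bytes */
    uint8_t *covered;     /* one flag per body byte, set once that byte arrived */
    uint32_t remaining;   /* body bytes still missing */
} dtls_hs_reasm;

static uint32_t rd24(const uint8_t *p) { return (p[0] << 16) | (p[1] << 8) | p[2]; }

void reasm_init(dtls_hs_reasm *r) { memset(r, 0, sizeof *r); }
void reasm_free(dtls_hs_reasm *r) { free(r->body); free(r->covered); memset(r, 0, sizeof *r); }

/* Feed one handshake fragment (header + payload). Returns 1 once the whole message
   is assembled, 0 if more fragments are needed, -1 if the fragment is malformed
   or belongs to a different message than the one being assembled. */
int reasm_add(dtls_hs_reasm *r, const uint8_t *pkt, size_t len) {
    if (len < DTLS_HS_HDR_LEN) return -1;
    uint8_t  msg_type = pkt[0];
    uint32_t length   = rd24(pkt + 1);
    uint16_t seq      = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint32_t off      = rd24(pkt + 6);
    uint32_t flen     = rd24(pkt + 9);
    if (length > MAX_HS_MSG) return -1;
    if (flen != len - DTLS_HS_HDR_LEN) return -1;        /* payload must match header */
    if (off > length || flen > length - off) return -1;  /* fragment must fit the message */
    if (r->body == NULL) {                               /* first fragment: allocate */
        r->msg_type = msg_type; r->message_seq = seq; r->length = length;
        r->body = calloc(length ? length : 1, 1);
        r->covered = calloc(length ? length : 1, 1);
        if (!r->body || !r->covered) { reasm_free(r); return -1; }
        r->remaining = length;
    } else if (msg_type != r->msg_type || seq != r->message_seq || length != r->length) {
        return -1;                                       /* not a piece of this message */
    }
    for (uint32_t i = 0; i < flen; i++) {
        if (!r->covered[off + i]) { r->covered[off + i] = 1; r->remaining--; }
        r->body[off + i] = pkt[DTLS_HS_HDR_LEN + i];     /* duplicates simply overwrite */
    }
    return r->remaining == 0 ? 1 : 0;
}

/* Build one fragment of `msg` (constructed test helper, not a wire encoder). */
static size_t make_fragment(uint8_t *out, const uint8_t *msg, uint32_t total,
                            uint16_t seq, uint32_t off, uint32_t flen) {
    out[0] = DTLS_HS_CLIENT_HELLO;
    out[1] = (uint8_t)(total >> 16); out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[4] = (uint8_t)(seq >> 8);    out[5] = (uint8_t)seq;
    out[6] = (uint8_t)(off >> 16);   out[7] = (uint8_t)(off >> 8);   out[8] = (uint8_t)off;
    out[9] = (uint8_t)(flen >> 16);  out[10] = (uint8_t)(flen >> 8); out[11] = (uint8_t)flen;
    memcpy(out + DTLS_HS_HDR_LEN, msg + off, flen);
    return DTLS_HS_HDR_LEN + flen;
}

/* Constructed scenario: a 300-byte pseudo ClientHello in three 100-byte fragments,
   delivered out of order with one fragment repeated. Returns 1 on correct reassembly. */
int demo_fragmented_client_hello(void) {
    uint8_t msg[300], frag[DTLS_HS_HDR_LEN + 100];
    for (int i = 0; i < 300; i++) msg[i] = (uint8_t)(i * 7);
    uint32_t offs[] = {100, 200, 100, 0};   /* out of order, offset 100 twice */
    dtls_hs_reasm r; reasm_init(&r);
    int rc = 0;
    for (int i = 0; i < 4; i++) {
        size_t n = make_fragment(frag, msg, 300, 0, offs[i], 100);
        rc = reasm_add(&r, frag, n);
        if (rc < 0 || (i < 3 && rc == 1)) { reasm_free(&r); return 0; }  /* no early finish */
    }
    int ok = (rc == 1) && memcmp(r.body, msg, 300) == 0;
    reasm_free(&r);
    return ok;
}

/* A header whose offset+fragment_length overruns the declared message is rejected. */
int demo_rejects_bad_fragment(void) {
    uint8_t msg[10] = {0}, frag[DTLS_HS_HDR_LEN + 10];
    make_fragment(frag, msg, 10, 0, 0, 10);
    frag[8] = 5;   /* fragment_offset = 5 while fragment_length stays 10 */
    dtls_hs_reasm r; reasm_init(&r);
    int rc = reasm_add(&r, frag, sizeof frag);
    reasm_free(&r);
    return rc == -1;
}

int main(void) {
    printf("reassembly ok: %d, bad fragment rejected: %d\n",
           demo_fragmented_client_hello(), demo_rejects_bad_fragment());
    return 0;
}
```

Note the cost that the stateless listen avoids: the buffer and coverage map are allocated on the first fragment, before any cookie has proven the peer's address, so a server that did this for every unverified ClientHello would hold memory per spoofable source. That is the trade-off the man page is describing when it says DTLSv1_listen operates statelessly.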
