[openssl-users] DTLS for SCTP connections

mahesh gs mahesh116 at gmail.com
Fri Feb 24 09:31:36 UTC 2017


Hi,

I did some more searching regarding this problem and found that it's a defect
in kernel SCTP. The OS was built with Linux kernel version 2.6, which is quite
old.

Defect Link : https://sourceforge.net/p/lksctp/mailman/message/27729264/

I upgraded to RHEL 7.1 and the problem was resolved.

Thanks for your support.

On Thu, Feb 23, 2017 at 10:43 AM, mahesh gs <mahesh116 at gmail.com> wrote:

> Hi Michael,
>
> I am using "Red Hat Enterprise Linux Server release 6.4 (Santiago)" and
> openssl version is 1.1.0.
>
> SCTP version :
>
> [root at localhost DIAMETER]# rpm -qa | grep -i "sctp"
> lksctp-tools-1.0.10-5.el6.x86_64
> [root at localhost DIAMETER]# rpm -qi lksctp-tools-1.0.10-5.el6.x86_64
> Name        : lksctp-tools                 Relocations: (not relocatable)
> Version     : 1.0.10                            Vendor: Red Hat, Inc.
> Release     : 5.el6                         Build Date: Mon 22 Feb 2010 12:24:33 PM CET
> Install Date: Wed 08 Feb 2017 10:08:12 AM CET      Build Host: hs20-bc1-2.build.redhat.com
> Group       : System Environment/Libraries   Source RPM: lksctp-tools-1.0.10-5.el6.src.rpm
> Size        : 203688                           License: GPLv2 and GPLv2+ and LGPLv2 and BSD
> Signature   : RSA/8, Mon 16 Aug 2010 08:17:01 PM CEST, Key ID 199e2f91fd431d51
> Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> URL         : http://lksctp.sourceforge.net
> Summary     : User-space access to Linux Kernel SCTP
> Description :
> This is the lksctp-tools package for Linux Kernel SCTP (Stream Control
> Transmission Protocol) Reference Implementation.
>
>
>
> Thanks,
> Mahesh G S
>
> On Wed, Feb 22, 2017 at 8:33 PM, Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>
>> > On 22 Feb 2017, at 07:47, mahesh gs <mahesh116 at gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > Thank you for sharing the sample code.
>> >
>> > I tried running the SCTP DTLS echo server and client. I am facing a strange
>> > problem: "ssl_connect" hangs on the client side, and even "ssl_accept" hangs
>> > on the server side.
>> >
>> > Client side back trace
>> >
>> > (gdb) bt
>> > #0  0x0000003db4c0ea10 in __recvmsg_nocancel () from /lib64/libpthread.so.0
>> > #1  0x00007ffff7a64dc5 in dgram_sctp_read (b=0x6223f0, out=0x629073 "\026\376\377", outl=17741) at bss_dgram.c:1178
>> > #2  0x00007ffff7a597a9 in BIO_read (b=0x6223f0, out=0x629073, outl=17741) at bio_lib.c:210
>> > #3  0x00007ffff7db80e4 in ssl3_read_n (s=0x622c70, n=13, max=17741, extend=<value optimized out>) at s3_pkt.c:258
>> > #4  0x00007ffff7dcaf75 in dtls1_get_record (s=0x622c70) at d1_pkt.c:676
>> > #5  0x00007ffff7dcb6b8 in dtls1_read_bytes (s=0x622c70, type=22, buf=0x7ffffffedfd0 "\006", len=12, peek=0) at d1_pkt.c:938
>> > #6  0x00007ffff7dcdda5 in dtls1_get_message_fragment (s=0x622c70, st1=<value optimized out>, stn=4449, max=30, ok=0x7ffffffee09c) at d1_both.c:908
>> > #7  0x00007ffff7dce414 in dtls1_get_message (s=0x622c70, st1=4448, stn=4449, mt=14, max=30, ok=0x7ffffffee09c) at d1_both.c:512
>> > #8  0x00007ffff7dacaf9 in ssl3_get_server_done (s=0x622c70) at s3_clnt.c:2458
>> > #9  0x00007ffff7dc8467 in dtls1_connect (s=0x622c70) at d1_clnt.c:466
>> > #10 0x0000000000402f75 in start_client(char*, char*, int, int, int) ()
>> > #11 0x0000000000403573 in main ()
>> >
>> >
>> > Server side back trace
>> >
>> > (gdb) info threads
>> >   2 Thread 0x7ffff793c700 (LWP 20161)  0x0000003db4c0ea2d in recvmsg () from /lib64/libpthread.so.0
>> > * 1 Thread 0x7ffff793e720 (LWP 20155)  0x0000003db4c0e84d in accept () from /lib64/libpthread.so.0
>> > (gdb) t 2
>> > [Switching to thread 2 (Thread 0x7ffff793c700 (LWP 20161))]#0  0x0000003db4c0ea2d in recvmsg () from /lib64/libpthread.so.0
>> > (gdb) bt
>> > #0  0x0000003db4c0ea2d in recvmsg () from /lib64/libpthread.so.0
>> > #1  0x00007ffff7a633a6 in BIO_dgram_sctp_wait_for_dry (b=0x7ffff0001930) at bss_dgram.c:1803
>> > #2  0x00007ffff7dc7830 in dtls1_accept (s=0x7ffff00008c0) at d1_srvr.c:403
>> > #3  0x00000000004021ee in connection_handle(void*) ()
>> > #4  0x0000003db4c07851 in start_thread () from /lib64/libpthread.so.0
>> > #5  0x0000003db48e890d in clone () from /lib64/libc.so.6
>> > (gdb)
>> >
>> >
>> > I am also attaching the Wireshark trace (port 4443) and a server key for decoding it in Wireshark.
>> >
>> > Command used on server side: ./dtls_sctp_echo -L 16.181.38.161 -p 4443
>> >
>> > Command used on client side: ./dtls_sctp_echo -L 16.181.38.161 -p 4443 -l 50 -n 5 16.181.38.161
>> >
>> > Thanks in advance for your valuable input
>> I've CCed Irene, who did some testing recently on FreeBSD, where the
>> implementation works.
>> The server is waiting for a sender dry event which it should get.
>>
>> Which version of OpenSSL are you using and which OS are you using?
>>
>> Best regards
>> Michael
>> >
>> > Regards,
>> > Mahesh G S
>> >
>> >
>> >
>> > On Tue, Feb 21, 2017 at 2:28 PM, Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>> > > On 21 Feb 2017, at 09:53, mahesh gs <mahesh116 at gmail.com> wrote:
>> > >
>> > > Hi,
>> > >
>> > > We have client and server applications that use SCTP as a transport
>> > > protocol. We have to secure the connections using DTLS. I am using
>> > > OpenSSL version 1.0.2, which supports DTLS. But the problem I am facing
>> > > is the usage of the DTLS SCTP related APIs. The OpenSSL documentation
>> > > does not clearly explain all the SCTP related APIs and their usage sequence.
>> > >
>> > > I have tried going through the internet and found that most of the sites
>> > > redirect to one link for SCTP DTLS sample code. But this link is not
>> > > working.
>> > >
>> > > http://sctp.fh-muenster.de/dtls-samples.html
>> > Try
>> > http://web.archive.org/web/20150617012520/http://sctp.fh-muenster.de/dtls-samples.html
>> > and yes, we need to bring the machine up again.
>> >
>> > Best regards
>> > Michael
>> > >
>> > > If any of you has sample code of a DTLS adaptation for SCTP, it
>> > > would help me immensely in my work.
>> > >
>> > > Looking forward to your valuable inputs.
>> > >
>> > > Thanks,
>> > > Mahesh G S
>> > > --
>> > > openssl-users mailing list
>> > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>> >
>> >
>> > <log.pcap><server.key.pem>
>>
>>
>
>
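As an added example, not code from this thread or from the OpenSSL DTLS/SCTP samples it links: a small C diagnostic for the state Michael describes, the server blocked in BIO_dgram_sctp_wait_for_dry until the kernel delivers an SCTP_SENDER_DRY_EVENT. It checks whether the running kernel accepts a subscription to that event and shows the test a wait-for-dry loop applies to each recvmsg() result. It assumes the kernel UAPI header linux/sctp.h is installed; on a host without the SCTP module the socket() call fails and the check reports -1.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/sctp.h>  /* kernel UAPI: SCTP_EVENTS, SCTP_SENDER_DRY_EVENT, MSG_NOTIFICATION */

/* Subscribe a fresh one-to-one SCTP socket to SCTP_SENDER_DRY_EVENT, as the OpenSSL SCTP
 * BIO does. 1 = accepted, 0 = setsockopt() refused (kernel SCTP does not know the event),
 * -1 = no SCTP socket could be created (module absent or blocked). */
int sctp_sender_dry_supported(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (fd < 0) return -1;
    struct sctp_event_subscribe ev = { .sctp_sender_dry_event = 1 };
    int rc = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &ev, sizeof ev);
    close(fd);
    return rc == 0 ? 1 : 0;
}

/* Classify one recvmsg() result: 1 only if the kernel flagged it as a notification
 * (MSG_NOTIFICATION in msg_flags) and the header says SCTP_SENDER_DRY_EVENT; a DTLS
 * record or any other notification gives 0. A wait-for-dry loop reads until this is 1. */
int is_sender_dry_notification(const void *buf, size_t len, int msg_flags)
{
    if (!(msg_flags & MSG_NOTIFICATION) || len < sizeof(struct sctp_sender_dry_event)) return 0;
    const union sctp_notification *snp = buf;
    return snp->sn_header.sn_type == SCTP_SENDER_DRY_EVENT;
}

/* Offline check on a constructed notification (no association needed): the sender-dry event
 * is recognised; the same bytes without the flag, and a shutdown event with it, are not. */
int classify_self_check(void)
{
    union sctp_notification n;
    memset(&n, 0, sizeof n);
    n.sn_header.sn_type = SCTP_SENDER_DRY_EVENT;
    n.sn_header.sn_length = sizeof(struct sctp_sender_dry_event);
    int ok = is_sender_dry_notification(&n, sizeof n, MSG_NOTIFICATION) == 1
          && is_sender_dry_notification(&n, sizeof n, 0) == 0;
    n.sn_header.sn_type = SCTP_SHUTDOWN_EVENT;
    return ok && is_sender_dry_notification(&n, sizeof n, MSG_NOTIFICATION) == 0;
}

int main(void)
{
    int r = sctp_sender_dry_supported();
    printf("classifier self-check: %s\n", classify_self_check() ? "ok" : "FAILED");
    printf("sender-dry subscription: %s\n", r == 1 ? "accepted" : r == 0 ? "refused" : "no SCTP socket");
    return r == 1 ? 0 : 1;
}
```

A kernel that answers "refused" or "no SCTP socket" cannot make the OpenSSL SCTP BIO work at all; one that answers "accepted" but still leaves the server in BIO_dgram_sctp_wait_for_dry is the case this thread traced to the kernel's SCTP implementation.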