[openssl-users] Query regarding DTLS handshake

Michael Tuexen Michael.Tuexen at lurchi.franken.de
Tue May 2 06:21:05 UTC 2017 

> On 2. May 2017, at 08:03, mahesh gs <mahesh116 at gmail.com> wrote:
> 
> 
> 
> On Sun, Apr 30, 2017 at 11:11 PM, Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
> > On 20. Apr 2017, at 20:01, mahesh gs <mahesh116 at gmail.com> wrote:
> >
> > Hi,
> >
> > This issue occur purely based on the time (sequence of events) at which SSL read_state_machine enter the post processing of certificate verify which is received from client.
> >
> > Handshake works fine if the certificate verify post processing is done before the next message arrives at SCTP socket layer (In your case may be there is a delay in receiving the next message at SCTP layer). Handshake works fine even in my environment some times.
> Can you try the attached patch and report if it fixes the issue for you?
> 
>     I have tried with the patch provided by Matt. Our test results are successful. Issue is fixed with the patch.
OK, I see. It isn't fixed in our case. That is why I sent the patch.
Thanks for the feedback.

Best regards
Michael
> 
> Best regards
> Michael
> 
> 
> 
> >
> >
> > I added some debug statements, below is the debug statements.
> >
> >
> > Debug statements when the handshake does not work
> >
> > <image.png>
> >
> > Length of the next packet (Cipher spec change) is exactly 14 as i mentioned  in - https://github.com/openssl/openssl/issues/3251
> >
> > Debug logs when the handshake is successful
> >
> > <image.png>
> >
> > If no message is waiting to be received at socket layer then handshake is successful. If message is waiting to be received at socket layer then the handshake will never be completed.
> >
> >
> > Thanks,
> > Mahesh G S
> >
> > On Thu, Apr 20, 2017 at 7:17 PM, Martin Brejcha <martin.brejcha at mavenir.com> wrote:
> >
> >
> > Matt Caswell wrote on 04/20/2017 03:23 PM:
> > >
> > >
> > > On 20/04/17 14:19, Martin Brejcha wrote:
> > >>
> > >>
> > >> Matt Caswell wrote on 04/20/2017 01:29 PM:
> > >>>
> > >>>
> > >>> On 20/04/17 12:26, mahesh gs wrote:
> > >>>> Hi Matt,
> > >>>>
> > >>>> Yes I raised github case for the same issue. I also tried running this
> > >>>> call flow with the latest SNAPSHOT code (openssl-SNAP-20170419) and
> > >>>> handshake is successful with the latest SNAPSHOT code which is not an
> > >>>> official release.
> > >>>>
> > >>>> I checked the github repo history and observer that during commits on
> > >>>> (11 th Jan) as a part of "Move state machine knowledge out of the record
> > >>>> layer".  "renegotiate" bit that is set to "2" in function
> > >>>> "tls_post_process_client_hello" has been removed. May be that is causing
> > >>>> the call flow to be successful in the latest SNAPSHOT release.
> > >>>>
> > >>>> I am assuming commits that are done on 11th Jan or later are not part of
> > >>>> release openssl 01.01.00e
> > >>>
> > >>> Ah. No. That commit is in the dev branch only (scheduled for version
> > >>> 1.1.1) and won't be backported to the 1.1.0 branch. I can see why that
> > >>> commit might help things, but probably a different solution is more
> > >>> appropriate for 1.1.0.
> > >>>
> > >>> I'm looking at this issue at the moment.
> > >>>
> > >>> Matt
> > >>>
> > >>
> > >> hi,
> > >>
> > >> btw: I've tested similar scenario and handshake works fine.
> > >> test env: client and server on different VMs (rhel7.2, openssl 1.1.0e, non-blocking sockets and segmented certificate)
> > >> So, it should work also with 1.1.0e version.
> > >
> > > Thanks. Did your handshake include client auth? I think this issue only
> > > arises in that case.
> > >
> > > Matt
> > >
> > >
> >
> > yes, client auth with segmented certificate has been included.
> >
> > Martin
> >
> >
> >
> > >
> > >
> >
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> >
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list