[openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

Richard Weinberger richard at nod.at
Sat Aug 11 15:22:48 UTC 2018


I have a hard time figuring how to write a DTLS UDP server that supports multiple
clients. My dummy single user server works fine.

To support multiple clients I tried two approaches:
1. singled threaded async IO, preferred since I have to deal with many clients
2. multi threaded, one thread per client

Both approaches seem to be doomed for the very same reason, namely that
DTLSv1_listen() does peek into the kernel queue and does not consume
the client hello from the UDP socket.

Both loop around DTLSv1_listen() and as soon the function returns > 0 a new
socket for the client is created using bind/connect and the client address
as returned by DTLSv1_listen().

This client socket is then passed to a new thread or feed into the event loop.
In both cases the client hello is still in the queue of the server socket
and the program will over and over create new client sockets.

After searching the web for examples I've found this thread[0], where the approaches
I tried are advertised.
In [1] the demo server at [3] is suggested as good example.

dtls_udp_echo.c from [3] does exactly what I did in my 2nd approach, and it fails in
the same way.
As soon one client connects, it creates over and over new sockets until it dies due
to too many open files.

After digging a bit into the source it looks to me like since commit [3],
DTLSv1_listen() assumes that you re-use the same socket for the new client.
Which makes supporting multiple clients impossible.

Given that I'm not an OpenSSL DTLS expert I still hope I miss something.
Can you please help me to figure what the correct approach for multiple clients is?


P.s: I'm on Linux, OpenSSL 1.1.0h, but tried as OpenSSL git as of today.

[0] https://mta.openssl.org/pipermail/openssl-users/2018-April/007861.html
[1] https://mta.openssl.org/pipermail/openssl-users/2018-April/007864.html
[2] https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
[3] https://github.com/openssl/openssl/commit/e3d0dae7cf8363ca462ac425b72c7bb31c3b4b7a

More information about the openssl-users mailing list