[openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

Richard Weinberger richard at nod.at
Wed Aug 15 20:09:11 UTC 2018


Philip,

On Wednesday, 15 August 2018, 21:36:30 CEST, you wrote:
> 
> > On Aug 11, 2018, at 9:22 AM, Richard Weinberger <richard at nod.at> wrote:
> > 
> > Hi!
> > 
> > I have a hard time figuring out how to write a DTLS UDP server that supports multiple
> > clients. My dummy single user server works fine.
> > 
> > To support multiple clients I tried two approaches:
> > 1. single-threaded async IO, preferred since I have to deal with many clients
> > 2. multi threaded, one thread per client
> > 
> > Both approaches seem to be doomed for the very same reason, namely that
> > DTLSv1_listen() does peek into the kernel queue and does not consume
> > the client hello from the UDP socket.
> > 
> > Both loop around DTLSv1_listen() and as soon as the function returns > 0 a new
> > socket for the client is created using bind/connect and the client address
> > as returned by DTLSv1_listen().
> > 
> > This client socket is then passed to a new thread or fed into the event loop.
> > In both cases the client hello is still in the queue of the server socket
> > and the program will over and over create new client sockets.
> > 
> > After searching the web for examples I've found this thread[0], where the approaches
> > I tried are advertised.
> > In [1] the demo server at [3] is suggested as good example.
> > 
> > dtls_udp_echo.c from [3] does exactly what I did in my 2nd approach, and it fails in
> > the same way.
> > As soon as one client connects, it creates over and over new sockets until it dies due
> > to too many open files.
> > 
> > After digging a bit into the source it looks to me like since commit [3],
> > DTLSv1_listen() assumes that you re-use the same socket for the new client.
> > Which makes supporting multiple clients impossible.
> > 
> > Given that I'm not an OpenSSL DTLS expert I still hope I'm missing something.
> > Can you please help me figure out what the correct approach for multiple clients is?
> > 
> > Thanks,
> > //richard
> 
> 
> Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.

Can you please explain? I fear I'm missing something.

Libevent seems to be able to deal with OpenSSL BIO objects.
But how is it supposed to help me with the DTLSv1_listen() issue?

A quick grep on the Libevent sources does not show calls to DTLSv1_listen()
and I don't think that it is open coding it. At least I hope so.

The problem I see is not about event processing, it is about OpenSSL 1.1.x's
re-write of DTLSv1_listen().

Thanks,
//richard
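To make the failure mode described in this thread concrete, here is an added example (not code from the thread, from OpenSSL or from dtls_udp_echo.c; written in Python against plain UDP sockets rather than libssl) that mimics the two steps: peek at the first datagram without consuming it, as the thread says DTLSv1_listen() does, then bind a second socket to the same address with SO_REUSEADDR and connect() it to the client, as the bind/connect approach does. The stand-in ClientHello bytes and the loopback addresses are constructed for the demo, and it assumes a loopback interface is available.

```python
import socket

# Stand-in for the first flight a DTLS client sends (constructed for this demo).
FAKE_CLIENT_HELLO = b"ClientHello"


def demo_peek_leaves_hello_queued(host="127.0.0.1"):
    """Peek at the first datagram like DTLSv1_listen(), then open a per-client
    socket the way the bind/connect approach does, and report where the
    datagram still is."""
    # Listening socket; SO_REUSEADDR lets a per-client socket bind to the same port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # ephemeral port; assumes loopback is available
    srv_addr = srv.getsockname()
    srv.settimeout(2.0)

    # Client side: one datagram standing in for the ClientHello.
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((host, 0))
    cli.sendto(FAKE_CLIENT_HELLO, srv_addr)

    # Step 1: peek without consuming, which is what the thread says DTLSv1_listen() does.
    peeked, peer = srv.recvfrom(4096, socket.MSG_PEEK)

    # Step 2: per-client socket bound to the server address and connected to the
    # peer address that the peek returned.
    per_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    per_client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    per_client.bind(srv_addr)
    per_client.connect(peer)
    per_client.setblocking(False)

    # Step 3: the datagram is still queued on the listening socket, so another
    # pass of the listen loop sees the very same hello again ...
    again, _ = srv.recvfrom(4096, socket.MSG_PEEK)
    still_on_listener = again == peeked
    # ... and the new per-client socket has nothing to read.
    try:
        per_client.recv(4096)
        on_per_client = True
    except BlockingIOError:
        on_per_client = False

    for s in (srv, cli, per_client):
        s.close()
    return {"peeked": peeked, "still_on_listener": still_on_listener,
            "on_per_client": on_per_client}


if __name__ == "__main__":
    print(demo_peek_leaves_hello_queued())
```

A loop that only peeks would keep returning the same datagram and opening a new per-client socket each time, which is the file-descriptor exhaustion the thread reports.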



