[openssl-users] Fwd: DTLS over UDP
Nivedita
maddi.nivedita at gmail.com
Wed Feb 14 06:18:27 UTC 2018
Hi Michael,
Please ignore the previous mail. By mistake it got sent.
I have provided my comments below.
Thanks in advance.
Regards,
Nivedita
On Wed, Feb 14, 2018 at 10:22 AM, Nivedita <maddi.nivedita at gmail.com> wrote:
> Hi Michael,
>
> Thanks for the reply.
>
> I have mentioned the answers below.
>
>
> On Wed, Feb 14, 2018 at 12:21 AM, Michael Richardson <mcr at sandelman.ca>
> wrote:
>
>> From: Michael Richardson <mcr at sandelman.ca>
>> To: openssl-users at openssl.org
>> Subject: Re: [openssl-users] DTLS over UDP
>> Date: Tue, 13 Feb 2018 13:51:10 -0500
>> Message-ID: <10616.1518547870 at obiwan.sandelman.ca>
>>
>> Nivedita <maddi.nivedita at gmail.com> wrote:
>> > I am trying to establish DTLS over UDP connection by using
>> > DTLSv1_listen method .
>>
>> > I have followed the below steps - 1. Created a server socket and
>> > using this socket created bio and ssl object.
>> > bio = BIO_new_dgram(VI_sock, BIO_NOCLOSE); SSL_set_bio(ssl, VP_bio, VP_bio);
>>
>> > 2. Enable cookie exchange on SSL object. SSL_set_options(ssl,
>> > SSL_OP_COOKIE_EXCHANGE);
>>
>> > 3. Then started listening using dtlsv1_listen for the new client
>> > connections. Once dtlsv1_listen is successful, I got the peer
>> > address.
>>
>> okay.
>>
Nivedita- Here the ssl object is created on the server socket and the
same ssl is passed to dtlsv1_listen method.

Nivedita- All the above mentioned steps I am doing on server side. On
the client side I have already initiated ssl_connect.
On the server side I am listening using dtlsv1_listen method:

    while ((VI_res = DTLSv1_listen(VP_ssl, &VS_client_addr)) <= 0);

Now I got the client_addr from dtlsv1_listen method.
>
>
>> > 4. Once i got the client address , i am creating one new socket
>> > 5. With the new socket i tried to connect to client address.
>>
>> Do you mean, you call "SSL_connect()"?
>> Or do you mean you bind(2) and connect(2) the socket.
>>
>
Nivedita- Once I got the client address from dtlsv1_listen, I am
creating one more socket and trying to connect to the client address
which I got from dtlsv1_listen method:

    VI_res = connect(VI_new_sock_id, (struct sockaddr *)&client_addr, sizeof(client_addr));
>
>> > 6. Then i am trying to do ssl_accept on the new socket by calling
>> > bio_set_fd.
>>
>> > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);
>>
>> > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
>> > &client_addr);
>>
>> > SSL_set_fd(ssl,VI_newsock_id);
>>
>> So, SSL_set_fd() will allocate a new BIO, which probably undoes the effect
>> of calling BIO_CTRL_DGRAM_SET_CONNECTED. Since you have set the fd of
>> the existing BIO, I think you can omit that line.
>>
Nivedita - I have removed SSL_set_fd and tried by doing
BIO_set_fd and BIO_ctrl, but still ssl_accept always returns -1 with
error code 2.

    VI_res = BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);
    VI_res = BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);
    SSL_set_accept_state(VP_ssl);
    VI_res = SSL_accept(VP_ssl);

This ssl object is the same one which we have passed in the
dtlsv1_listen method. Actually I am trying to do the ssl_accept on a
different socket for every client, even though dtlsv1_listen happens
on the server socket. Could you please let me know if it is possible.
>> > VI_res = SSL_accept(ssl);
>>
>> > But ssl_accept will always return error code 2 [i.e. want read or
>> > want write]
>>
>> > But if I am doing ssl_accept without doing the step no 6 it will
>> > be successful.
>>
>> Yes.
>>
>> > Could someone please let us know how to switch to newly created
>> > socket, so that it can start using newly created socket for further
>> > read and write operations and original server socket will keep on
>> > listening for new connections.
>>
>> Do you expect additional connections on the existing socket?
>> I've been working on some new API to make this all easier.
>>
Nivedita - Yes, we have multiple peers which try to connect to the
same server, so in that case I need different sockets: one for listening
operations and one for read/write operations [one per client].

>> Your method may fail if you have bound your "listen" to :: (0.0.0.0),
>> and you have multiple IPs. In my case, I expect connections over IPv6 LL
>> addresses, and there are always multiple of those, and ifindex issues as
>> well.
>>
>> --
>> ]               Never tell me the odds!                 | ipv6 mesh networks [
>> ]   Michael Richardson, Sandelman Software Works        | network architect  [
>> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [