[openssl-users] DTLS over UDP

Nivedita maddi.nivedita at gmail.com
Thu Feb 15 10:47:38 UTC 2018


Hi Michael,

Please find the response inline.

Regards,
Nivedita

On Wed, Feb 14, 2018 at 10:55 PM, Michael Richardson <mcr at sandelman.ca>
wrote:

>
> Nivedita <maddi.nivedita at gmail.com> wrote:
>     > Hi Michael,
>
>     > Thanks for the reply.
>
>     > I have mentioned the answers below.
>
> >okay. I saw only one comment.  Maybe you could use standard usenet
> quoting?
> >Tell me a bit more about what you are working on?
> >I'm trying to make CoAP+DTLS work with the ruby-on-rails "David" CoAP
> server.
>

Nivedita - We are using C and socket programming to establish DTLS over
UDP for SIP communication.


>     > Nivedita <maddi.nivedita at gmail.com> wrote:
>     >> I am trying to establish DTLS over UDP connection by using
>     >> DTLSv1_listen method .
>
>     >> I have followed the below steps - 1. Created a server socket and
>     >> using this socket created bio and ssl object. bio =
>     >> BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);
>
>     >> 2. Enable cookie exchange on SSL object. SSL_set_options(ssl,
>     >> SSL_OP_COOKIE_EXCHANGE);
>
>     >> 3. Then started listening using dtlsv1_listen for the new client
>     >> connections. Once dtlsv1_listen is successful and i got the peer
>     >> address.
>
>     mcr> okay.
>
>
>     > Nivedita- All the above mentioned steps I am doing on the server side.
>     > On the client side I have already initiated SSL_connect.
>     > On the server side when I am listening using the DTLSv1_listen method -
>
>     >> 4. Once i got the peer address , i am creating one more socket
>     >> 5. With the new socket i tried to connect to peer address.
>
>     mcr> Do you mean, you call "SSL_connect()"?
>     mcr> Or do you mean you bind(2) and connect(2) the socket.
>
> You didn't answer this.
> You imply you might have tried "SSL_connect()" on the server side.

Nivedita - SSL_connect is already issued on the client side, because of
which it triggered the server, and DTLSv1_listen was successful and I got
the peer address from DTLSv1_listen.

Then once I got the client address from the DTLSv1_listen method, I am
creating one more socket and trying to connect to this client address.

    VI_res = connect(new_sockid, (struct sockaddr *)&client_addr, sizeof(client_addr));
I am able to connect to the client address which I got in the
DTLSv1_listen method using the new socket id, and I want to do the SSL_accept
on the new socket id by issuing BIO_set_fd and BIO_ctrl.
But SSL_accept fails with error code 2.

    /* point the existing datagram BIO at the new, connected socket */
    BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);
    /* tell the BIO which peer the socket is connected to */
    BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);
    SSL_accept(VP_ssl);
I would like to mention that VP_ssl is created using the server socket id,
but we are trying to do SSL_accept on the newly created socket id, which is
connected to the peer address (got from the DTLSv1_listen method), so that we
can use this socket for further read/write operations and the server socket
for listening operations.

>
>
>     >> 6. Then i am trying to do ssl_accept on the new socket by calling
>     >> bio_set_fd.
>
>     >> BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);
>
>     >> BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
>     >> &client_addr);
>
>     >> SSL_set_fd(ssl,VI_newsock_id);
>
>     mcr> So, SSL_set_fd() will allocate a new BIO, which probably undoes
>     mcr> the effect of calling BIO_CTRL_DGRAM_SET_CONNECTED. Since you have
>     mcr> set the fd of the existing BIO, I think you can omit that line.
>
> Please omit the SSL_set_fd(), since you've already done it.
>
> I have a pull request at:
>     https://github.com/openssl/openssl/pull/5024
>
> which I am reworking to suit the OpenSSL team.
> I am solving the same problem that you have encountered.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
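A socket-level walk-through of steps 4 and 5 from the thread, as an added example that is not code from either poster's program or from OpenSSL's own samples. The step the posted sequence never mentions is binding the second socket to the listener's own address and port (with SO_REUSEADDR on both sockets) before connect(): without that bind the new socket gets an ephemeral port, the client keeps sending to the server port it already knows, every datagram still lands on the listening socket, and SSL_accept on the new socket has nothing to read. If the "error code 2" is the value returned by SSL_get_error(), that is SSL_ERROR_WANT_READ, which fits that picture. The helper make_peer_socket() is a hypothetical name; the loopback "client" is constructed inline; the OpenSSL hand-off (BIO_set_fd, BIO_CTRL_DGRAM_SET_CONNECTED, SSL_accept, and no SSL_set_fd) appears in comments only, so the block builds against plain libc. It assumes the Linux UDP lookup rule that a connected socket sharing the listener's port receives the datagrams from its own peer.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not from the thread: build the per-peer socket for one
 * client after DTLSv1_listen() has reported that client's address.  It is bound
 * to the listener's own address and port (the port the client already sends
 * to) and then connected to the peer, so the kernel routes that peer's
 * datagrams here and everything else to the listener. */
static int make_peer_socket(const struct sockaddr_in *local,
                            const struct sockaddr_in *peer)
{
    int one = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    /* The shared bind needs SO_REUSEADDR on this socket and on the listener. */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (const struct sockaddr *)local, sizeof *local) < 0 ||
        connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) {
        close(fd);
        return -1;
    }
    /* OpenSSL hand-off on the SSL object that already owns the listener's
     * datagram BIO (comments only: this file is built without libssl):
     *   BIO_set_fd(SSL_get_rbio(ssl), fd, BIO_NOCLOSE);
     *   BIO_ctrl(SSL_get_rbio(ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, peer);
     *   SSL_accept(ssl);   no SSL_set_fd(): it would install a fresh BIO and
     *                      drop the connected-peer state just set above     */
    return fd;
}

/* Loopback walk-through with a constructed "client": returns 0 when the
 * client's second datagram lands on the connected peer socket while the
 * listener stays free for new ClientHellos; -1 on any failure. */
int demo_handoff(void)
{
    int rc = -1, one = 1, peerfd = -1;
    int listener = socket(AF_INET, SOCK_DGRAM, 0);
    int client = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in local, peer;
    socklen_t len;
    struct pollfd pfd = { 0 };
    char buf[64];

    if (listener < 0 || client < 0)
        goto out;
    /* Listener: the socket the posted code wraps in BIO_new_dgram(). */
    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port = 0;                      /* let the kernel pick a port */
    if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(listener, (struct sockaddr *)&local, sizeof local) < 0)
        goto out;
    len = sizeof local;
    if (getsockname(listener, (struct sockaddr *)&local, &len) < 0)
        goto out;
    /* Client sends its first datagram (standing in for the ClientHello). */
    if (sendto(client, "hello1", 6, 0, (struct sockaddr *)&local, sizeof local) != 6)
        goto out;
    /* Listener reads it and learns the peer address, as DTLSv1_listen() does. */
    len = sizeof peer;
    if (recvfrom(listener, buf, sizeof buf, 0, (struct sockaddr *)&peer, &len) != 6)
        goto out;
    peerfd = make_peer_socket(&local, &peer);
    if (peerfd < 0)
        goto out;
    /* The client keeps talking to the same server port it used before... */
    if (sendto(client, "hello2", 6, 0, (struct sockaddr *)&local, sizeof local) != 6)
        goto out;
    /* ...and that datagram is delivered to the connected socket only. */
    pfd.fd = peerfd;
    pfd.events = POLLIN;
    if (poll(&pfd, 1, 1000) != 1 || recv(peerfd, buf, sizeof buf, 0) != 6)
        goto out;
    pfd.fd = listener;
    if (poll(&pfd, 1, 0) != 0)               /* nothing queued on the listener */
        goto out;
    rc = 0;
out:
    if (peerfd >= 0) close(peerfd);
    if (listener >= 0) close(listener);
    if (client >= 0) close(client);
    return rc;
}

int main(void)
{
    int rc = demo_handoff();
    printf("%s\n", rc == 0 ? "peer socket received the follow-up datagram"
                           : "hand-off failed");
    return rc == 0 ? 0 : 1;
}
```

The listener is left with its SO_REUSEADDR bind alone, so a second DTLSv1_listen() on it keeps serving fresh ClientHellos while each accepted peer has its own connected socket; that is exactly the split between "listening socket" and "read/write socket" the thread is after.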