[openssl-users] Information to detach a BIO from fd

Michael Richardson mcr at sandelman.ca
Sat Jan 13 21:42:35 UTC 2018


Grace Priscilla Jero <grace.priscilla at gmail.com> wrote:
    > Below is our scenario on DTLS.

    > We have multiple connections to the same server. We have mapped one fd
    > to the ssl in the server to receive all connections.

Are these connections from the same client (same 5-tuple), or are you just
talking about multiple clients?

    > Whenever a connect is initiated from any client we need to know if it
    > is already connected client or a new client. We are doing this by

    > * creating bio/ssl each time on the same fd

    > * fetching the peer using BIO_dgram_get_peer after ssl_accept

    > * Comparing it to the internally maintained list of peer

    > * If it is a new peer we continue with handshake but if it is old peer
    > we do the ssl_read.

I don't think this is going to work.

A UDP/DTLS server has two choices:

1) read all the packets on an unconnected socket and demultiplex them into
   appropriate BIOs/SSL structures.  I did not find an obvious way to do
   this, I think that a new BIO type would make this easiest.

   It also has the downside that it's hard to spread the load across
   multiple processes, although with the right locking multiple threads would
   likely work.

2) after each call to DTLSv1_listen(), set up a new fd that is bind()/connect()ed to
   the peer (by 5-tuple) so that all traffic from that peer arrives on the
   correct FD.
   AFAIK, there isn't anything to forbid two DTLS sessions between identical
   UDP sockets, as they could have differing session cookies, etc.


    > The problem is that there are 2 bio/ssl that get created for the same
    > fd and the peer ends up writing to one of them and we don't get the
    > message on the intended ssl.  Hence we are checking for a way to detach
    > and remove the ssl/bio that gets created in the already connected case.

I don't think that is going to work.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
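Added example, not part of the list post or of OpenSSL's own code: option 2 above (one connected fd per peer after DTLSv1_listen()) shown on plain UDP sockets, so the kernel-side demultiplexing can be seen without the TLS layer. It assumes Linux semantics, namely that UDP sockets sharing a local address:port all set SO_REUSEADDR, and that the kernel delivers a datagram to the socket connect()ed to its source 5-tuple in preference to the unconnected listener. Wrapping the returned per-peer fd in BIO_new_dgram() and handing it to the SSL object is assumed and not shown; the function and variable names are the example's own.

```c
/* Added example: per-peer connected UDP sockets, the pattern a DTLS server
 * uses after DTLSv1_listen() so each peer's traffic lands on its own fd.
 * Assumes Linux: SO_REUSEADDR on every socket sharing the port, and the
 * connected socket winning the lookup for its peer's datagrams. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket with SO_REUSEADDR so several sockets can share one
 * local address:port (the listener plus one connected socket per peer). */
static int udp_bind_reusable(const struct sockaddr_in *local)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int one = 1;
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (const struct sockaddr *)local, sizeof *local) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create the per-peer socket: same local address as the listener, then
 * connect()ed to the peer's address. From now on the kernel prefers this
 * socket for datagrams from that peer, so they no longer reach the listener.
 * In a DTLS server this fd would be wrapped with BIO_new_dgram() (assumed). */
int udp_attach_peer(const struct sockaddr_in *local, const struct sockaddr_in *peer)
{
    int fd = udp_bind_reusable(local);
    if (fd < 0)
        return -1;
    if (connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback self-check with a constructed client. Returns 1 when the peer's
 * first datagram arrives on the listener and its second one, sent after
 * udp_attach_peer(), arrives on the per-peer fd only; 0 otherwise. */
int demo_peer_demux(void)
{
    struct sockaddr_in local, peer;
    socklen_t len = sizeof local;
    char buf[64];
    int listener, client, peer_fd, ok = 0;
    struct pollfd pfd[2];

    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port = 0;                      /* let the kernel pick a port */
    listener = udp_bind_reusable(&local);
    if (listener < 0 || getsockname(listener, (struct sockaddr *)&local, &len) < 0)
        return 0;

    /* Constructed client: connected so both datagrams share one source port. */
    client = socket(AF_INET, SOCK_DGRAM, 0);
    if (client < 0 || connect(client, (const struct sockaddr *)&local, sizeof local) < 0)
        return 0;

    /* First datagram: the only socket on the port is the listener. */
    send(client, "hello", 5, 0);
    len = sizeof peer;
    if (recvfrom(listener, buf, sizeof buf, 0, (struct sockaddr *)&peer, &len) != 5)
        return 0;

    /* What the DTLS server does once DTLSv1_listen() has accepted this peer. */
    peer_fd = udp_attach_peer(&local, &peer);
    if (peer_fd < 0)
        return 0;

    /* Second datagram from the same 5-tuple must land on peer_fd, not listener. */
    send(client, "again", 5, 0);
    pfd[0].fd = listener; pfd[0].events = POLLIN;
    pfd[1].fd = peer_fd;  pfd[1].events = POLLIN;
    if (poll(pfd, 2, 1000) > 0 && (pfd[1].revents & POLLIN) && !(pfd[0].revents & POLLIN))
        ok = recv(peer_fd, buf, sizeof buf, 0) == 5 && memcmp(buf, "again", 5) == 0;

    close(client);
    close(peer_fd);
    close(listener);
    return ok;
}

int main(void)
{
    int ok = demo_peer_demux();
    printf("per-peer fd received the second datagram: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The listener keeps receiving only first contact from unknown 5-tuples, which is what DTLSv1_listen() wants to see; once a peer has its own connected fd, a second BIO/SSL on the shared listener never competes for that peer's packets, which is the failure the original scenario runs into.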
