Resetting DTLS server

Patrick Herbst paherbst at
Tue Nov 12 13:30:53 UTC 2019

On Tue, Nov 12, 2019 at 3:00 AM Michael Richardson <mcr at> wrote:
> On 2019-11-12 7:38 a.m., Patrick Herbst wrote:
> > If I set up a DTLS server, the client can connect once and send
> > messages fine.  But if the client restarts and tries to send data, the
> > server hangs on SSL_read.
> How are you handling the sockets on the server?
> If you are creating a new 5-tuple [bind/connect] socket on the server
> for each client, and the client then reuses its socket, then it's
> trying to speak to the old instance on the server.
> > I'm assuming the server does not like a clienthello message when it is
> > expecting application data.
> >
> > How can the server be made to recover and re-handshake with the
> > restarted client?
> Close the UDP socket on the client and open a new one to get a new
> source port.
> Does that work?  I'm not terribly happy with this solution, but it does
> match what TCP would do.

In general, here is what I do (assuming only one client for proof of
concept, and skipping some mundane steps).
I am also assuming the client is using the same addr/port, so "connect"
would not make a difference.

s = socket(AF_INET, SOCK_DGRAM, 0);
bind(s, (struct sockaddr *)&serverAddr, sizeof(serverAddr));
bio = BIO_new_dgram(s, BIO_NOCLOSE);
SSL_set_bio(ssl, bio, bio);   /* ssl comes from a DTLS SSL_CTX; handshake omitted */

while (1) {
  FD_ZERO(&fds);
  FD_SET(s, &fds);
  select(s + 1, &fds, NULL, NULL, NULL);
  if (FD_ISSET(s, &fds)) {
    n = SSL_read(ssl, buffer, sizeof(buffer) - 1);
    if (n > 0) {
      buffer[n] = '\0';         /* SSL_read does not NUL-terminate */
      printf("rx: %s\n", buffer);
    } else {
      printf("bad things\n");
    }
  }
}

What happens is, from the server's standpoint, it doesn't know when a
client restarts.  When the client does restart, the server blocks in
SSL_read while the internals of the library keep reading packets until
it gets app data... so it ignores another ClientHello, but doesn't
notify the server of that condition.

Am I missing something?  Is this worth fixing in the library?  Is this
intended behavior?
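One way for the server to notice the restarted client, as an added example that is not code from the original post or from OpenSSL itself: before handing the socket to SSL_read, peek at the waiting datagram with MSG_PEEK and classify it. A DTLS record begins with a 13-byte header (content type, version, epoch, 48-bit sequence number, length); an initial ClientHello is a handshake record (content type 22) sent in epoch 0, with handshake message type 1 at offset 13. Once the current session is established, an epoch-0 ClientHello can only come from a new client instance on that address/port, so the server should discard its SSL object and run a fresh handshake instead of calling SSL_read. The helper names, the dtls_action enum and the sample datagrams below are my own constructions, and the sample ClientHello body is truncated after the client random.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>   /* recv, MSG_PEEK */

#define DTLS_RECORD_HDR_LEN 13
#define DTLS_HS_HDR_LEN     12
#define DTLS_CT_HANDSHAKE   22
#define DTLS_HS_CLIENT_HELLO 1

/* Return 1 if the datagram starts with an epoch-0 DTLS handshake record whose
 * first handshake message is the first fragment of a ClientHello, else 0.
 * Epoch>0 handshake records (e.g. Finished, renegotiation) are encrypted, so
 * their handshake type byte is not readable and they are never reported. */
int dtls_is_fresh_client_hello(const unsigned char *buf, size_t len)
{
    if (len < DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN) return 0;
    if (buf[0] != DTLS_CT_HANDSHAKE) return 0;
    /* record-layer version: 0xfeff (DTLS 1.0) or 0xfefd (DTLS 1.2) */
    if (buf[1] != 0xfe || (buf[2] != 0xff && buf[2] != 0xfd)) return 0;
    uint16_t epoch = (uint16_t)((buf[3] << 8) | buf[4]);
    if (epoch != 0) return 0;
    uint16_t rec_len = (uint16_t)((buf[11] << 8) | buf[12]);
    if (rec_len < DTLS_HS_HDR_LEN) return 0;    /* too short to hold a handshake header */
    const unsigned char *hs = buf + DTLS_RECORD_HDR_LEN;
    if (hs[0] != DTLS_HS_CLIENT_HELLO) return 0;
    uint32_t frag_off = ((uint32_t)hs[6] << 16) | ((uint32_t)hs[7] << 8) | hs[8];
    return frag_off == 0;
}

/* Peek at the next datagram on the (unconnected) UDP socket without consuming
 * it, so SSL_read or a fresh handshake can still read it afterwards.
 * Returns 1/0 as above, or -1 on a recv error. */
int dtls_peek_is_client_hello(int fd)
{
    unsigned char hdr[DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN];
    ssize_t n = recv(fd, hdr, sizeof hdr, MSG_PEEK);
    if (n < 0) return -1;
    return dtls_is_fresh_client_hello(hdr, (size_t)n);
}

/* What the server loop should do with the pending datagram (hypothetical helper). */
enum dtls_action { DTLS_CONTINUE_HANDSHAKE, DTLS_RESET_SESSION, DTLS_READ_APP_DATA };

enum dtls_action dtls_decide(int session_established, const unsigned char *dgram, size_t len)
{
    if (!session_established) return DTLS_CONTINUE_HANDSHAKE;  /* still in SSL_accept */
    if (dtls_is_fresh_client_hello(dgram, len)) return DTLS_RESET_SESSION; /* client restarted */
    return DTLS_READ_APP_DATA;                                  /* safe to call SSL_read */
}

/* Constructed sample datagrams (not captured traffic). */
static const unsigned char sample_client_hello[] = {
    0x16, 0xfe, 0xff, 0x00, 0x00,             /* handshake, DTLS 1.0, epoch 0 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,       /* sequence number 0 */
    0x00, 0x2e,                               /* record length 46 */
    0x01, 0x00, 0x00, 0x22,                   /* ClientHello, length 34 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, /* msg_seq 0, frag off 0, frag len 34 */
    0xfe, 0xfd,                               /* client_version DTLS 1.2 */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
};
static const unsigned char sample_app_data[] = {
    0x17, 0xfe, 0xfd, 0x00, 0x01,             /* application data, DTLS 1.2, epoch 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10,
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
};
static const unsigned char sample_enc_handshake[] = {
    0x16, 0xfe, 0xfd, 0x00, 0x01,             /* encrypted handshake record (e.g. Finished), epoch 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x10,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
};

int main(void)
{
    printf("fresh ClientHello: %d\n", dtls_is_fresh_client_hello(sample_client_hello, sizeof sample_client_hello));
    printf("app data:          %d\n", dtls_is_fresh_client_hello(sample_app_data, sizeof sample_app_data));
    printf("epoch-1 handshake: %d\n", dtls_is_fresh_client_hello(sample_enc_handshake, sizeof sample_enc_handshake));
    printf("established + ClientHello -> reset: %d\n",
           dtls_decide(1, sample_client_hello, sizeof sample_client_hello) == DTLS_RESET_SESSION);
    return 0;
}
```

In the loop above this would sit in front of the bare SSL_read: call dtls_peek_is_client_hello(s) once select reports the socket readable, and when it returns 1 on an established session, SSL_free the old object, create a new SSL on the same datagram BIO and redo the accept (DTLSv1_listen and SSL_accept in OpenSSL) before reading again. Because epoch-1 handshake records are deliberately ignored, a renegotiation inside the existing session is not mistaken for a restart; and because the peek leaves the datagram in the socket, the new SSL object sees the ClientHello itself.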

More information about the openssl-users mailing list