Hi,
  While testing DTLS on Windows I ran into the following problem, with the
scenario described below:

There are 2 problems:

*1. Server issuing an SSLv3 ALERT BAD RECORD MAC*
*2. Server unable to detect an error when this happens, as SSL_accept returns
SSL_WANTS_READ/SSL_WANTS_WRITE, whereas on the client it returns an SSL error.*

(Using OpenSSL-1.0.0d + all DTLS patches + Heart beat feature)

    Server (Windows)                              Client (Linux or Windows)

1.  Start server                                  Start client

    (Once a DTLS connection is established and heart beats are being
    exchanged, quickly restart the DTLS server.)

2.  Restart server

    (The DTLS client enters into retries and continues retrying until
    the 12 connection attempts are exhausted.)

3.  Server running                                Client attempting to revive
                                                  the connection and continues
                                                  sending heart beat messages

    Server does not send any responses for these messages (as it has not
    seen any new CLIENT HELLO messages yet)

4.                                                Client closes this connection
                                                  and starts a new connection
                                                  with a new source port, sends
                                                  a CLIENT HELLO
    Server responds with HELLO VERIFY
                                                  CLIENT HELLO + COOKIE
    SERVER HELLO + SERVER CERT + SERVER KEY EXCHANGE
                                                  CLIENT CERT + CLIENT KEY
                                                  EXCHANGE + CERT VERIFY
    SSLv3 ALERT BAD RECORD MAC
                                                  SSL_connect returns an error
                                                  on client


The DTLS server issues an SSLv3 ALERT BAD RECORD MAC when the client attempts
a new connection after it has seen some heart beats for a client that is
re-negotiating.

The server issues the SSLv3 ALERT BAD RECORD MAC as part of *SSL_accept, which
on the server side returns SSL_WANT_READ or SSL_WANT_WRITE and does not return
any ERROR*, whereas the client side gets an SSL_ERROR from SSL_connect.

So on the server side there is no way to know that this connection is
actually in error, as SSL_accept does not issue any errors.


Thanks,
-Yogi

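The exchange described in the report, decoded at the DTLS record layer, as an added example that is not part of the original post and not OpenSSL code. It parses a DTLS 1.0 record stream (record and handshake headers per RFC 4347, alert body per RFC 5246, heartbeat body per RFC 6520), labels each message named in the scenario above, and flags the two things the server operator cannot see from SSL_accept's WANT_READ/WANT_WRITE return: encrypted (epoch 1) heartbeats arriving with no ClientHello in the flow, and the fatal bad_record_mac alert. The sample stream, the dummy handshake bodies and the choice to put the old session's heartbeats in the same capture as the new handshake are all constructed assumptions for the demo; the function names are mine.

```python
# Added example (not from the original post or from OpenSSL): a minimal decoder for a
# DTLS 1.0 record stream that labels the handshake messages named in the report and
# flags the two conditions the server cannot see through SSL_accept's return value.
# Wire formats follow RFC 4347 (DTLS record/handshake headers), RFC 5246 (alert body)
# and RFC 6520 (heartbeat body). The sample stream at the bottom is constructed.
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
           23: "application_data", 24: "heartbeat"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request",
             11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
             14: "server_hello_done", 15: "certificate_verify",
             16: "client_key_exchange", 20: "finished"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
              51: "decrypt_error"}
DTLS10 = 0xFEFF  # DTLS 1.0 version field (RFC 4347: one's complement of TLS 1.1)

def parse_records(data):
    """Split bytes into DTLS records. Header: type(1) version(2) epoch(2) seq(6) len(2)."""
    recs, off = [], 0
    while off < len(data):
        if len(data) - off < 13:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, epoch = struct.unpack_from("!BHH", data, off)
        seq = int.from_bytes(data[off + 5:off + 11], "big")
        (length,) = struct.unpack_from("!H", data, off + 11)
        body = data[off + 13:off + 13 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        recs.append({"type": ctype, "version": version, "epoch": epoch,
                     "seq": seq, "body": body})
        off += 13 + length
    return recs

def describe(rec):
    """Label one record. Only epoch-0 bodies are plaintext; anything under a later
    epoch is encrypted, so for those only the content type is reported."""
    name = CONTENT.get(rec["type"], "unknown(%d)" % rec["type"])
    body = rec["body"]
    if rec["epoch"] != 0:
        return "%s epoch=%d (encrypted)" % (name, rec["epoch"])
    if rec["type"] == 22 and len(body) >= 12:      # handshake header is 12 bytes
        return "handshake:" + HANDSHAKE.get(body[0], str(body[0]))
    if rec["type"] == 21 and len(body) == 2:       # alert: level(1) description(1)
        return "alert:%s:%s" % (ALERT_LEVEL.get(body[0], str(body[0])),
                                ALERT_DESC.get(body[1], str(body[1])))
    if rec["type"] == 24 and len(body) >= 3:       # heartbeat: type(1) payload_len(2) ...
        return "heartbeat:" + ("request" if body[0] == 1 else "response")
    return name

def audit(data):
    """Findings an operator would want from a server-side capture: records under a
    non-zero epoch before any ClientHello in the flow (leftover traffic from a session
    the restarted server no longer knows about) and fatal alerts in the clear.
    Returns (record_index, message) pairs."""
    findings, seen_client_hello = [], False
    for i, rec in enumerate(parse_records(data)):
        if rec["epoch"] == 0 and rec["type"] == 22 and rec["body"][:1] == b"\x01":
            seen_client_hello = True
        if rec["epoch"] != 0 and not seen_client_hello:
            findings.append((i, "epoch %d %s with no ClientHello in this flow"
                             % (rec["epoch"], CONTENT.get(rec["type"], "?"))))
        if rec["epoch"] == 0 and rec["type"] == 21 and rec["body"][:1] == b"\x02":
            findings.append((i, "fatal alert: " + describe(rec)))
    return findings

def summarize(data):
    return [describe(r) for r in parse_records(data)]

# --- constructed sample stream reproducing the sequence in the report -------------
def record(ctype, epoch, seq, body):
    return (struct.pack("!BHH", ctype, DTLS10, epoch) + seq.to_bytes(6, "big")
            + struct.pack("!H", len(body)) + body)

def handshake(msg_type, msg_seq, payload):
    """DTLS handshake header: type(1) length(3) message_seq(2) frag_off(3) frag_len(3)."""
    n = len(payload).to_bytes(3, "big")
    return bytes([msg_type]) + n + struct.pack("!H", msg_seq) + b"\x00\x00\x00" + n + payload

HEARTBEAT_REQ = b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16)  # 16-byte padding
SAMPLE = (
    # heartbeats from the old session (epoch 1) that keep arriving after the restart
    record(24, 1, 40, HEARTBEAT_REQ) + record(24, 1, 41, HEARTBEAT_REQ)
    # the new connection; bodies after the handshake header are dummy bytes
    + record(22, 0, 0, handshake(1, 0, bytes(40)))    # ClientHello (no cookie)
    + record(22, 0, 0, handshake(3, 0, bytes(19)))    # HelloVerifyRequest
    + record(22, 0, 1, handshake(1, 1, bytes(56)))    # ClientHello + cookie
    + record(22, 0, 1, handshake(2, 1, bytes(38)))    # ServerHello
    + record(22, 0, 2, handshake(11, 2, bytes(64)))   # server Certificate
    + record(22, 0, 3, handshake(12, 3, bytes(64)))   # ServerKeyExchange
    + record(22, 0, 2, handshake(11, 2, bytes(64)))   # client Certificate
    + record(22, 0, 3, handshake(16, 3, bytes(32)))   # ClientKeyExchange
    + record(22, 0, 4, handshake(15, 4, bytes(64)))   # CertificateVerify
    + record(21, 0, 4, b"\x02\x14")                   # fatal bad_record_mac from server
)

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
    for idx, msg in audit(SAMPLE):
        print("record %d: %s" % (idx, msg))
```

Run against a real capture (for example the UDP payloads pulled out of a pcap with the server's port as the filter), `audit()` gives the server side the signal the report says SSL_accept withholds: a fatal alert went out on the wire, and encrypted records from a session the server no longer holds state for are still arriving. Epoch-1 bodies are deliberately not decoded, since without the session keys there is nothing to read beyond the content type.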