Hi, OpenSSL 0.9.8 doesn't seem to handle fragmented DTLS handshake (certificate) messages correctly.
As seen in the following example s_client fails to connect to s_server using the DTLS protocol if the MTU it set to 1500 (default for Ethernet). The same commands succeeds when using a large MTU, for example 65000. $ openssl s_server -accept 5069 -dtls1 -cert /etc/apache/ssl.crt/snakeoil-dsa.crt -key /etc/apache/ssl.key/snakeoil-dsa.key -CAfile /etc/apache/ssl.crt/snakeoil-ca-dsa.crt -mtu 1500 Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR 3407:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad certificate:d1_pkt.c:943:SSL alert number 42 shutting down SSL CONNECTION CLOSED ACCEPT $ openssl s_client -host localhost -port 5069 -dtls1 CONNECTED(00000003) 3409:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142: 3409:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1269: 3409:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:653: 3409:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:704: 3409:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=subject, Type=X509_CINF 3409:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=cert_info, Type=X509 3409:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:866: The attached patch solves the problem for me. This is reported as bug #335703 in the Debian BTS. Please keep Cc to [EMAIL PROTECTED] in answers to this message. /Mikael ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
