On Jun 27, 2011, at 11:02 PM, Robin Seggelmann wrote:

> Hi Yogesh,
>
> Yes, I noticed that after I wrote the mail. The server starts a timer after
> sending the HelloVerifyRequest, although it's not supposed to. A patch is
> submitted already, but has not yet appeared on the OpenSSL request tracker.

In the meantime the patch is available from
http://sctp.fh-muenster.de/dtls-patches.html

Best regards
Michael

>
> Best regards
> Robin
>
>
> On 27.06.2011, at 22:58, Yogesh Chopra wrote:
>
>> Hi,
>> Please look at the debug messages attached to the original message.
>> These were printf's added in the DTLS code and these were messages
>> captured on the server. We are seeing the server start a timer when it
>> sends back a "HelloVerifyRequest". Based on your comments below it
>> appears that should not be the case, but we do see the timer getting
>> invoked on the server in contrast to expected behavior.
>>
>> Thanks,
>> -Yogi
>>
>>
>> On Mon, Jun 27, 2011 at 1:15 AM, Robin Seggelmann
>> <seggelm...@fh-muenster.de> wrote:
>>> Hi Yogesh,
>>>
>>> I'm not sure what your problem is. If you drop all messages sent by the
>>> server, then the client keeps repeating its ClientHello until max
>>> retransmissions is reached, that is 12 times. The client starts a timer for
>>> every ClientHello it sends, and if it expires because there is no
>>> HelloVerifyRequest, it will retransmit and double the timer value. The
>>> server, however, never starts any timer or performs any retransmission in
>>> this scenario. The HelloVerifyRequest is sent as an immediate response to a
>>> ClientHello, with no changes in the server's state. This is done to prevent
>>> several attacks, which would be possible otherwise. The client has to send
>>> its ClientHello again with the cookie data from the HelloVerifyRequest
>>> attached, before the server sends its ServerHello, for which a timer is
>>> started.
>>>
>>> Best regards
>>> Robin
>>>
>>>
>>> On Jun 23, 2011, at 3:50 AM, Yogesh Chopra wrote:
>>>
>>>> Hi,
>>>>
>>>> We are using the DTLS API to implement a DTLS Client/Server. We notice
>>>> when the client application uses dtls_handle_timeout to re-transmit
>>>> handshake messages. The DTLS server library seems to be invoking
>>>> dtls_handle_timeout for every CLIENT HELLO message.
>>>>
>>>> In order to conduct some network connectivity tests, we have disabled
>>>> all network traffic to reach from Server to Client, i.e. the Client sends
>>>> CLIENT HELLO, Server responds with HELLO VERIFY REQUEST but this never
>>>> reaches the client, by using a firewall rule between client/server
>>>> disabling all server responses to reach the client.
>>>>
>>>> A handshake in progress looks as follows:
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (1 sec timeout)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> There is a packet drop on the network layer so NO server traffic reaches
>>>> the client.
>>>>
>>>> This leads to the client sending a CLIENT HELLO protocol message again (as the
>>>> DTLS client application is invoking dtls_handle_timeout when the timeout expires).
>>>>
>>>> So the client repeats:
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~2 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~4 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~8 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~16 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~32 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>> DTLS Server library calls dtls_handle_timeout
>>>> (~60 sec)
>>>> SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> Say the CLIENT HELLO comes before 60 seconds. The DTLS server does not
>>>> reply with a HELLO VERIFY REQUEST before 60 seconds
>>>> and the connection does not get established (even though we allow the
>>>> traffic from Server to reach the client).
>>>>
>>>> Should the DTLS Server library even start any timers before the CLIENT
>>>> HELLO verification is successful?
>>>> As per the post below:
>>>>
>>>> http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html
>>>>
>>>> We see in d1_pkt.c/dtls1_read_bytes
>>>>
>>>>     /* Check for timeout */
>>>>     if (dtls1_handle_timeout(s) > 0)
>>>>         goto start;
>>>>
>>>> and have seen handle_timeouts being called during the connection handshake.
>>>>
>>>> It appears the Server does not respond until the timer has expired.
>>>>
>>>>
>>>> (test excerpt)
>>>>
>>>> (10.4.0.80 is Client
>>>> 10.4.0.87 is Server)
>>>>
>>>>
>>>> 6:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999926
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999873
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999841
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 15 999814
>>>> 16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> 16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999925
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999861
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999835
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 31 999807
>>>> 16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> 16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999886
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999812
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999776
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999732
>>>> 16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998175
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998087
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998052
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 997996
>>>> 16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> 16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>
>>>>
>>>> (Now NO Server VERIFY REQUEST being sent until timer expires)
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998910
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998853
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998824
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998796
>>>> 16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998492
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998414
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998371
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998321
>>>> 16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999946
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999900
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999880
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 999853
>>>> 16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998792
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998711
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998669
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 998620
>>>> 16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999887
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999794
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999774
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999747
>>>> 16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>> 16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998596
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998522
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998484
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 998433
>>>> 16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998715
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998634
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998594
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998543
>>>> 16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997529
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997446
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997410
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 997361
>>>> 16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996087
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996046
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996031
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 44 996011
>>>> 16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994862
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994813
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994792
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 28 994764
>>>> 16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999847
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999780
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999739
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 59 999674
>>>> 16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>> 16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999757
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999679
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999641
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 58 999588
>>>> 16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999150
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999053
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 999018
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 56 998961
>>>> 16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998976
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft = 52 998924
>>>>
>>>>
>>>> Thanks,
>>>> -Yogi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
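As an added illustration (not code from the thread or from OpenSSL), here is a small Python model of the behaviour Robin describes: the client's doubling retransmission timer with a 12-retransmission limit, and a server that answers a cookie-less or badly-cookied ClientHello with HelloVerifyRequest immediately and without arming any timer, replayed against Yogesh's dropped-reply scenario. The cookie derivation (HMAC over the client address), the client address string, the 60-second timer cap read off the trace above, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

MAX_RETRANSMISSIONS = 12  # the thread: the client gives up after 12 ClientHellos
TIMER_CAP_SECONDS = 60    # the thread's trace shows the doubling timer topping out at 60 s

def client_retransmit_schedule(initial=1.0):
    """Seconds the client waits after each ClientHello before resending it:
    the timer doubles on every expiry and is capped, as in the thread."""
    schedule, t = [], initial
    for _ in range(MAX_RETRANSMISSIONS):
        schedule.append(t)
        t = min(t * 2, TIMER_CAP_SECONDS)
    return schedule

class StatelessCookieServer:
    """Server side of the cookie exchange as Robin describes it: until a ClientHello
    carries a valid cookie the server stores nothing and arms no timer, it only answers
    with HelloVerifyRequest. An HMAC over the client address as cookie is an assumption."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.timer_started = {}  # client addr -> time the ServerHello timer was armed
    def make_cookie(self, client_addr):
        return hmac.new(self.secret, client_addr.encode(), hashlib.sha256).digest()[:16]
    def on_client_hello(self, client_addr, cookie, now):
        expected = self.make_cookie(client_addr)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            return ("HelloVerifyRequest", expected)  # immediate, stateless, no timer
        # Cookie verified: only now does the server commit state and arm its ServerHello timer.
        self.timer_started[client_addr] = now
        return ("ServerHello", None)

def run_scenario(server, client_addr="10.4.0.80:34071", drops=3):
    """Replay Yogesh's test: the first `drops` server replies never reach the client,
    which keeps resending a bare ClientHello on its own timer. Returns the server's
    replies and the time at which the cookie round trip completed."""
    now, cookie, sent = 0.0, None, []
    for wait in client_retransmit_schedule():
        kind, payload = server.on_client_hello(client_addr, cookie, now)
        sent.append(kind)
        if kind == "ServerHello":
            return sent, now
        if drops > 0:          # reply lost: client waits out its timer, then retries
            drops -= 1
            now += wait
        else:                  # HelloVerifyRequest arrived: retry at once with the cookie
            cookie = payload
    return sent, None          # client exhausted its retransmissions
```

With three dropped replies the server's only state change happens at t=7 s, when the cookied ClientHello arrives; every earlier ClientHello was answered without a timer, which is the behaviour the trace above shows OpenSSL deviating from.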