Hi Yogi,

could you try the patch in
http://rt.openssl.org/Ticket/Display.html?id=2550
and report if it fixes your issue?

Best regards
Michael
On Jun 27, 2011, at 10:58 PM, Yogesh Chopra wrote:

> Hi,
>   Please look at the debug messages attached to the original message,
> These were printf's added in the DTLS code and these were messages
> captured on the server. We are seeing the server start a timer when it
> sends back a "HelloVerifyRequest".  Based on your comments below it
> appears that should not be the case but we do see the timer getting
> invoked on the server in contrast to expected behavior.
> 
> Thanks,
> -Yogi
> 
> 
> On Mon, Jun 27, 2011 at 1:15 AM, Robin Seggelmann
> <seggelm...@fh-muenster.de> wrote:
>> Hi Yogesh,
>> 
>> I'm not sure what your problem is. If you drop all messages sent by the 
>> server, then the client keeps repeating its ClientHello until max 
>> retransmissions is reached, that is 12 times. The client starts a timer for 
>> every ClientHello it sends, and if it expires because there is no 
>> HelloVerifyRequest, it will retransmit and double the timer value. The 
>> server, however, never starts any timer or performs any retransmission in 
>> this scenario. The HelloVerifyRequest is sent as an immediate response to a 
>> ClientHello, with no changes in the server's state. This is done to prevent 
>> several attacks, which would be possible otherwise. The client has to send 
>> its ClientHello again with the cookie data from the HelloVerifyRequest 
>> attached, before the server sends its ServerHello, for which a timer is 
>> started.
>> 
>> Best regards
>> Robin
>> 
>> 
>> On Jun 23, 2011, at 3:50 AM, Yogesh Chopra wrote:
>> 
>>> Hi,
>>> 
>>> We are using the DTLS API to implement a DTLS Client/Server. We notice
>>> that when the client application uses dtls_handle_timeout to re-transmit
>>> handshake messages, the DTLS server library seems to be invoking
>>> dtls_handle_timeout for every CLIENT HELLO message.
>>> 
>>> In order to conduct some network connectivity tests, we have disabled
>>> all network traffic from Server to Client, i.e. the Client sends CLIENT
>>> HELLO, Server responds with HELLO VERIFY REQUEST but this never
>>> reaches the client, by using a firewall rule between client/server
>>> disabling all server responses to reach the client.
>>> 
>>> A handshake in progress looks as follows:
>>> 
>>> 
>>> CLIENT -> CLIENT HELLO
>>> 
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (1 sec timeout)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> There is a packet drop on the network layer so NO server traffic reaches the
>>> client.
>>> 
>>> This leads to client sending a CLIENT HELLO protocol message again (as the
>>> DTLS client application is invoking dtls_handle_timeout when timeout expires).
>>> 
>>> So client repeats:
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (~2 sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (~4 sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (8~ sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (16~ sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (32~ sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> CLIENT -> CLIENT HELLO
>>>                               DTLS Server library calls dtls_handle_timeout 
>>> (60~ sec)
>>>                               SERVER -> HELLO VERIFY REQUEST
>>> 
>>> 
>>> Say the CLIENT HELLO comes before 60 seconds: the DTLS server does not
>>> reply with a HELLO VERIFY REQUEST before 60 seconds
>>> and the connection does not get established (even though we allow the
>>> traffic from Server to reach the client).
>>> 
>>> Should the DTLS Server library even start any timers before the CLIENT
>>> HELLO verification is successful?
>>> As per post below:
>>> 
>>> http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html
>>> 
>>> We see in d1_pkt.c/dtls1_read_bytes
>>> 
>>>        /* Check for timeout */
>>>        if (dtls1_handle_timeout(s) > 0)
>>>                goto start;
>>> 
>>> and have seen handle_timeouts being called during the connection handshake.
>>> 
>>> It appears the Server does not respond until timer has expired.
>>> 
>>> 
>>> (test excerpt)
>>> 
>>> (10.4.0.80 is Client
>>> 10.4.0.87 is Server)
>>> 
>>> 
>>> 6:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>> (CLIENT HELLO)
>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>> dtls_start_timer set duration = 2
>>> dtls_start_timer set duration = 2
>>> dtls1_handle_timeout retransmit message
>>> do_dtls1_write just before end ssl3_write_pending
>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999926
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999873
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999841
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999814
>>> 16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>> (VERIFY REQUEST)
>>> 16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>> (CLIENT HELLO)
>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>> dtls_start_timer set duration = 2
>>> dtls_start_timer set duration = 2
>>> dtls1_handle_timeout retransmit message
>>> do_dtls1_write just before end ssl3_write_pending
>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999925
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999861
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999835
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999807
>>> 16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>> (VERIFY REQUEST)
>>> 16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (CLIENT HELLO)
>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>> dtls_start_timer set duration = 2
>>> dtls_start_timer set duration = 2
>>> dtls1_handle_timeout retransmit message
>>> do_dtls1_write just before end ssl3_write_pending
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999886
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999812
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999776
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999732
>>> 16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>> (VERIFY REQUEST)
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998175
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998087
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998052
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 997996
>>> 16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> 16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> 
>>> 
>>> (Now NO Server VERIFY REQUEST being sent until timer expires)
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998910
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998853
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998824
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998796
>>> 16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998492
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998414
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998371
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998321
>>> 16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999946
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999900
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999880
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999853
>>> 16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998792
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998711
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998669
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998620
>>> 16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>> dtls_start_timer set duration = 2
>>> dtls_start_timer set duration = 2
>>> dtls1_handle_timeout retransmit message
>>> do_dtls1_write just before end ssl3_write_pending
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999887
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999794
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999774
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999747
>>> 16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>> 16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998596
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998522
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998484
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998433
>>> 16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998715
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998634
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998594
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998543
>>> 16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997529
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997446
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997410
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997361
>>> 16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996087
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996046
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996031
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996011
>>> 16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994862
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994813
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994792
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994764
>>> 16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>> dtls_start_timer set duration = 2
>>> dtls_start_timer set duration = 2
>>> dtls1_handle_timeout retransmit message
>>> do_dtls1_write just before end ssl3_write_pending
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999847
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999780
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999739
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999674
>>> 16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>> 16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999757
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999679
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999641
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999588
>>> 16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999150
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999053
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999018
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998961
>>> 16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
>>> 16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>> 16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998976
>>> dtls1_handle_timeout not expired
>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998924
>>> 
>>> 
>>> 
>>> Thanks,
>>> -Yogi
>> 
>> 
>> 
>> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
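As an added illustration of the behaviour Robin describes (not code from the thread or from OpenSSL), the following Python model shows the stateless cookie exchange: the server answers an uncookied ClientHello with a HelloVerifyRequest derived from an HMAC over the client address and ClientHello random, creates session state and starts a retransmission timer only once a valid cookie arrives, while the client retransmits with the 1 s doubling schedule capped at 60 s that Yogi's trace shows. The HMAC cookie construction, the function names, the addresses and the `dropped_server_replies` parameter are assumptions for the model; the 12-retransmission limit is the figure quoted in the thread.

```python
import hmac, hashlib, os

SERVER_SECRET = os.urandom(16)   # per-server secret; a real server rotates it (assumption)
MAX_RETRANSMITS = 12             # client gives up after this many ClientHellos (from the thread)

def make_cookie(client_addr, client_hello):
    """Stateless cookie: HMAC over the client's address and ClientHello random."""
    msg = f"{client_addr[0]}:{client_addr[1]}|{client_hello['random']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]

def server_receive(client_addr, client_hello, server):
    """Answer a ClientHello. Only a valid cookie creates session state and a timer."""
    expected = make_cookie(client_addr, client_hello)
    if not hmac.compare_digest(client_hello.get("cookie", b""), expected):
        return {"type": "HelloVerifyRequest", "cookie": expected}   # no state, no timer
    server["sessions"][client_addr] = {"flight": "ServerHello"}
    server["timers_started"] += 1    # retransmission timer for the ServerHello flight
    return {"type": "ServerHello"}

def client_timeout_schedule(limit=MAX_RETRANSMITS):
    """OpenSSL-style client backoff: 1 s, doubled per retransmission, capped at 60 s."""
    t, out = 1, []
    for _ in range(limit):
        out.append(t)
        t = min(t * 2, 60)
    return out

def simulate(dropped_server_replies):
    """Drop the first N server->client datagrams (the firewall rule in the thread)."""
    client_addr = ("10.4.0.80", 34071)          # client address from the test excerpt
    hello = {"random": os.urandom(32).hex()}    # constructed ClientHello
    server = {"sessions": {}, "timers_started": 0}
    sent, waited_s = 0, 0
    for attempt, timeout in enumerate(client_timeout_schedule()):
        reply = server_receive(client_addr, hello, server)
        sent += 1
        if attempt < dropped_server_replies:
            waited_s += timeout      # reply lost; client timer expires and it retransmits
            continue
        if reply["type"] == "HelloVerifyRequest":
            hello["cookie"] = reply["cookie"]    # resend ClientHello carrying the cookie
            reply = server_receive(client_addr, hello, server)
            sent += 1
        break
    else:
        reply = {"type": "gave up"}
    return {"client_hellos_sent": sent, "waited_s": waited_s, "final": reply["type"],
            "server_sessions": len(server["sessions"]), "server_timers_started": server["timers_started"]}
```

Running `simulate(3)` reproduces the firewall scenario: three ClientHellos go unanswered from the client's point of view, the server has started no timer and holds no state for that address, and the connection completes as soon as the path is open again.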
