Hi,
   I could only access the patch at the link:

http://sctp.fh-muenster.de/dtls-patches.html

as I do not have login credentials for
http://rt.openssl.org/Ticket/Display.html?id=2550

So I am not sure if the 2 places above have different patches.


After applying this patch, I acknowledge that I do not see any timer getting
started on the DTLS server. However, the server-side code still seems
to be calling dtls_handle_timeout, and the test results are not good.


The setup is the same as before (where traffic from the server to the
client is blocked). The server responds only once with a HELLO_VERIFY
response to a HELLO request and then never sends a HELLO_VERIFY response
for subsequent CLIENT HELLO messages:

CLIENT                                      SERVER
HELLO --->
                                            HELLO_VERIFY  (for first request)

Post first request:

HELLO --->
                                            There is no response from SERVER

See a trace of some debug messages and tcp messages captured:
(10.10.100.80 is DTLS client & 10.10.100.87 is DTLS server)

15:11:46.376027 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
(CLIENT HELLO)
15:11:46.376445 IP 10.4.0.87.5555 > 10.4.0.80.35233: UDP, length 48
 (HELLO VERIFY)
libstratassl :SSL DTLSv1_listen in progress
15:11:47.374784 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
(CLIENT HELLO)
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
libstratassl :SSL DTLSv1_listen in progress

15:11:49.377222 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
libstratassl :SSL DTLSv1_listen in progress
15:11:51.377016 arp who-has 10.4.0.80 tell 10.4.0.87
15:11:51.378266 arp reply 10.4.0.80 is-at 00:b0:d0:79:60:b7
15:11:53.376699 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
dtls1_handle_timeout not expired
 (0x8a08ff8) dtls_get_timeout no timeout set
libstratassl :SSL DTLSv1_listen in progress
15:12:01.379241 IP 10.4.0.80.35233 > 10.4.0.87.5555: UDP, length 154


Even when I drop the firewall rule blocking any server responses to the
client, the DTLS connection never succeeds; the DTLS server stays in the
DTLSv1_listen in progress state.

I removed the patch and restored OpenSSL to its earlier state, and got
back to the behavior where the server-side timer starts and, when I remove
the firewall rule, the connection re-establishes, although because the
server timer is running it can take a minute or so for the client to get
the connection handshake established.

So it appears that with the patch applied the server is not working as
expected: after sending a first HELLOVERIFY it stops sending a
HELLOVERIFY for subsequent CLIENT HELLO messages.

Thanks,
-Yogi

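
The behaviour Robin describes in the quoted reply below (the HelloVerifyRequest is an immediate, stateless answer with no server timer; only the client retransmits its ClientHello, doubling its timer, up to 12 times), as an added simulation. This is example code written for this page, not OpenSSL's or the patch's code; the Server and Client classes, run_handshake, the HMAC cookie construction and the 60 s timer cap (taken from the 1, 2, 4, ..., 32, 60 sequence in the original trace) are this example's own assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
MAX_RETRANSMITS = 12   # client limit stated in Robin's reply
MAX_TIMEOUT = 60       # cap on the doubled timer (assumed from the trace: 1,2,...,32,60)


class Server:
    """Keeps no per-peer state and starts no timer until a cookie verifies."""

    def __init__(self):
        self.secret = os.urandom(32)
        self.sessions = {}
        self.timers_started = 0   # the thread's expectation: stays 0 in the cookie phase

    def cookie(self, peer, client_random):
        mac = hmac.new(self.secret, peer.encode() + client_random, hashlib.sha256)
        return mac.digest()[:16]

    def on_client_hello(self, peer, client_random, cookie=b""):
        expected = self.cookie(peer, client_random)
        if not hmac.compare_digest(cookie, expected):
            # Immediate, stateless answer: nothing allocated, no timer started.
            return "HelloVerifyRequest", expected
        # Valid cookie: state and a retransmission timer are now justified.
        self.sessions[peer] = client_random
        self.timers_started += 1
        return "ServerHello", None


@dataclass
class Client:
    peer: str
    client_random: bytes = field(default_factory=lambda: os.urandom(32))
    timeout: int = 1      # first ClientHello timer (1 s, as in the original trace)
    sends: int = 0

    def next_hello(self, cookie=b""):
        self.sends += 1
        return self.peer, self.client_random, cookie

    def on_timeout(self):
        # Client-side dtls1_handle_timeout: retransmit and double the timer.
        self.timeout = min(self.timeout * 2, MAX_TIMEOUT)


def run_handshake(server, client, dropped_replies):
    """Drop the first `dropped_replies` server->client packets (the firewall in
    the thread). Returns (established, client_sends, server_timers, timeouts)."""
    timeouts, cookie = [], b""
    for attempt in range(MAX_RETRANSMITS + 1):
        kind, payload = server.on_client_hello(*client.next_hello(cookie))
        if attempt < dropped_replies:          # reply lost; client timer expires
            timeouts.append(client.timeout)
            client.on_timeout()
            continue
        if kind == "HelloVerifyRequest":       # resend at once with the cookie
            cookie = payload
            continue
        return True, client.sends, server.timers_started, timeouts
    return False, client.sends, server.timers_started, timeouts
```

With the link blocked for three replies the server still answers every ClientHello and starts its first timer only after the cookie round trip; a forged cookie gets a HelloVerifyRequest and leaves no session behind.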
On Thu, Jun 30, 2011 at 2:37 PM, Michael Tüxen
<michael.tue...@lurchi.franken.de> wrote:
> Hi Yogi,
>
> could you try the patch in
> http://rt.openssl.org/Ticket/Display.html?id=2550
> and report if it fixes your issue?
>
> Best regards
> Michael
> On Jun 27, 2011, at 10:58 PM, Yogesh Chopra wrote:
>
>> Hi,
>>   Please look at the debug messages attached to the original message,
>> These were printf's added in the DTLS code and these were messages
>> captured on the server. We are seeing the server start a timer when it
>> sends back a "HelloVerifyRequest".  Based on your comments below it
>> appears that should not be the case but we do see the timer getting
>> invoked on the server in contrast to expected behavior.
>>
>> Thanks,
>> -Yogi
>>
>>
>> On Mon, Jun 27, 2011 at 1:15 AM, Robin Seggelmann
>> <seggelm...@fh-muenster.de> wrote:
>>> Hi Yogesh,
>>>
>>> I'm not sure what your problem is. If you drop all messages sent by the 
>>> server, then the client keeps repeating its ClientHello until max 
>>> retransmissions is reached, that is 12 times. The client starts a timer for 
>>> every ClientHello it sends, and if it expires because there is no 
>>> HelloVerifyRequest, it will retransmit and double the timer value. The 
>>> server, however, never starts any timer or performs any retransmission in 
>>> this scenario. The HelloVerifyRequest is sent as an immediate response to a 
>>> ClientHello, with no changes in the server's state. This is done to prevent 
>>> several attacks, which would be possible otherwise. The client has to send 
>>> its ClientHello again with the cookie data from the HelloVerifyRequest 
>>> attached, before the server sends its ServerHello, for which a timer is 
>>> started.
>>>
>>> Best regards
>>> Robin
>>>
>>>
>>> On Jun 23, 2011, at 3:50 AM, Yogesh Chopra wrote:
>>>
>>>> Hi,
>>>>
>>>> We are using the DTLS API to implement a DTLS client/server. We notice
>>>> that when the client application uses dtls_handle_timeout to re-transmit
>>>> handshake messages, the DTLS server library seems to be invoking
>>>> dtls_handle_timeout for every CLIENT HELLO message.
>>>>
>>>> In order to conduct some network connectivity tests, we have disabled
>>>> all network traffic from the server to the client, i.e. the client sends
>>>> CLIENT HELLO and the server responds with HELLO VERIFY REQUEST, but this
>>>> never reaches the client because a firewall rule between client and
>>>> server blocks all server responses from reaching the client.
>>>>
>>>> A handshake in progress looks as follows:
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (1 sec timeout)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> There is a packet drop on the network layer so NO server traffic reaches
>>>> the client.
>>>>
>>>> This leads to the client sending a CLIENT HELLO protocol message again (as
>>>> the DTLS client application is invoking dtls_handle_timeout when the timeout expires).
>>>>
>>>> So client repeats:
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (~2 sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (~4 sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (8~ sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (16~ sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (32~ sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>> CLIENT -> CLIENT HELLO
>>>>                               DTLS Server library calls 
>>>> dtls_handle_timeout (60~ sec)
>>>>                               SERVER -> HELLO VERIFY REQUEST
>>>>
>>>>
>>>> Say the CLIENT HELLO comes before 60 seconds; the DTLS server does not
>>>> reply with a HELLO VERIFY REQUEST before 60 seconds
>>>> and the connection does not get established (even though we allow the
>>>> traffic from the server to reach the client).
>>>>
>>>> Should the DTLS server library even start any timers before the CLIENT
>>>> HELLO verification is successful?
>>>> As per post below:
>>>>
>>>> http://www.mail-archive.com/openssl-dev@openssl.org/msg28844.html
>>>>
>>>> We see in d1_pkt.c/dtls1_read_bytes
>>>>
>>>>        /* Check for timeout */
>>>>        if (dtls1_handle_timeout(s) > 0)
>>>>                goto start;
>>>>
>>>> and have seen handle_timeouts being called during the connection handshake.
>>>>
>>>> It appears the server does not respond until the timer has expired.
>>>>
>>>>
>>>> (test excerpt)
>>>>
>>>> (10.4.0.80 is Client
>>>> 10.4.0.87 is Server)
>>>>
>>>>
>>>> 6:34:43.051411 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999926
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999873
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999841
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 15 999814
>>>> 16:34:43.052004 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> 16:34:59.053593 IP 10.4.0.80.34071 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999925
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999861
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999835
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 31 999807
>>>> 16:34:59.053981 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> 16:35:04.053277 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:35:04.053283 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:36:31.056286 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (CLIENT HELLO)
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999886
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999812
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999776
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999732
>>>> 16:36:31.056737 IP 10.4.0.87.5555 > 10.4.0.80.34071: UDP, length 48
>>>> (VERIFY REQUEST)
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998175
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998087
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998052
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 997996
>>>> 16:36:32.056920 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> 16:36:34.057525 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>>
>>>>
>>>> (Now NO Server VERIFY REQUEST being sent until timer expires)
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998910
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998853
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998824
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998796
>>>> 16:36:36.055854 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:36:36.055883 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:36:38.057812 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998492
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998414
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998371
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998321
>>>> 16:36:46.056386 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999946
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999900
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999880
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 999853
>>>> 16:37:02.057537 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998792
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998711
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998669
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 998620
>>>> 16:37:07.057325 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:37:07.057333 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:38:34.072307 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999887
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999794
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999774
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999747
>>>> 16:38:34.072837 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>> 16:38:35.073819 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998596
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998522
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998484
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 998433
>>>> 16:38:37.073698 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998715
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998634
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998594
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998543
>>>> 16:38:39.070892 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:38:39.070913 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:38:41.074917 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997529
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997446
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997410
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 997361
>>>> 16:38:49.076478 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996087
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996046
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996031
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 44 996011
>>>> 16:39:05.077624 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994862
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994813
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994792
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 28 994764
>>>> 16:39:10.077335 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:39:10.077369 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:40:37.084404 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft expired = 0 0
>>>> dtls_start_timer set duration = 2
>>>> dtls_start_timer set duration = 2
>>>> dtls1_handle_timeout retransmit message
>>>> do_dtls1_write just before end ssl3_write_pending
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999847
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999780
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999739
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 59 999674
>>>> 16:40:37.085251 IP 10.4.0.87.5555 > 10.4.0.80.34111: UDP, length 48
>>>> 16:40:38.085004 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999757
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999679
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999641
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 58 999588
>>>> 16:40:40.085632 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999150
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999053
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 999018
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 56 998961
>>>> 16:40:42.083894 arp who-has 10.4.0.87 tell 10.4.0.80
>>>> 16:40:42.083903 arp reply 10.4.0.87 is-at 00:30:48:53:74:67
>>>> 16:40:44.085915 IP 10.4.0.80.34111 > 10.4.0.87.5555: UDP, length 154
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998976
>>>> dtls1_handle_timeout not expired
>>>> (0x93f4008) dtls_get_timeout timeleft  = 52 998924
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> -Yogi
>>>
>>>
>>>
>>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>