On Jul 23, 2011, at 3:14 AM, Yogesh Chopra wrote:

> Hi,
> While testing DTLS on windows ran into the following problem with scenario
> described as below:

Does the same happen when running the server on Linux?

Robin will look into this on Monday.

Best regards
Michael

> There are 2 problems:
>
> 1. Server issuing a SSLv3 ALERT BAD RECORD MAC
> 2. Server unable to detect an error when this happens as SSL_accept returns
>    SSL_WANT_READ/SSL_WANT_WRITE whereas on the Client it returns an SSL error.
>
> (Using OpenSSL-1.0.0d + all DTLS patches + Heart beat feature)
>
> Server (Windows)                          Client (Linux or Windows)
>
> 1. Start server                           Start client
>
>    (Once a DTLS connection is established and heart beats are getting
>    exchanged, quickly restart the DTLS server.)
>
> 2. Restart server                         (The DTLS client enters into
>                                           re-tries and continues retrying
>                                           until the 12 connection attempts
>                                           are exhausted)
>
> 3. Server running                         Client attempting to revive the
>                                           connection and continues sending
>                                           heart beat messages
>    Server does not send any responses
>    for these messages (as it has not
>    seen any new CLIENT HELLO messages
>    yet)
>
> 4.                                        Client closes this connection and
>                                           starts a new connection with a new
>                                           source port, sends a CLIENT HELLO
>    Server responds with HELLO VERIFY
>                                           CLIENT HELLO + COOKIE
>    SERVER HELLO + SERVER CERT +
>    SERVER KEY EXCHANGE
>                                           CLIENT CERT + CLIENT KEY EXCHANGE +
>                                           CERT VERIFY
>    SSLV3 ALERT BAD RECORD MAC
>                                           SSL_connect returns an error on
>                                           client
>
> The DTLS server issues a SSLV3 ALERT BAD RECORD MAC when the client attempts
> a new connection after it has seen some heart beats for a client that is
> re-negotiating.
>
> Server issues the SSLv3 ALERT BAD RECORD MAC as part of SSL_accept which on
> server side returns SSL_WANT_READ or SSL_WANT_WRITE and does not return any
> ERROR, whereas the Client side on SSL_connect gets a SSL_ERROR.
>
> So on the Server side there is no way to know that this connection is
> actually in error as SSL_accept does not issue any errors.
>
> Thanks,
> -Yogi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
