DTLS has always been one of the "red-headed stepchildren" of OpenSSL. It has never received the love that the rest of the codebase has, and it needs a real maintainer.
I agree, s_client and s_server are "reference apps". On the -users list, we even recommend that people use them when they're trying to diagnose problems with their server or client code, respectively. That said, I'm not surprised to hear of bugs related to DTLS in it. (I'm not surprised to hear of bugs related to DTLS in general.) I'd recommend that you re-send your initial message to r...@openssl.org, as it is a genuine bug that should be submitted to the request tracker.

-Kyle H

On Wed, May 6, 2009 at 1:51 PM, Daniel Mentz <danie...@sent.com> wrote:
> I built a vanilla openssl-1.0.0-beta2 and tried to run
>
> ./openssl s_client -dtls1
>
> against
>
> ./openssl s_server -dtls1
>
> To my disappointment it did not work properly. The client reported
>
> 3084506760:error:14106044:SSL routines:DTLS1_SEND_CLIENT_KEY_EXCHANGE:internal error:d1_clnt.c:976:
>
> The output of the server was
>
> 3084805768:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:1043:SSL alert number 40
>
> After hours of debugging I found a workaround which is to use
>
> ./openssl s_server -dtls1 -no_ecdhe -timeout
>
> and
>
> ./openssl s_client -dtls1 -timeout
>
> It turned out that the DTLS implementation does not support ECDHE although
> it happily advertises the ECDHE cipher suites in the "Client Hello" message.
> The long if-else-if-else-if-chain in dtls1_send_client_key_exchange() simply
> does not account for ECDHE. So I think the corresponding ciphers should not
> be included in the list of supported ciphers in the first place.
>
> My opinion is that s_client and s_server should always work because they are
> kind of reference applications. There's little to no documentation on how to
> use DTLS with OpenSSL. Taking this into account a running example is the
> only basis you can build on if you're trying to use DTLS in your app.
>
> I hope that somebody can fix that problem or at least print out a log
> message saying "No DTLS support for ECDHE"
>
> Thanks
> Daniel Mentz
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-us...@openssl.org
> Automated List Manager majord...@openssl.org
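The two error lines Daniel quotes are easier to read once the packed hex error code is split into its library, function and reason fields, which is what the following added example does. It is not code from the thread or from OpenSSL; it assumes the OpenSSL 1.0.x-era error packing (8-bit library number, 12-bit function number, 12-bit reason number, as produced by ERR_PACK in that release line; OpenSSL 3.x packs codes differently) and that SSL-library reason codes at or above SSL_AD_REASON_OFFSET (1000) denote a TLS alert received from the peer. The library and alert name tables are deliberately small subsets. The two sample lines are the ones from the thread, re-joined onto one line each.

```python
"""Decode OpenSSL 1.0.x-style error lines into library / function / reason fields."""
import re

# Constructed sample input: the two error lines quoted in the thread, one per entry.
SAMPLE_ERRORS = [
    "3084506760:error:14106044:SSL routines:DTLS1_SEND_CLIENT_KEY_EXCHANGE:internal error:d1_clnt.c:976:",
    "3084805768:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:1043:SSL alert number 40",
]

# Layout of an ERR_print_errors line: pid:error:code:library:function:reason:file:line:extra
ERR_LINE_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*)"
    r":(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)

# Subset of the ERR_LIB_* numbers from OpenSSL 1.0.x <openssl/err.h>.
ERR_LIB_NAMES = {2: "SYS", 4: "RSA", 6: "EVP", 9: "PEM", 11: "X509", 20: "SSL"}
ERR_LIB_SSL = 20

# SSL_AD_REASON_OFFSET from <openssl/ssl.h>: SSL-library reasons >= 1000 encode
# a TLS alert received from the peer; reason - 1000 is the alert description.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert description numbers (RFC 5246, section 7.2).
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error",
}


def parse_openssl_error(line):
    """Return a dict describing one error line, or None if it is not one."""
    m = ERR_LINE_RE.match(line.strip())
    if m is None:
        return None
    code = int(m.group("code"), 16)
    # ERR_PACK(lib, func, reason): 8 bits library, 12 bits function, 12 bits reason.
    lib_num = (code >> 24) & 0xFF
    func_num = (code >> 12) & 0xFFF
    reason_num = code & 0xFFF
    alert = None
    if lib_num == ERR_LIB_SSL and reason_num >= SSL_AD_REASON_OFFSET:
        alert = reason_num - SSL_AD_REASON_OFFSET
    return {
        "pid": int(m.group("pid")),
        "code": code,
        "lib_num": lib_num,
        "lib_name": ERR_LIB_NAMES.get(lib_num, m.group("lib")),
        "func_num": func_num,
        "func": m.group("func"),
        "reason_num": reason_num,
        "reason": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")),
        "extra": m.group("extra"),
        "alert": alert,
        "alert_name": TLS_ALERT_NAMES.get(alert) if alert is not None else None,
    }


def summarize(line):
    """One-line human-readable summary distinguishing local errors from received alerts."""
    info = parse_openssl_error(line)
    if info is None:
        return "unrecognised OpenSSL error line"
    where = f"{info['func']} ({info['file']}:{info['line']})"
    if info["alert"] is not None:
        name = info["alert_name"] or "unknown"
        return f"{where}: received TLS alert {info['alert']} ({name})"
    return f"{where}: {info['reason']} (reason code {info['reason_num']})"


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        print(summarize(err))
```

Run against the two lines, the client side decodes to a local failure inside DTLS1_SEND_CLIENT_KEY_EXCHANGE (reason 68, "internal error"), while the server side decodes to reason 1040, i.e. an alert with description 40 (handshake_failure) received from the peer. Reading the pair this way makes it clear that the server's message is a consequence of the client aborting, not an independent server-side bug, which is the kind of distinction that saves the "hours of debugging" mentioned above.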