Hi Michael

You are right, this is SHOULD, not MUST, but still it is strongly recommended. 

My point was that, probably, OpenSSL should make things as universal and 
portable as possible... it allows setting this DF bit for Linux, and if 
FreeBSD provides the same facility, then why not use it, to make the 
application code as portable as possible?

And you are right, setting the DF bit is not enough for PMTU discovery. But it 
would still be nice to have.

You mentioned a patch; where can I find it?

Thanks!
Oleg

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Michael Tuexen
> Sent: Sunday, June 03, 2012 1:31 PM
> To: openssl-users@openssl.org
> Cc: Robin Seggelmann
> Subject: Re: OpenSSL port in FreeBSD: DTLS networking problem (DF bit
> not set)
> 
> On Jun 3, 2012, at 7:56 PM, Oleg Moskalenko wrote:
> 
> > Hi
> >
> > I am using the OpenSSL library with FreeBSD, primarily the DTLS
> functionality. Unfortunately, what I discovered, is that the DTLS
> networking requirements are implemented for Linux only in OpenSSL code.
> That code is protected by #ifdef OPENSSL_SYS_LINUX and nothing is done
> for other OSes (see the file bss_dgram.c, line 534 in OpenSSL 1.0.1c).
> >
> > For FreeBSD, that would be an easy fix - just use the socket option
> IP_DONTFRAG on IPPROTO_IP level.
> >
> > Of course, a developer can always "manually" set the DF flag on the
> UDP socket, but then the application code would not be portable.
> >
> > It can be fixed in either original OpenSSL code, or in FreeBSD "port"
> patch for OpenSSL.
> >
> > Thanks !
> > Oleg Moskalenko
> >
> > Formal bug description:
> >
> > OpenSSL version: all versions with DTLS support.
> > OS name: FreeBSD 7.x, 8.x, 9.x
> > Compiler: any
> > Application: any DTLS application
> > Problem description:  The DTLS packets do not have "Don't fragment"
> IP flag set (DF bit). According to DTLS specs, it must always be set.
> In OpenSSL code, DF bit is supported only for Linux.
> Where is it specified that the DF bit must always be set? In
> http://tools.ietf.org/html/rfc6347
> I only see:
>    -  Where allowed by the underlying transport protocol, the upper
>       layer protocol SHOULD be allowed to set the state of the DF bit
>       (in IPv4) or prohibit local fragmentation (in IPv6).
> The problem is that not all OSes support controlling the DF bit. FreeBSD
> allows it. We do have a patch which allows controlling it on platforms
> which support it.
> 
> However, providing a way to do PMTU discovery in a portable way is more
> complex...
> 
> Best regards
> Michael
> >
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
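The thread above is about one thing: OpenSSL's bss_dgram.c only knows how to set the DF bit on Linux (IP_MTU_DISCOVER / IP_PMTUDISC_DO behind OPENSSL_SYS_LINUX), while FreeBSD offers the same control through IP_DONTFRAG. The helper below is an added example written for this page, not OpenSSL's code and not Michael's patch; it shows what a portable wrapper for a DTLS application could look like. It assumes the socket-option names are those documented for each platform (IP_MTU_DISCOVER and IPV6_MTU_DISCOVER on Linux, IP_DONTFRAG and IPV6_DONTFRAG on FreeBSD), reports ENOTSUP where no knob is known rather than silently sending fragmentable datagrams, and reads the option back so a startup self-check can confirm the kernel actually applied it. As the thread notes, setting DF is only the first step of PMTU discovery; this code does nothing about handling the resulting ICMP "fragmentation needed" errors.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Compile-time answer: does this platform expose a socket option (that this
 * example knows about) for controlling the DF bit on a UDP socket? */
int df_supported(void)
{
#if defined(__linux__) || defined(__FreeBSD__)
    return 1;
#else
    return 0;
#endif
}

/* Ask the kernel to send datagrams from fd with the IPv4 DF bit set, or with
 * local fragmentation prohibited for IPv6 (RFC 6347 wording).
 * Returns 0 on success, -1 with errno set on failure; errno == ENOTSUP means
 * this platform/family combination has no known knob. */
int set_dont_fragment(int fd, int family)
{
#if defined(__linux__)
    if (family == AF_INET) {
        int v = IP_PMTUDISC_DO;          /* always set DF, never fragment locally */
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, sizeof(v));
    }
    if (family == AF_INET6) {
        int v = IPV6_PMTUDISC_DO;
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, sizeof(v));
    }
#elif defined(__FreeBSD__)
    int on = 1;                           /* IP_DONTFRAG is a plain boolean */
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, sizeof(on));
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG, &on, sizeof(on));
#else
    (void)fd; (void)family;
#endif
    errno = ENOTSUP;
    return -1;
}

/* Read the option back. Returns 1 if DF is enforced on fd, 0 if it is not,
 * -1 with errno set if it cannot be queried on this platform. */
int get_dont_fragment(int fd, int family)
{
#if defined(__linux__)
    int v = 0;
    socklen_t len = sizeof(v);
    if (family == AF_INET) {
        if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &v, &len) < 0)
            return -1;
        return v == IP_PMTUDISC_DO;
    }
    if (family == AF_INET6) {
        if (getsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &v, &len) < 0)
            return -1;
        return v == IPV6_PMTUDISC_DO;
    }
#elif defined(__FreeBSD__)
    int on = 0;
    socklen_t len = sizeof(on);
    if (family == AF_INET) {
        if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &on, &len) < 0)
            return -1;
        return on != 0;
    }
    if (family == AF_INET6) {
        if (getsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG, &on, &len) < 0)
            return -1;
        return on != 0;
    }
#else
    (void)fd; (void)family;
#endif
    errno = ENOTSUP;
    return -1;
}

/* Stand-alone demo: open a UDP socket, enable DF, and verify the setting. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    if (set_dont_fragment(fd, AF_INET) < 0)
        perror("set_dont_fragment");         /* ENOTSUP on an unknown platform */
    else
        printf("DF enforced: %d\n", get_dont_fragment(fd, AF_INET));
    close(fd);
    return 0;
}
```

A DTLS application would call set_dont_fragment() right after creating the socket and before handing it to BIO_new_dgram(); treating a -1 return as fatal rather than continuing is the conservative choice, since a fragmentable DTLS record silently defeats the size limits the protocol relies on.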