Re: [openssl-users] DTLS-over-UDP client example

[aleksandr . derevianko]

Hello !

>>
>>  With such list it works, but without encoding (data send in cleartext, 
>> connection established as Cipher: NULL-SHA)
>>
>>  and if I remove eNULL on client side, it doesn't connect - server wait 
>> repeat of client cookue forever.
>>
>>  At the same time, "openssl s_client -dtls1 ..." connects fine, with Cipher: 
>> AES256-SHA
>
> Then debug why the server is ignoring the client request.
> OpenSSL has good debug output, in worst case add new prints...
>

Actually, I have traced it to ClientHello cookie exchange: test client connects 
to server, server calls generate_cookie() and never calls verify_cookie().

If I connect to test server using openssl s_client - server calls both 
generate_cookie() and verify_cookie(), and connection establishes.

If I return eNULL back in client ciphers list, server do not call  
generate_cookie(), and connection went OK.

If I comment out SSL_CTX_set_cookie_generate_cb() on server side, it still 
doesn't connect using test client but still connectes using openssl s_client.

-- 
Александр Деревянко/Aleksander Derevianko
Нач. отдела новых аппаратно-программных средств
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T:   +74959255370 Доб. 265
M: +79859229755

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] DTLS-over-UDP client example

[aleksandr . derevianko]

Hello !

17.09.2018, 16:26, "Richard Weinberger" :
> On Thu, Sep 13, 2018 at 3:51 PM  wrote:
>>  I tryed to dig inside openssl s_client source code, but it's really too 
>> complex for me, it seems like s_client doesn't use
>>  SSL_connect, instead, using more low-level functions.
>>
>>  So, does anybody have any simple client-side implementation of DTLS over 
>> UDP connection?
>
> https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
> ... is a good example.

Unfortunelly, it's exactly this example which I use. You have pointed on 
slightly different version,
but all difference is: 

SSL_CTX_set_cookie_verify_cb(ctx, _cookie);
instead of 
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);

ctx = SSL_CTX_new(DTLS_client_method());
instead of 
ctx = SSL_CTX_new(DTLSv1_client_method());


I have tryed it, works exactly the same.

In both versions, on client side cipher_list is:
SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

With such list it works, but without encoding (data send in cleartext, 
connection established as  Cipher: NULL-SHA)

and if I remove eNULL on client side, it doesn't connect - server wait repeat 
of client cookue forever. 

At the same time,  "openssl s_client -dtls1   ..." connects fine, with Cipher: 
AES256-SHA

>
> In case you are on 1.1.x, please also see:
> https://mta.openssl.org/pipermail/openssl-users/2018-August/008498.html
>
> OpenSSL badly regressed in 1.1.x wrt. DTLS.
>

Actually, I use openssl-1.0.2o_2,1
Also, this "regression" is for multy-threaded server, not for single-threaded 
client.


-- 
Александр Деревянко/Aleksander Derevianko
Нач. отдела новых аппаратно-программных средств
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T:   +74959255370 Доб. 265
M: +79859229755

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] DTLS-over-UDP client example

[aleksandr . derevianko]

Hello !

I'm completely new to openssl, but really need to implement simple application 
which will use DTLS over UDP.

Unfortunelly, it seems that all examples which I can find, correctly implement 
DTLS server, but not implement DTLS client side.

For example, this one:

https://github.com/nplab/DTLS-Examples/blob/master/src/dtls_udp_echo.c

implement both client and server, but all connection from client to server have 
no encoding:
SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) returns "NULL-SHA256";
It's because client side sets SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

If I try to connect to the dtls_udp_echo application in server mode using 
openssl s_client, it connects successfully and with encoding enabled 
("AES256-SHA").

If I change client side SSL_CTX_set_cipher_list to "ALL", or "AES256:SHA" - 
SSL_connect() on client hangs forever.

I think, the reason is that server side require cookie exchange, and clients 
side doesn't implement it.
At least, if I connect using openssl s_client, on server side both 
verify_cookie and generate_cookie was called.
If I use example client, only generate_cookie was called.
Client just hangs forever, sending packets to server every few seconds until 
timeout expired (~8 minutes) and return

SSL_connect: Resource temporarily unavailable
error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired


It seems for me that for DTLS connection, SSL_connect() doesn't implement 
cookies exchange.

I tryed to dig inside openssl s_client source code, but it's really too complex 
for me, it seems like s_client doesn't use
SSL_connect, instead, using more low-level functions.


So, does anybody have any simple client-side implementation of DTLS over UDP 
connection?


-- 
Александр Деревянко/Aleksander Derevianko
Нач. отдела новых аппаратно-программных средств
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T:   +74959255370 Доб. 265
M: +79859229755

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users