Re: [openssl-users] DTLS-over-UDP client example
Hello !

>> With such a list it works, but without encoding (data sent in cleartext,
>> connection established as Cipher: NULL-SHA)
>>
>> and if I remove eNULL on the client side, it doesn't connect - the server waits
>> for a repeat of the client cookie forever.
>>
>> At the same time, "openssl s_client -dtls1 ..." connects fine, with Cipher:
>> AES256-SHA
>
> Then debug why the server is ignoring the client request.
> OpenSSL has good debug output, in worst case add new prints...

Actually, I have traced it to the ClientHello cookie exchange: the test client connects to the server, the server calls generate_cookie() and never calls verify_cookie().

If I connect to the test server using openssl s_client, the server calls both generate_cookie() and verify_cookie(), and the connection is established.

If I put eNULL back in the client cipher list, the server does not call generate_cookie(), and the connection goes OK.

If I comment out SSL_CTX_set_cookie_generate_cb() on the server side, it still doesn't connect using the test client but still connects using openssl s_client.

--
Александр Деревянко/Aleksander Derevianko
Head of the New Hardware and Software Department
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T: +74959255370 ext. 265
M: +79859229755
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] DTLS-over-UDP client example
Hello !

17.09.2018, 16:26, "Richard Weinberger" :
> On Thu, Sep 13, 2018 at 3:51 PM wrote:
>> I tried to dig inside the openssl s_client source code, but it's really too
>> complex for me, it seems like s_client doesn't use
>> SSL_connect, instead, using more low-level functions.
>>
>> So, does anybody have any simple client-side implementation of DTLS over
>> UDP connection?
>
> https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
> ... is a good example.

Unfortunately, it's exactly this example which I use. You have pointed to a slightly different version, but all the difference is:

SSL_CTX_set_cookie_verify_cb(ctx, _cookie);
instead of
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);

ctx = SSL_CTX_new(DTLS_client_method());
instead of
ctx = SSL_CTX_new(DTLSv1_client_method());

I have tried it, it works exactly the same.

In both versions, on the client side cipher_list is:
SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

With such a list it works, but without encoding (data sent in cleartext, connection established as Cipher: NULL-SHA)

and if I remove eNULL on the client side, it doesn't connect - the server waits for a repeat of the client cookie forever.

At the same time, "openssl s_client -dtls1 ..." connects fine, with Cipher: AES256-SHA

> In case you are on 1.1.x, please also see:
> https://mta.openssl.org/pipermail/openssl-users/2018-August/008498.html
>
> OpenSSL badly regressed in 1.1.x wrt. DTLS.

Actually, I use openssl-1.0.2o_2,1

Also, this "regression" is for a multi-threaded server, not for a single-threaded client.

--
Александр Деревянко/Aleksander Derevianko
Head of the New Hardware and Software Department
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T: +74959255370 ext. 265
M: +79859229755
[openssl-users] DTLS-over-UDP client example
Hello !

I'm completely new to openssl, but really need to implement a simple application which will use DTLS over UDP.

Unfortunately, it seems that all examples which I can find correctly implement a DTLS server, but do not implement the DTLS client side.

For example, this one:
https://github.com/nplab/DTLS-Examples/blob/master/src/dtls_udp_echo.c
implements both client and server, but all connections from client to server have no encoding:
SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) returns "NULL-SHA256";
It's because the client side sets
SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

If I try to connect to the dtls_udp_echo application in server mode using openssl s_client, it connects successfully and with encoding enabled ("AES256-SHA").

If I change the client side SSL_CTX_set_cipher_list to "ALL", or "AES256:SHA" - SSL_connect() on the client hangs forever.

I think the reason is that the server side requires a cookie exchange, and the client side doesn't implement it. At least, if I connect using openssl s_client, on the server side both verify_cookie and generate_cookie were called. If I use the example client, only generate_cookie was called.

The client just hangs forever, sending packets to the server every few seconds until the timeout expires (~8 minutes) and returns
SSL_connect: Resource temporarily unavailable
error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired

It seems to me that for a DTLS connection, SSL_connect() doesn't implement the cookie exchange.

I tried to dig inside the openssl s_client source code, but it's really too complex for me, it seems like s_client doesn't use SSL_connect, instead, using more low-level functions.

So, does anybody have any simple client-side implementation of DTLS over UDP connection?

--
Александр Деревянко/Aleksander Derevianko
Head of the New Hardware and Software Department
Бомбардье Транспортейшн (Сигнал)/Bombardier Transportation (Signal) Ltd.
T: +74959255370 ext. 265
M: +79859229755