Re: DTLS: Fragmentation of user data due to PMTU limits makes no sense

2009-08-11 Thread Michael Tüxen
Hi Daniel, the UDP behaviour is as follows: If a user sends a UDP message which is larger than the PMTU, but does fit into the send buffer, it is accepted by the kernel, fragmented by the IP layer and transmitted. If the size is larger than the send buffer, the send call fails since the send

Re: DTLS: Fragmentation of user data due to PMTU limits makes no sense

2009-08-11 Thread Michael Tüxen
On Aug 10, 2009, at 11:21 AM, David Schwartz wrote: Daniel Mentz wrote: In my understanding DTLS should provide UDP semantics when run over the latter. That is correct. That is if a user message is too large in terms of the PMTU it should either be silently discarded or the sender

Certificate verification through Callback

2009-08-11 Thread Kamalakanta Palei (kpalei)
Hi All, I am using the SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg) API to register the callback function for certificate verification. However I need to set the mode (SSL_VERIFY_PEER) for the SSL Context. I am using the code below to set the mode and callback function. Is it the right way of doing

[PATCH] Fix for a memory leak and a potential buffer overflow

2009-08-11 Thread Alexei Khlebnikov
Hi, I've found a memory leak and a potential buffer overflow in d2i_SSL_SESSION() function. The fix is attached. Some explanations are below. 1) First part. Memory leak. When doing simply return(NULL), SSL_SESSION object at a pointer is not deallocated. I changed it so that it will be

Re: DTLS: Fragmentation of user data due to PMTU limits makes no sense

2009-08-11 Thread Daniel Mentz
Thanks David and Michael for your answers. I should have pointed out in my original e-mail that I assume that the DF (Don't Fragment) bit is set at all times. Sure, you could use IP fragmentation and that works fine under some circumstances. But I don't want to rely on that due to the reasons

Noticed something in the openssl-1.0.0 20090811 SNAPshot

2009-08-11 Thread The Doctor
First time I have seen "Cannot find path to openssl/engines/". In FreeBSD-7.2 amd64 it is a show stopper. In the old BSDI BSD/OS 4.3.X just create the directory and away you go. Suggestion: Can the path to openssl/engines/ point to the path to openssl/lib/? After all only .so's are being installed. --

Re: [PATCH] Fix for a memory leak and a potential buffer overflow

2009-08-11 Thread Dr. Stephen Henson
On Tue, Aug 11, 2009, Alexei Khlebnikov wrote: Hi, I've found a memory leak and a potential buffer overflow in d2i_SSL_SESSION() function. The fix is attached. Some explanations are below. 1) First part. Memory leak. When doing simply return(NULL), SSL_SESSION object at a pointer is

Re: Noticed something in the openssl-1.0.0 20090811 SNAPshot

2009-08-11 Thread Dr. Stephen Henson
On Tue, Aug 11, 2009, The Doctor wrote: First time I have seen "Cannot find path to openssl/engines/". In FreeBSD-7.2 amd64 it is a show stopper. In the old BSDI BSD/OS 4.3.X just create the directory and away you go. Suggestion: Can the path to openssl/engines/ point to the path to

Re: DTLS: Fragmentation of user data due to PMTU limits makes no sense

2009-08-11 Thread Michael Tüxen
On Aug 11, 2009, at 3:47 PM, Daniel Mentz wrote: Thanks David and Michael for your answers. I should have pointed out in my original e-mail that I assume that the DF (Don't Fragment) bit is set at all times. Sure, you could use IP fragmentation and that works fine under some circumstances.

Re: [PATCH] Fix for a memory leak and a potential buffer overflow

2009-08-11 Thread Alexei Khlebnikov
On Tue, 11 Aug 2009 17:08:19 +0200, Dr. Stephen Henson st...@openssl.org wrote: Please send any patches or bug reports to the request tracker in future. That way they don't get overlooked. I tried to do so, but I don't have an account there, guest account doesn't have rights to create a

[openssl.org #2006] [PATCH]: Do not use multiple DTLS records for a single user message

2009-08-11 Thread Michael Tuexen via RT
Dear all, the attached patch fixes a bug where a single user message was distributed over multiple DTLS records. Best regards Michael fragmentation.patch Description: Binary data

[openssl.org #1997] [PATCH] DTLS timeout handling bug

2009-08-11 Thread Stephen Henson via RT
[seggelm...@fh-muenster.de - Mon Jul 27 17:03:25 2009]: This patch fixes the timeout handling. The method dtls1_get_timeout() was intended to determine the next handshake message timeout when using select() calls, to set their timeout. This method is renamed to DTLSv1_get_timeout(),
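The split of responsibilities described in this ticket, a get-timeout call that tells select() how long it may block and a handle-timeout call that retransmits the last flight and backs the timer off, is shown below as an added example. It is not code from the patch, the thread or OpenSSL, and it performs no real DTLS: the "ClientHello" and "ServerHello" datagrams are constructed placeholders, the peer is a second UDP socket in the same process that drops a configurable number of copies, and the timer values (1 s initially, doubled on every retransmission, capped at 60 s) are taken from RFC 4347 section 4.2.4.1. The class and function names are the example's own, not OpenSSL's.

```python
"""Model of a DTLS handshake retransmission timer driven from select().
Illustrative only: not OpenSSL code, and no real DTLS records are sent."""
import select
import socket
import time

INITIAL_TIMEOUT = 1.0   # RFC 4347 4.2.4.1: initial retransmit timer (seconds)
MAX_TIMEOUT = 60.0      # RFC 4347 4.2.4.1: upper bound for the doubled timer


class HandshakeTimer:
    """Tracks the retransmission deadline of the last flight we sent."""

    def __init__(self, initial=INITIAL_TIMEOUT, maximum=MAX_TIMEOUT,
                 clock=time.monotonic):
        self.initial = initial
        self.maximum = maximum
        self.clock = clock          # injectable for deterministic tests
        self.timeout = initial
        self.deadline = None
        self.retransmissions = 0

    def flight_sent(self):
        """Arm the timer after sending (or re-sending) a flight."""
        self.deadline = self.clock() + self.timeout

    def flight_answered(self):
        """Peer answered: disarm and fall back to the initial interval."""
        self.deadline = None
        self.timeout = self.initial

    def get_timeout(self):
        """Seconds select() may block, or None when no timer is armed.
        This is the role the ticket assigns to DTLSv1_get_timeout()."""
        if self.deadline is None:
            return None
        return max(0.0, self.deadline - self.clock())

    def handle_timeout(self):
        """If the deadline passed: count the retransmission, double the
        interval (capped) and re-arm. Returns True when the caller must
        resend the flight; the role of DTLSv1_handle_timeout()."""
        if self.deadline is None or self.clock() < self.deadline:
            return False
        self.retransmissions += 1
        self.timeout = min(self.timeout * 2, self.maximum)
        self.flight_sent()
        return True


def backoff_schedule(retransmissions):
    """Instants (seconds after the first send) at which a silent peer causes
    retransmissions, computed with a fake clock so no real time passes."""
    now = [0.0]
    timer = HandshakeTimer(clock=lambda: now[0])
    timer.flight_sent()
    schedule = []
    for _ in range(retransmissions):
        now[0] = timer.deadline        # jump the fake clock to the deadline
        timer.handle_timeout()
        schedule.append(now[0])
    return schedule


def run_handshake(drop_first, initial_timeout=INITIAL_TIMEOUT,
                  max_retransmissions=6):
    """Send a constructed ClientHello over loopback UDP to an in-process peer
    that silently drops the first `drop_first` copies and answers the next.
    Returns (completed, retransmissions_sent)."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        peer.bind(("127.0.0.1", 0))
        client.bind(("127.0.0.1", 0))
        peer_addr = peer.getsockname()
        flight = b"ClientHello"        # constructed placeholder, not a DTLS record
        timer = HandshakeTimer(initial=initial_timeout)
        client.sendto(flight, peer_addr)
        timer.flight_sent()
        dropped = 0
        while True:
            # get_timeout() bounds the wait so an expired timer is noticed
            readable, _, _ = select.select([client, peer], [], [],
                                           timer.get_timeout())
            if peer in readable:
                data, addr = peer.recvfrom(2048)
                if dropped < drop_first:
                    dropped += 1       # simulated loss: no reply
                else:
                    peer.sendto(b"ServerHello", addr)
            if client in readable:
                client.recvfrom(2048)
                timer.flight_answered()
                return True, timer.retransmissions
            if timer.handle_timeout():
                if timer.retransmissions > max_retransmissions:
                    return False, max_retransmissions
                client.sendto(flight, peer_addr)   # retransmit whole flight
    finally:
        client.close()
        peer.close()
```

Note that the loop never sleeps on a guess: select() blocks only as long as get_timeout() allows, and handle_timeout() decides whether anything needs resending, so the same loop serves both a responsive and a silent peer.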

Re: [openssl.org #1997] [PATCH] DTLS timeout handling bug

2009-08-11 Thread Michael Tüxen
On Aug 11, 2009, at 7:40 PM, Stephen Henson via RT wrote: [seggelm...@fh-muenster.de - Mon Jul 27 17:03:25 2009]: This patch fixes the timeout handling. The method dtls1_get_timeout() was intended to determine the next handshake message timeout when using select() calls, to set their timeout.

Re: [openssl.org #1997] [PATCH] DTLS timeout handling bug

2009-08-11 Thread Dr. Stephen Henson
On Tue, Aug 11, 2009, Michael Tüxen wrote: On Aug 11, 2009, at 7:40 PM, Stephen Henson via RT wrote: [seggelm...@fh-muenster.de - Mon Jul 27 17:03:25 2009]: This patch fixes the timeout handling. The method dtls1_get_timeout() was intended to determine the next handshake message timeout when

Re: [openssl.org #1997] [PATCH] DTLS timeout handling bug

2009-08-11 Thread Michael Tüxen
On Aug 11, 2009, at 9:15 PM, Dr. Stephen Henson wrote: On Tue, Aug 11, 2009, Michael Tüxen wrote: On Aug 11, 2009, at 7:40 PM, Stephen Henson via RT wrote: [seggelm...@fh-muenster.de - Mon Jul 27 17:03:25 2009]: This patch fixes the timeout handling. The method dtls1_get_timeout() was

Re: [openssl.org #1997] [PATCH] DTLS timeout handling bug

2009-08-11 Thread Dr. Stephen Henson
On Tue, Aug 11, 2009, Michael Tüxen wrote: On Aug 11, 2009, at 9:15 PM, Dr. Stephen Henson wrote: Using SSL_ctrl() in a similar way to (for example) SSL_set_tlsext_host_name(). Do you mean using SSL_ctrl() instead of DTLSv1_get_timeout()? How should DTLSv1_handle_timeout() be handled?