Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-16 Thread Michael Richardson

Philip Prindeville  wrote:
> You can create an SSL context and then bind a connection listener to
> it.

> If the library doesn’t specifically handle the case of DTLS (I know it
> handles SSL and TLS), then it shouldn’t be too hard to cobble something
> together and even get it upstreamed.

Philip, DTLS is not just TLS over UDP.  There is more to it than that.

We are trying to do EXACTLY this, and we can't, because the behaviour
of DTLSv1_listen() does not let a library do this.  And actually we can't
open-code it, because DTLSv1_listen() uses APIs internal to libssl.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-15 Thread Richard Weinberger
Philip,

On Wed, Aug 15, 2018 at 11:36 PM Philip Prindeville wrote:
> Have a look at:
>
> http://www.wangafu.net/~nickm/libevent-book/Ref6a_advanced_bufferevents.html
>
> you don’t need a dedicated thread per connection.

I know. I already have a full-blown single-threaded event loop that
works fine with OpenSSL 1.0.x.

> See the section “Bufferevents and SSL”
>
> You can create an SSL context and then bind a connection listener to it.
>
> If the library doesn’t specifically handle the case of DTLS (I know it 
> handles SSL and TLS), then it shouldn’t be too hard to cobble something 
> together and even get it upstreamed.

Well, it still seems to miss the fact that DTLSv1_listen() regressed in 1.1.x.
I really don't see how layering libevent into my application should help here.

-- 
Thanks,
//richard


Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-15 Thread Philip Prindeville


> On Aug 15, 2018, at 2:09 PM, Richard Weinberger  wrote:
> 
> Philip,
> 
> On Wednesday, 15 August 2018, 21:36:30 CEST, you wrote:
>> 
>>> [snip]
>> 
>> 
>> Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.
> 
> Can you please explain? I fear I miss something.


Have a look at:

http://www.wangafu.net/~nickm/libevent-book/Ref6a_advanced_bufferevents.html

you don’t need a dedicated thread per connection.

See the section “Bufferevents and SSL”

You can create an SSL context and then bind a connection listener to it.

If the library doesn’t specifically handle the case of DTLS (I know it handles 
SSL and TLS), then it shouldn’t be too hard to cobble something together and 
even get it upstreamed.

-Philip





Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-15 Thread Richard Weinberger
Philip,

On Wednesday, 15 August 2018, 21:36:30 CEST, you wrote:
> Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.

Can you please explain? I fear I miss something.

Libevent seems to be able to deal with OpenSSL BIO objects.
But how is it supposed to help me with the DTLSv1_listen() issue?

A quick grep on the Libevent sources does not show calls to DTLSv1_listen()
and I don't think that it is open coding it. At least I hope so.

The problem I see is not about event processing, it is about OpenSSL 1.1.x's
re-write of DTLSv1_listen().

Thanks,
//richard




Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-15 Thread Philip Prindeville



> On Aug 11, 2018, at 9:22 AM, Richard Weinberger  wrote:
> 
> [snip]


Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.

-Philip



Re: [openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-13 Thread Matt Caswell
Please could you raise this as a github issue? I'll try and take a look
at it (although it may be a while since my current focus is on the 1.1.1
release).

Matt

On 11/08/18 16:22, Richard Weinberger wrote:
> [snip]


[openssl-users] Multi client DTLS server on OpenSSL 1.1.x broken?

2018-08-11 Thread Richard Weinberger
Hi!

I have a hard time figuring out how to write a DTLS UDP server that supports
multiple clients. My dummy single-user server works fine.

To support multiple clients I tried two approaches:
1. single-threaded async IO, preferred since I have to deal with many clients
2. multi-threaded, one thread per client

Both approaches seem to be doomed for the very same reason, namely that
DTLSv1_listen() does peek into the kernel queue and does not consume
the client hello from the UDP socket.

Both loop around DTLSv1_listen() and as soon as the function returns > 0 a new
socket for the client is created using bind/connect and the client address
as returned by DTLSv1_listen().

This client socket is then passed to a new thread or fed into the event loop.
In both cases the client hello is still in the queue of the server socket
and the program will create new client sockets over and over.

After searching the web for examples I've found this thread[0], where the
approaches I tried are advertised.
In [1] the demo server at [3] is suggested as a good example.

dtls_udp_echo.c from [3] does exactly what I did in my 2nd approach, and it
fails in the same way.
As soon as one client connects, it creates new sockets over and over until it
dies due to too many open files.

After digging a bit into the source it looks to me like since commit [3],
DTLSv1_listen() assumes that you re-use the same socket for the new client,
which makes supporting multiple clients impossible.

Given that I'm not an OpenSSL DTLS expert I still hope I'm missing something.
Can you please help me figure out what the correct approach for multiple
clients is?

Thanks,
//richard

P.S.: I'm on Linux, OpenSSL 1.1.0h, but also tried OpenSSL git as of today.

[0] https://mta.openssl.org/pipermail/openssl-users/2018-April/007861.html
[1] https://mta.openssl.org/pipermail/openssl-users/2018-April/007864.html
[2] https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
[3] https://github.com/openssl/openssl/commit/e3d0dae7cf8363ca462ac425b72c7bb31c3b4b7a
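The accept loop Richard describes (listen step reports a client, create a per-client socket with bind/connect, repeat), as an added example that is not part of this thread, of OpenSSL or of dtls_udp_echo.c: it models the listen step as a MSG_PEEK on a plain UDP socket, which is the "peeks but does not consume" behaviour he attributes to DTLSv1_listen() in 1.1.x, so the runaway socket creation can be reproduced and checked without libssl. The function names (accept_rounds, client_socket, peek_hello, routed_to_client_socket) and the sample datagrams are this example's own assumptions, and it is written for Linux, whose UDP delivery prefers a connected socket over an unconnected one bound to the same address. It covers only the socket mechanics; how a consumed ClientHello is then handed to the SSL object on the new socket is the OpenSSL-side question the thread leaves open.

```c
/* Added example (not from the thread or OpenSSL): plain UDP sockets on
 * loopback, modelling the multi-client DTLS accept pattern from the thread.
 * All names and the sample datagrams below are this example's own. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

static const char HELLO[] = "ClientHello (constructed sample datagram)";
static const char DATA[]  = "ApplicationData (constructed sample datagram)";

/* Poll-based readiness check so nothing below can block the demo. */
static int readable(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    return poll(&p, 1, timeout_ms) > 0 && (p.revents & POLLIN) != 0;
}

/* UDP socket bound to 127.0.0.1:port (0 = pick one) with SO_REUSEADDR, which
 * the listener and every per-client socket need in order to share one address. */
static int udp_bind(uint16_t port, struct sockaddr_in *bound) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct sockaddr_in a;
    socklen_t len = sizeof *bound;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Stand-in for the listen step: report the sender of the first queued datagram
 * WITHOUT removing it from the queue (MSG_PEEK). 1 if one was seen, else 0. */
static int peek_hello(int listener, struct sockaddr_in *peer) {
    char buf[256];
    socklen_t len = sizeof *peer;
    if (!readable(listener, 200)) return 0;
    return recvfrom(listener, buf, sizeof buf, MSG_PEEK | MSG_DONTWAIT,
                    (struct sockaddr *)peer, &len) > 0;
}

/* Per-client socket as in the thread: same local address as the listener, then
 * connect()ed to the peer, so the kernel prefers it for that peer's LATER
 * datagrams. The datagram already queued on the listener stays where it is. */
static int client_socket(const struct sockaddr_in *local, const struct sockaddr_in *peer) {
    struct sockaddr_in b;
    int fd = udp_bind(ntohs(local->sin_port), &b);
    if (fd >= 0 && connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) { close(fd); fd = -1; }
    return fd;
}

/* Run the accept loop up to `rounds` times for ONE client hello and return how
 * many per-client sockets it creates. Peek-only semantics (consume = 0) create
 * one per round, the runaway that ends in "too many open files"; draining the
 * hello after the first accept (consume = 1) stops at one. -1 on error. */
static int accept_rounds(int rounds, int consume) {
    struct sockaddr_in srv, cli, peer;
    int fds[32], created = 0, listener, client, i;
    char buf[256];
    if (rounds > 32) rounds = 32;
    listener = udp_bind(0, &srv);
    client = udp_bind(0, &cli);
    if (listener < 0 || client < 0) { if (listener >= 0) close(listener); return -1; }
    (void)sendto(client, HELLO, sizeof HELLO, 0, (struct sockaddr *)&srv, sizeof srv);
    for (i = 0; i < rounds; i++) {
        if (!peek_hello(listener, &peer)) break;            /* nothing queued: done */
        if ((fds[created] = client_socket(&srv, &peer)) < 0) break;
        created++;
        if (consume) (void)recv(listener, buf, sizeof buf, MSG_DONTWAIT); /* take it off the listener */
    }
    for (i = 0; i < created; i++) close(fds[i]);
    close(listener); close(client);
    return created;
}

/* Once the hello is consumed and the per-client socket exists, the peer's next
 * datagram must land on the per-client socket and not on the listener. */
static int routed_to_client_socket(void) {
    struct sockaddr_in srv, cli, peer;
    char buf[256];
    int ok = 0, cfd = -1, listener = udp_bind(0, &srv), client = udp_bind(0, &cli);
    if (listener < 0 || client < 0) goto out;
    (void)sendto(client, HELLO, sizeof HELLO, 0, (struct sockaddr *)&srv, sizeof srv);
    if (!peek_hello(listener, &peer)) goto out;
    cfd = client_socket(&srv, &peer);
    (void)recv(listener, buf, sizeof buf, MSG_DONTWAIT);    /* consume the hello */
    (void)sendto(client, DATA, sizeof DATA, 0, (struct sockaddr *)&srv, sizeof srv);
    ok = cfd >= 0 && readable(cfd, 500) &&
         recv(cfd, buf, sizeof buf, MSG_DONTWAIT) == (ssize_t)sizeof DATA &&
         !readable(listener, 100);                          /* listener stays empty */
out:
    if (cfd >= 0) close(cfd);
    if (listener >= 0) close(listener);
    if (client >= 0) close(client);
    return ok;
}

int main(void) {
    printf("peek-only listen, 5 rounds: %d per-client sockets\n", accept_rounds(5, 0));
    printf("hello consumed after accept: %d per-client socket(s)\n", accept_rounds(5, 1));
    printf("later datagram routed to per-client socket: %s\n",
           routed_to_client_socket() ? "yes" : "no");
    return 0;
}
```

Build with `cc -o dtls_demux demo.c` (no libraries needed) and run it. The first line shows the failure mode the thread reports: while the hello stays queued on the listener, every pass creates another bound-and-connected socket for the same peer, so an unbounded accept loop ends in EMFILE. A robust server loop should therefore treat "the same datagram is still queued after an accept" as a defect to surface rather than spin on it, and the third line confirms the kernel side of the pattern: once a connected per-client socket exists, that peer's subsequent datagrams bypass the listener.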