Hi Daniel,
I looked at the code for path MTU discovery, which is pretty
broken.
crypto/bio/bss_diagram.c contains
#define IP_MTU 14 /* linux is lame */
if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void
*)&sockopt_val,
&sockopt_len)) < 0 || sockopt_val < 0)
which is broken if the socket option ID is not correct. On Mac OS X we
have
#define IP_MULTICAST_VIF 14 /* set/get IP mcast virt. iface */
So it might work on Linux, but one should never define the
socket option ID...
Which OS are you using?
I'll talk to Robin, how we can handle that...
Best regards
Michael
On May 13, 2009, at 12:48 AM, Michael Tüxen wrote:
Hi Daniel,
yes, you are right. The command line arg is passed to
SSL_set_mtu() which just sets d1->mtu.
The rest of the code assumes that d1->mtu does
only covers the UDP payload. So we need to fix
the handling of SSL_CTRL_SET_MTU to reduce the
value by 20+8.
Regarding path MTU discovery there seems to be a similar
problem, since we have
case BIO_CTRL_DGRAM_QUERY_MTU:
sockopt_len = sizeof(sockopt_val);
if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void
*)&sockopt_val,
&sockopt_len)) < 0 || sockopt_val < 0)
{ ret = 0; }
else
{
data->mtu = sockopt_val;
ret = data->mtu;
}
break;
So I guess this also needs a reduction.
Robin, can you provide a patch?
Daniel, can you test the patch when it is available? The path MTU
discovery might be platform specific...
Best regards
Michael
On May 12, 2009, at 8:24 PM, Daniel Mentz wrote:
I've got the impression that the DTLS part of OpenSSL is based on
an incorrect understanding of the term MTU (Maximum Transmission
Unit).
My understanding is that the MTU refers to the size of the IP
packet including the IP header (usually 20 bytes) and the UDP
header (usually 8 bytes) in case UDP is used. This means that I can
transfer 1472 bytes of payload if the MTU is 1500 bytes.
Now, if I start openssl s_server with the following command line
./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem -mtu
1400
and monitor packets with wireshark I can see IP packets with a
total length of 1428 bytes.
From looking at this I infere that OpenSSL interprets the MTU as
the maximum payload size of an UDP packet.
If I get rid of the -mtu parameter, rely on Path MTU discovery and
set the MTU of the outgoing interface to 1400 I don't get any
communication going. But I do see an avalanche of "Destination
unreachable (Fragmentation needed)" ICMP messages. I guess that
this is due to the incorrect understanding of the MTU. OpenSSL
appears to try sending larger packets than allowed by the PMTU.
Can anyone confirm this problem?
Thanks
-Daniel
______________________________________________________________________
OpenSSL Project http://
www.openssl.org
User Support Mailing List openssl-
us...@openssl.org
Automated List Manager
majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
