I'm wondering if there's also an error in RFC 4347 section 4.1.1:
"[...] the maximum application datagram size, which is the PMTU minus
the DTLS per-record overhead [...]"
Shouldn't it be phrased like this:
the maximum application datagram size, which is the PMTU minus the IP
per-packet overhead minus the UDP per-datagram overhead minus the DTLS
per-record overhead
-Daniel
Daniel Mentz wrote:
I've got the impression that the DTLS part of OpenSSL is based on an
incorrect understanding of the term MTU (Maximum Transmission Unit).
My understanding is that the MTU refers to the size of the IP packet
including the IP header (usually 20 bytes) and the UDP header (usually 8
bytes) in case UDP is used. This means that I can transfer 1472 bytes of
payload if the MTU is 1500 bytes.
Now, if I start openssl s_server with the following command line
./openssl s_server -dtls1 -no_ecdhe -timeout -cert large.pem -mtu 1400
and monitor packets with wireshark I can see IP packets with a total
length of 1428 bytes.
From looking at this I infere that OpenSSL interprets the MTU as the
maximum payload size of an UDP packet.
If I get rid of the -mtu parameter, rely on Path MTU discovery and set
the MTU of the outgoing interface to 1400 I don't get any communication
going. But I do see an avalanche of "Destination unreachable
(Fragmentation needed)" ICMP messages. I guess that this is due to the
incorrect understanding of the MTU. OpenSSL appears to try sending
larger packets than allowed by the PMTU.
Can anyone confirm this problem?
Thanks
-Daniel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
