On Sep 16, 2010, at 4:43 PM, Sebastian Proca wrote:

> Hello all again,
>
> Thank you for your reply, Michael! It really shed some more light on my issue
> here!
> Well, until now I used Openssl 0.9.8k; I didn't update until now because of
> the dependencies created, trying to avoid instability of the system.
> Now that I have updated to the 1.0.0a version, the behaviour of this test
> has changed a bit, as you will see below:
>
> 1. I make the first step, generating the key as I did in the first mail.
>
> 2. Start the server:
> sudo openssl s_server -cert /root/mycert.pem -www -dtls1
>
> but the output has changed (now I'll put all of it):
>
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT /* This appears right after the server starts.
>
> 3. Start the client (in another terminal):
> openssl s_client -connect 127.0.0.1:4433 -dtls1
>
> The output here, in the first instance, is this:
> CONNECTED(00000003)
>
> After the client starts, more "ACCEPT" messages appear on the server's side,
> until the client timeout is reached.
> When the client reaches the timeout, the following message appears in the
> client's terminal:
>
> 5315304:error:14129138:SSL routines:DTLS1_HANDLE_TIMEOUT:read timeout expired:d1_lib.c:351:
> 5315304:error:1410C0E5:SSL routines:DTLS1_WRITE_APP_DATA_BYTES:ssl handshake failure:d1_pkt.c:1273:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 1788 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : DTLSv1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1284645962
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> Seeing that, I thought that this is something related to my new Openssl
> installation; that's why I made the same test with "ssl2" instead of
> "dtls1", and it worked, so I guess that this is something nasty happening
> just in dtls' case.
> Is there something else that should be done here, or something I didn't do?

Hmm, I'm not familiar with the output. Can you use Wireshark to trace the
communication on the loopback interface? Is there a complete handshake?
I would like to make sure that it is not a firewall or SELinux or some
other security tool blocking the communication.
Best regards
Michael

> Best regards,
> Sebastian Proca
>
> --- On Wed, 9/15/10, Michael Tüxen <[email protected]> wrote:
>
>> From: Michael Tüxen <[email protected]>
>> Subject: Re: ubuntu testing dtls capabilities
>> To: [email protected]
>> Date: Wednesday, September 15, 2010, 1:45 PM
>>
>> Hi Sebastian,
>>
>> which version of openssl are you using? 0.9.8 contains
>> a lot of bugs regarding DTLS. (You can see a list of fixes
>> at http://sctp.fh-muenster.de/dtls-patches.html).
>> They are fixed in 1.0.? Do the same problems show up with
>> 1.0.??
>>
>> Best regards
>> Michael
>>
>> On Sep 15, 2010, at 7:10 PM, Sebastian Proca wrote:
>>
>>> Hello all,
>>>
>>> I need to check (test) if my Ubuntu 10.04 with Openssl really uses a
>>> Datagram TLS connection to encrypt a certain UDP flow.
>>> Until now I found a way, using the s_server and s_client applications
>>> from the apps/ directory, to test if the dtls capabilities are supported:
>>>
>>> 1) First generate the key:
>>> sudo openssl req -x509 -nodes -days 365 -newkey rsa:512 -subj '/C=CA/ST=ON/L=Ottawa/CN=www.madboa.com' -keyout /root/mycert.pem -out /root/mycert.pem
>>>
>>> 2) Start the server:
>>> sudo openssl s_server -cert /root/mycert.pem -www -dtls1
>>>
>>> 3) Start the client (in another terminal):
>>> openssl s_client -connect 127.0.0.1:4433 -dtls1
>>>
>>> but all that the client application returns is "CONNECTED(00000003)";
>>> also, the server returns "ACCEPT".
>>>
>>> I used wireshark to catch anything that would look like dtls events, but
>>> nothing; so I can't be sure that DTLS of openssl is really working.
>>> Could someone tell me another way of testing dtls capabilities than this
>>> one? Or do you think that this way of testing is enough to trust the good
>>> behaviour of this functionality?
>>>
>>> Thank you in advance,
>>> Sebastian
>>>
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    [email protected]
>>> Automated List Manager                           [email protected]
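An added example for the three-step test discussed in this thread (it is not code from either poster or from the OpenSSL project): the script below generates a throwaway certificate, starts s_server in DTLS mode on loopback, connects once with s_client, and then decides from s_client's own summary lines whether a handshake really took place. The point it makes is the one the thread circles around: "CONNECTED(00000003)" means nothing for DTLS, because connect(2) on a UDP socket succeeds locally without any packet being exchanged, and the `-ssl2` control run only shows that the TCP path and the certificate work, not that UDP gets through. What does carry information is the line "SSL handshake has read N bytes and written M bytes" together with "Cipher is ...": in the posted transcript the client wrote 1788 bytes (repeated ClientHello flights) and read 0, i.e. nothing ever came back, which is exactly the firewall/SELinux/wrong-port situation Michael asks about. Assumptions: a modern openssl(1) (1.1.0 or later, for the `-dtls` and `-timeout` options; the thread's builds used `-dtls1`), port 4433, `mktemp`/`awk` available, and a 2048-bit key instead of the thread's 512-bit one, since 512-bit RSA is trivially factorable and is refused at OpenSSL's default security level. The two sample transcripts are constructed: the first is the failing output from the thread, trimmed; the second is what a completed handshake looks like.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenSSL project):
# drive the s_server/s_client DTLS self-test over loopback and decide from
# s_client's own summary whether a handshake really completed.
# Assumptions: openssl(1) 1.1.0+ (for -dtls/-timeout); port, temp paths and
# the sample transcripts below are constructed for this example.

# Constructed samples (trimmed).  First: the failing run from the thread.
# Second: what a completed DTLS 1.2 handshake against a self-signed cert looks like.
SAMPLE_NOREPLY='CONNECTED(00000003)
5315304:error:14129138:SSL routines:DTLS1_HANDLE_TIMEOUT:read timeout expired:d1_lib.c:351:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 1788 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : DTLSv1
    Cipher    : 0000'

SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dtls-selftest
---
SSL handshake has read 1312 bytes and written 415 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : DTLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# dtls_verdict: read an s_client transcript on stdin and print one word.
#   ok      - a cipher was negotiated and bytes came back: real handshake
#   noreply - flights were sent but 0 bytes read: nothing ever came back
#             (UDP filtered, wrong port, server not in DTLS mode, ...)
#   failed  - data came back but no cipher was agreed (alert, version mismatch)
#   unknown - no summary lines at all (s_client killed before it reported)
# "CONNECTED(...)" is deliberately ignored: for UDP, connect(2) succeeds
# without any packet exchange, so that line proves nothing.
dtls_verdict() {
    awk '
        /^SSL handshake has read/ { read_bytes = $5 + 0; summary = 1 }
        /^New, .*Cipher is/       { cipher = $NF;        summary = 1 }
        END {
            if (!summary)
                print "unknown"
            else if (read_bytes > 0 && cipher != "" && cipher != "(NONE)")
                print "ok"
            else if (read_bytes == 0)
                print "noreply"
            else
                print "failed"
        }'
}

# run_dtls_probe [PORT]: self-signed cert, s_server -dtls on loopback, one
# s_client connection, then the verdict.  Returns 0 only for "ok".  Logs are
# kept so they can be read next to a capture taken at the same time, e.g.
#   tcpdump -i lo -w dtls.pcap udp port 4433
# opened in Wireshark: a real handshake shows a ServerHello coming back,
# the thread's failing case shows only the client's ClientHello retransmits.
run_dtls_probe() {
    port=${1:-4433}
    dir=$(mktemp -d)
    # rsa:2048 rather than the thread's rsa:512: a 512-bit RSA key is trivially
    # factorable and is rejected at OpenSSL's default security level anyway.
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj '/CN=dtls-selftest' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 2
    openssl s_server -dtls -accept "$port" -cert "$dir/cert.pem" -key "$dir/key.pem" \
        -www -timeout >"$dir/server.log" 2>&1 &
    server=$!
    sleep 1
    # -timeout enables DTLS retransmission (without it s_client never gives up);
    # EOF on stdin makes s_client close after the request, so the probe ends.
    printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -dtls -timeout -connect "127.0.0.1:$port" \
        >"$dir/client.log" 2>&1
    kill "$server" 2>/dev/null
    verdict=$(dtls_verdict <"$dir/client.log")
    echo "DTLS probe against 127.0.0.1:$port: $verdict (logs in $dir)"
    [ "$verdict" = ok ]
}

# Only probe when asked (sh dtls-probe.sh run [port]); otherwise the file just
# defines the functions, so dtls_verdict can be applied to any saved transcript.
if [ "${1:-}" = run ]; then
    run_dtls_probe "${2:-4433}"
fi
```

Usage: `sh dtls-probe.sh run 4433` for the live probe, or `dtls_verdict < client.log` on a transcript captured by hand. In the "noreply" case the next thing to look at is the loopback capture and the host firewall, since the client's datagrams are leaving the SSL layer but nothing is reaching it; in the "failed" case the server did answer, and the server log or a `-msg` trace will show the alert.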
