> On 13. Apr 2017, at 19:26, Martin Brejcha <martin.brej...@mavenir.com> wrote:
> 
> 
> 
> Matt Caswell wrote on 04/13/2017 03:45 PM:
>> 
>> 
>> On 13/04/17 10:11, mahesh gs wrote:
>>> Hi,
>>> 
>>> We are running SCTP connections with DTLS enabled in our application. We
>>> have adapted openssl version (openssl-1.1.0e) to achieve the same.
>>> 
>>> We have generated the self signed root and node certificates for
>>> testing. We have a strange problem with the incomplete DTLS handshake if
>>> we run the DTLS client and DTLS server is different systems.If we run
>>> the DTLS client and server in same system handshake is successful,
>>> handshake is not successful if run client and server in different VM's.
>>> 
>>> This strange problem happens only for SCTP/DTLS connection. With the
>>> same set of certificates TCP/TLS connection is successful and we are
>>> able to exchange the application data.
>>> 
>>> I am attaching the code bits for SSL_accept and SSL_connect and also the
>>> wireshark trace of unsuccessful handshake. Please assist me to debug
>>> this problem.
>>> 
>>> SSL_accept returns  SSL_ERROR_WANT_READ(2) infinite times but
>>> SSL_connect is called 4 or 5 times and select system call timeout.
>> 
>> Your trace shows the following interactions occurring:
>> 
>> Client                         Server
>> ------                         ------
>> 
>> ClientHello          -------->
>>                     <-------- ServerHello
>>                     <-------- Certificate
>>                     <-------- CertificateRequest
>>                     <-------- ServerDone
>> Certificate          --------->
>> ClientKeyExchange    --------->
>> CertificateVerify    --------->
>> CCS                  --------->
>> [Encrypted Finished]
>> 
>> We would expect the server to continue with its own CCS and Encrypted
>> Finished to complete the handshake. It seems that, for some reason, the
>> server is not receiving (or acting upon) the client's second flight of
>> messages.
>> 
>> Normally in DTLS this sort of thing can happen due to lost messages etc
>> but, obviously, with SCTP, this is not the case. Something else must be
>> happening.
>> 
> 
> There are some SCTP segmented messages during handshake.
> May be some issue in reassembling could lead to strange behavior.
> Can be observed these segmented messages also when the handshake is 
> successful?
Which OS are you using?

The OpenSSL code expects the kernel to reassemble the messages. Can you check
if this is true using truss on FreeBSD or a similar tool on Linux?

Best regards
Michael
> 
> M.
> 
> 
>> In your description you say SSL_accept() gets called repeatedly and
>> always gives SSL_ERROR_WANT_READ. Looking at your code it looks like you
>> are calling pollSocketForEvents() after each accept. I am assuming that
>> this is returning true each time (otherwise you would break out of the
>> loop). This suggests that the "select" call thinks there is something to
>> read from the underlying socket. Am I correct? The question is why
>> doesn't OpenSSL then read that data out of the socket?
>> 
>> Are you able to build a debug version of OpenSSL (run "config" with -d),
>> and step through to figure out where it gets stuck. Is it attempting to
>> read the data and failing, or does it not get as far attempting to read it?
>> 
>> Another question: does this fail every time or does it sometimes work
>> and sometimes not (which might suggest some race condition)?
>> 
>> Matt
>> 
> <0xB42AB632.asc>-- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to