On 04/14/2015 09:02 PM, Matt Caswell wrote:
>
> On 14/04/15 19:45, Florian Weimer wrote:
>> Is it possible to use DTLS with some sort of non-socket BIO?
>>
>> Basically, I have datagrams which I know belong to a specific DTLS
>> session, and I want to feed them to OpenSSL and get back further
>> datagrams to send out in response. (This is similar to what SSLEngine
>> does in OpenJDK, except there it's for plain TLS.)
>
> DTLS currently supports UDP and SCTP for the underlying BIO. In theory
> you could implement your own BIO to do whatever you want, but it would
> have to support the BIO ctrls that DTLS uses - see
> crypto/bio/bss_dgram.c (in particular the dgram_ctrl and dgram_sctp_ctrl
> functions).

Interesting. Is this part of the public API?

>> An example of how to establish a DTLS session with multiple peers over an
>> unconnected socket would help, too.
>>
>
> To do that you need to use DTLSv1_listen(). I recently wrote a man page
> for this function, but it hasn't hit the repo yet. Attached FYI.

Thanks. DTLSv1_listen is very odd because it has a socket address as an
"out" parameter, but no socket address length as an "in/out" argument.
It doesn't seem very transport-agnostic, either.

-- 
Florian Weimer / Red Hat Product Security