On 01/06/15 11:39, Matt Caswell wrote:
>
> On 01/06/15 10:08, Alfred E. Heggestad wrote:
>> Hi,
>>
>> we are using OpenSSL to deploy DTLS-SRTP, Ref:
>>
>> http://www.creytiv.com/doxygen/re-dox/html/tls__udp_8c.html
>>
>> it works really well, thanks for the good code.
>> one scenario that does not work so well, is when DTLS
>> is running in an environment with packet loss.
>> for example, we get this error message:
>>
>> 140735307322128:error:1411B09F:SSL routines:ssl3_get_new_session_ticket:length mismatch:s3_clnt.c:2183:
>>
>> any hints of where I should start looking ?
>
> Can you confirm which version of OpenSSL you are running?
>

Hey Matt,

openssl version 1.0.2a on both sides (Client and Server)

> Are you also running OpenSSL on the server side (and if so which version
> there)?
>
> The error message suggests that the NewSessionTicket message that has
> been received by the client is incorrectly formatted.
>
> A packet capture for a problem handshake might help diagnose the problem
> further.
>

please see the attached PCAP file, in this case Packet #4 is dropped
internally in the software (to simulate Packet-loss).

that test-code has the following option set, to avoid fragmentation:

    SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
    DTLS_set_link_mtu(tc->ssl, 1480);

please note that dropping Packet #1, #2 and #3 works as expected.
but dropping the final packet (packet #4) does not work.

/alfred

> Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl_dtls_packet4_lost.pcap
Type: application/octet-stream
Size: 4636 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150601/39dcf8b7/attachment.obj>