Hi, we are using OpenSSL in our product, mainly the DTLS-SRTP part to exchange keys for SRTP using DTLS. Our network environment is rather hostile, with highly variable bandwidth, some packet loss and some connections with slightly high RTT. the current DTLS stack in OpenSSL (v1.0.2) starts with a timeout value of 1 second, which is doubled for every retransmit. For us this is too high. I would like to reduce the initial value to around 500ms, and preferably make it run-time configurable. the patch below is a working patch, attached for the purpose of discussion. From 70a72c5102bab63373169615d3b26ded8399f227 Mon Sep 17 00:00:00 2001 From: "Alfred E. Heggestad" <alfred.heggestad@xxxxxxxx> Date: Fri, 6 May 2016 15:31:20 +0200 Subject: [PATCH] dtls: reduce initial timeout from 1.0 to 0.5 seconds --- ssl/d1_lib.c | 9 +++++++-- ssl/d1_pkt.c | 2 +- ssl/dtls1.h | 4 ++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index ee78921..027d893 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -359,6 +359,8 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u) void dtls1_start_timer(SSL *s) { + struct timeval diff; + #ifndef OPENSSL_NO_SCTP /* Disable timer for SCTP */ if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { @@ -369,14 +371,17 @@ void dtls1_start_timer(SSL *s) /* If timer is not set, initialize duration with 1 second */ if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { - s->d1->timeout_duration = 1; + s->d1->timeout_duration = 0.5; } /* Set timeout to current time */ get_current_time(&(s->d1->next_timeout)); /* Add duration to current time */ - s->d1->next_timeout.tv_sec += s->d1->timeout_duration; + diff.tv_sec = 0; + diff.tv_usec = 1000000*s->d1->timeout_duration; + timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout); + BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); } diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index fe30ec7..3330fd6 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1502,7 +1502,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * will happen with non blocking IO */ if (s->s3->wbuf.left != 0) { - OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ + /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever get here */ return (ssl3_write_pending(s, type, buf, len)); } diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 30bbcf2..077fee5 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -225,8 +225,8 @@ typedef struct dtls1_state_st { * Indicates when the last handshake msg or heartbeat sent will timeout */ struct timeval next_timeout; - /* Timeout duration */ - unsigned short timeout_duration; + /* Timeout duration in Seconds */ + double timeout_duration; /* * storage for Alert/Handshake protocol data received but not yet * processed by ssl3_read_bytes: -- 1.9.3 (Apple Git-50)