On 06/05/16 14:41, Alfred E. Heggestad wrote:
> Hi,
>
>
> we are using OpenSSL in our product, mainly the DTLS-SRTP part to
> exchange keys for SRTP using DTLS. Our network environment is rather
> hostile, with highly variable bandwidth, some packet loss and some
> connections with slightly high RTT.
>
>
> the current DTLS stack in OpenSSL (v1.0.2) starts with a timeout
> value of 1 second, which is doubled for every retransmit. For us this
> is too high. I would like to reduce the initial value to around 500ms,
> and preferably make it run-time configurable.
>
>
>
> the patch below is a working patch, attached for the purpose of
> discussion.
>
So this patch just replaces one hard-coded value with another. The
previous default (presumably) works for others (at least I don't recall
this issue coming up before) - but isn't working for you. Wouldn't it be
better to keep the default as it is, but provide a mechanism for
changing it for those that want to?
BTW, this discussion is probably better placed on openssl-dev as it is
about development of OpenSSL itself.
Matt
>
>
>
> From 70a72c5102bab63373169615d3b26ded8399f227 Mon Sep 17 00:00:00 2001
> From: "Alfred E. Heggestad" <alfred.heggestad at wire.com>
> Date: Fri, 6 May 2016 15:31:20 +0200
> Subject: [PATCH] dtls: reduce initial timeout from 1.0 to 0.5 seconds
>
> ---
> ssl/d1_lib.c | 9 +++++++--
> ssl/d1_pkt.c | 2 +-
> ssl/dtls1.h | 4 ++--
> 3 files changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
> index ee78921..027d893 100644
> --- a/ssl/d1_lib.c
> +++ b/ssl/d1_lib.c
> @@ -359,6 +359,8 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
>
> void dtls1_start_timer(SSL *s)
> {
> + struct timeval diff;
> +
> #ifndef OPENSSL_NO_SCTP
> /* Disable timer for SCTP */
> if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
> @@ -369,14 +371,17 @@ void dtls1_start_timer(SSL *s)
>
> /* If timer is not set, initialize duration with 1 second */
> if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec
> == 0) {
> - s->d1->timeout_duration = 1;
> + s->d1->timeout_duration = 0.5;
> }
>
> /* Set timeout to current time */
> get_current_time(&(s->d1->next_timeout));
>
> /* Add duration to current time */
> - s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
> + diff.tv_sec = 0;
> + diff.tv_usec = 1000000*s->d1->timeout_duration;
> + timeradd(&s->d1->next_timeout, &diff, &s->d1->next_timeout);
> +
> BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
> &(s->d1->next_timeout));
> }
> diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
> index fe30ec7..3330fd6 100644
> --- a/ssl/d1_pkt.c
> +++ b/ssl/d1_pkt.c
> @@ -1502,7 +1502,7 @@ int do_dtls1_write(SSL *s, int type, const
> unsigned char *buf,
> * will happen with non blocking IO
> */
> if (s->s3->wbuf.left != 0) {
> - OPENSSL_assert(0); /* XDTLS: want to see if we ever get
> here */
> + /*OPENSSL_assert(0);*/ /* XDTLS: want to see if we ever
> get here */
> return (ssl3_write_pending(s, type, buf, len));
> }
>
> diff --git a/ssl/dtls1.h b/ssl/dtls1.h
> index 30bbcf2..077fee5 100644
> --- a/ssl/dtls1.h
> +++ b/ssl/dtls1.h
> @@ -225,8 +225,8 @@ typedef struct dtls1_state_st {
> * Indicates when the last handshake msg or heartbeat sent will
> timeout
> */
> struct timeval next_timeout;
> - /* Timeout duration */
> - unsigned short timeout_duration;
> + /* Timeout duration in Seconds */
> + double timeout_duration;
> /*
> * storage for Alert/Handshake protocol data received but not yet
> * processed by ssl3_read_bytes:
