On 18/09/16 01:01, Chad Phillips wrote:
> On Sat, Sep 17, 2016 at 3:43 PM, Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>
>     There is an OpenSSL API which is intended to resolve this issue:
>
>     DTLSv1_handle_timeout()
>
>     The application is expected to call this periodically during the
>     handshake if no other data has been sent or received. This causes
>     OpenSSL to check its timer and do any retransmits if necessary. If
>     licode doesn't call this, then it's plausible that this is the cause
>     of the issue.
>
>
> "grep -r DTLSv1_handle_timeout ." in the Licode source directory returns
> nothing, so we may have our culprit!
>
> Curious what versions of openssl support the DTLSv1_handle_timeout()
> approach? I know the Licode guys run 1.0.1g; it would be great if a
> single solution could be committed that was backwards compatible.

Yes, DTLSv1_handle_timeout() is available in 1.0.1 as well.

BTW there have been many DTLS bug and security fixes since 1.0.1g, which
is now quite old. The 1.0.1 series is now only receiving security fixes,
and will go out of support completely at the end of the year. It is
strongly recommended that they upgrade to a more recent version.

> Is there anything special I should know about how to use
> DTLSv1_handle_timeout()? Just have it run on a timer until the handshake
> completes? I guess I'm asking for some pre-documentation ;)

Well the best way to use it is going to depend a lot on how the
application is written. The API is fairly simple - just call
DTLSv1_handle_timeout() periodically, passing in the pointer to the SSL
object.

In our own s_server/s_client we just call it every time we go around the
"select" loop on the socket. We ensure that the "select" call doesn't
block indefinitely, but instead times out after the DTLS timer period
has expired. We then call DTLSv1_handle_timeout() regardless of whether
"select" has returned because the socket is readable, or because it has
timed out.
A (slightly modified and simplified) version of what we do in s_server is
below:

    /* Wait for the socket, but never longer than the DTLS retransmit timer. */
    FD_ZERO(&readfds);
    FD_SET(s, &readfds);
    if (DTLSv1_get_timeout(con, &timeout))
        timeoutp = &timeout;    /* timer armed: bound the wait */
    else
        timeoutp = NULL;        /* no timer: block until readable */
    i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
    /* Check the timer on every pass; > 0 means it expired and the last
     * flight has just been retransmitted. */
    if (DTLSv1_handle_timeout(con) > 0) {
        BIO_printf(bio_err, "TIMEOUT occurred\n");
    }
    if (i <= 0)
        continue;               /* timed out (or error): nothing to read */
    if (FD_ISSET(s, &readfds))
        read_from_sslcon = 1;

Matt