Great, thanks for this very clear description, I passed it along to the Licode developers, and hopefully we can put this sucker to rest. I also included your recommendation to upgrade, which is something I've been bugging them to do for a while :)

On Sun, Sep 18, 2016 at 1:37 AM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 18/09/16 01:01, Chad Phillips wrote:
> > On Sat, Sep 17, 2016 at 3:43 PM, Matt Caswell <matt at openssl.org
> > <mailto:matt at openssl.org>> wrote:
> >
> >     There is an OpenSSL API which is intended to resolve this issue:
> >
> >     DTLSv1_handle_timeout()
> >
> >     The application is expected to call this periodically during the
> >     handshake if no other data has been sent or received. This causes
> >     OpenSSL to check its timer and do any retransmits if necessary. If
> >     licode doesn't call this, then it's plausible that this is the cause
> >     of the issue.
> >
> >
> > "grep -r DTLSv1_handle_timeout ." in the Licode source directory returns
> > nothing, so we may have our culprit!
> >
> > Curious what versions of openssl support the DTLSv1_handle_timeout()
> > approach? I know the Licode guys run 1.0.1g, it would be great if a
> > single solution could be committed that was backwards compatible.
>
> Yes, DTLSv1_handle_timeout() is available in 1.0.1 as well. BTW there
> have been many DTLS bug and security fixes since 1.0.1g which is now
> quite old. The 1.0.1 series is now only receiving security fixes, and
> will go out of support completely at the end of the year. It is strongly
> recommended that they upgrade to a more recent version.
>
> >
> >
> > Is there anything special I should know about how to use
> > DTLSv1_handle_timeout()? Just have it run on a timer until the handshake
> > completes? I guess I'm asking for some pre-documentation ;)
>
> Well the best way to use it is going to depend a lot on how the
> application is written. The API is fairly simple - just call
> DTLSv1_handle_timeout() periodically passing in the pointer to the SSL
> object. In our own s_server/s_client we just call it every time we go
> around the "select" loop on the socket. We ensure that the "select" call
> doesn't block indefinitely, but instead times out after the DTLS timer
> period has expired. We then call DTLSv1_handle_timeout() regardless of
> whether "select" has returned because the socket is readable, or because
> it has timed out. A (slightly modified and simplified) version of what
> we do in s_server is below:
>
>     FD_ZERO(&readfds);
>     FD_SET(s, &readfds);
>
>     /* DTLSv1_get_timeout() returns 0 when no retransmit timer is running */
>     if (DTLSv1_get_timeout(con, &timeout))
>         timeoutp = &timeout;
>     else
>         timeoutp = NULL;
>
>     i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
>
>     /* called unconditionally: it only retransmits if the timer expired */
>     if (DTLSv1_handle_timeout(con) > 0) {
>         BIO_printf(bio_err, "TIMEOUT occurred\n");
>     }
>
>     if (i <= 0)
>         continue;
>
>     if (FD_ISSET(s, &readfds))
>         read_from_sslcon = 1;
>
> Matt
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users