Hi All,
Below is our scenario on DTLS.
We have multiple connections to the same server. We have mapped one fd to the ssl in the server to receive all connections.
Whenever a connect is initiated from any client we need to know if it is already connected client or a new client. We are doing this by
- creating bio/ssl each time a polling happens on the server fd
- fetching the peer using BIO_dgram_get_peer after ssl_accept
- Comparing it to the internally maintained list of peer
- If it is a new peer we continue with handshake but if it is old peer we do the ssl_read.
The problem is that there are 2 bio/ssl that gets created for the same fd(when there are 2 clients) and the peer end up writing to latest of them and we don't get the message on the intended ssl.
Hence we are checking for a way to detach and remove the ssl/bio that gets created in already connected cases.
Any help is appreciated.
Any APIs available to close up the 2nd ssl associated with the fd. ssl_clear and ssl_free does not work.
Thanks,
Grace
On Thu, Jan 11, 2018 at 6:30 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
--
Grace Priscilla Jero <grace.priscilla@xxxxxxxxx> wrote:
> We are having a scenario wherein we are having 2 BIOs for DTLS
> attached to the same fd. Each BIO has a different SSL associated with
> it. The messages are getting written to different BIO each time and we
> are trying to resolve it.
> Is there a API or any way to detach one of the BIO/SSL from the fd for
> DTLS?
No. How did you get into that situation in the first place?
My belief is that the DTLS API is suitable for (Secure)RTP only, and not for
CoAP-type usage. (or other DTLS server end-point usage)
According to some source code comments, you should have called connect() on
the socket after the first connection was received, and then (or
previously... there are race conditions either way), opened a new
socket.
I ran into this, and I wound up creating a new API, which is in a pull
request:
https://github.com/openssl/openssl/pull/5024
https://github.com/mcr/openssl/tree/dtls-listen-refactor
Sadly, the new test case I wrote is not running consistently, which I'm still
debugging.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users