Hi Michael,
Please ignore the previous mail. It got sent by mistake.
I have provided my comments below.
Thanks in advance.
Regards,
Nivedita
On Wed, Feb 14, 2018 at 10:22 AM, Nivedita <maddi.nivedita@xxxxxxxxx> wrote:
Hi Michael,
Thanks for the reply. I have mentioned the answers below.
On Wed, Feb 14, 2018 at 12:21 AM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
From: Michael Richardson <mcr@xxxxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: DTLS over UDP
Date: Tue, 13 Feb 2018 13:51:10 -0500
Nivedita <maddi.nivedita@xxxxxxxxx> wrote:
> I am trying to establish a DTLS over UDP connection by using the
> DTLSv1_listen method.
> I have followed the below steps -
> 1. Created a server socket and, using this socket, created the bio and ssl objects.
>    bio = BIO_new_dgram(VI_sock, BIO_NOCLOSE);
>    SSL_set_bio(ssl, VP_bio, VP_bio);
> 2. Enabled cookie exchange on the SSL object.
>    SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
> 3. Then started listening with DTLSv1_listen for new client
>    connections. Once DTLSv1_listen is successful, I get the peer
>    address.
okay.
Nivedita- Here the ssl object is created on the server socket, and the same ssl is passed to the DTLSv1_listen method.
Nivedita- All the above-mentioned steps I am doing on the server side. On the client side I have already initiated SSL_connect. On the server side, when I am listening using the DTLSv1_listen method -
while ((VI_res = DTLSv1_listen(VP_ssl, &VS_client_addr)) <= 0);
Now I get the client_addr from the DTLSv1_listen method.
> 4. Once I got the client address, I create one new socket.
> 5. With the new socket I tried to connect to the client address.
Do you mean, you call "SSL_connect()"?
Or do you mean you bind(2) and connect(2) the socket.
Nivedita- Once I got the client address from DTLSv1_listen, I create one more socket and try to connect to the client address which I got from the DTLSv1_listen method:
VI_res = connect(VI_new_sock_id, (struct sockaddr *)&VS_client_addr, sizeof(VS_client_addr));
> 6. Then I am trying to do SSL_accept on the new socket after calling
> BIO_set_fd.
> BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);
> BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0,
>          &VS_client_addr);
> SSL_set_fd(VP_ssl, VI_new_sock_id);
So, SSL_set_fd() will allocate a new bio, which probably undoes the effect
of calling BIO_CTRL_DGRAM_SET_CONNECTED. Since you have set the fd of
the existing BIO, I think you can omit that line.
Nivedita - I have removed SSL_set_fd and tried with only BIO_set_fd and BIO_ctrl, but SSL_accept still always returns -1 with an error code of 2.
VI_res = BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);
VI_res = BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &VS_client_addr);
SSL_set_accept_state(VP_ssl);
VI_res = SSL_accept(VP_ssl);
This ssl object is the same one which we passed to the DTLSv1_listen method. Actually, I am trying to do the SSL_accept on a different socket for every client, even though
DTLSv1_listen happens on the server socket. Could you please let me know if this is possible?
> VI_res = SSL_accept(VP_ssl);
> But SSL_accept always returns error code 2 [i.e. want read or want
> write].
> But if I do SSL_accept without doing step no. 6, it will be
> successful.
Yes.
> Could someone please let us know how to switch to the newly created socket,
> so that it can be used for further read and
> write operations while the original server socket keeps listening for
> new connections?
Do you expect additional connections on the existing socket?
I've been working on some new API to make this all easier.
Nivedita - Yes, we have multiple peers which try to connect to the same server, so in that case I need different sockets: one for listening and one per client for read/write operations.
Your method may fail if you have bound your "listen" to :: (0.0.0.0),
and you have multiple IPs. In my case, I expect connections over IPv6 LL
addresses, and there are always multiple of those, and ifindex issues as well.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users