DTLS-over-UDP client example


aleksandr.derevianko
Hello!

I'm completely new to OpenSSL, but really need to implement a simple application which will use DTLS over UDP.

Unfortunately, it seems that all examples which I can find correctly implement a DTLS server, but do not implement the DTLS client side.

For example, this one:

https://github.com/nplab/DTLS-Examples/blob/master/src/dtls_udp_echo.c

implements both client and server, but all connections from client to server have no encoding:
SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) returns "NULL-SHA256";
It's because the client side sets SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

If I try to connect to the dtls_udp_echo application in server mode using openssl s_client, it connects successfully and with encoding enabled ("AES256-SHA").

If I change the client side SSL_CTX_set_cipher_list to "ALL" or "AES256:SHA", SSL_connect() on the client hangs forever.

I think the reason is that the server side requires cookie exchange, and the client side doesn't implement it.
At least, if I connect using openssl s_client, on the server side both verify_cookie and generate_cookie are called.
If I use the example client, only generate_cookie is called.
The client just hangs forever, sending packets to the server every few seconds until the timeout expires (~8 minutes) and returns

    SSL_connect: Resource temporarily unavailable
    error:1413C138:SSL routines:dtls1_check_timeout_num:read timeout expired


It seems to me that for a DTLS connection, SSL_connect() doesn't implement the cookie exchange.

I tried to dig inside the openssl s_client source code, but it's really too complex for me; it seems like s_client doesn't use
SSL_connect, instead using more low-level functions.


So, does anybody have any simple client-side implementation of a DTLS over UDP connection?


-- 
Александр Деревянко/Aleksander Derevianko
Head of the New Hardware and Software Department
Bombardier Transportation (Signal) Ltd.
T:   +74959255370 ext. 265
M: +79859229755

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: DTLS-over-UDP client example

Richard Weinberger-3
On Thu, Sep 13, 2018 at 3:51 PM <[hidden email]> wrote:
> I tried to dig inside the openssl s_client source code, but it's really too complex for me; it seems like s_client doesn't use
> SSL_connect, instead using more low-level functions.
>
>
> So, does anybody have any simple client-side implementation of DTLS over UDP connection?

https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
... is a good example.

In case you are on 1.1.x, please also see:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008498.html

OpenSSL badly regressed in 1.1.x wrt. DTLS.

--
Thanks,
//richard
Re: DTLS-over-UDP client example

aleksandr.derevianko
Hello!

17.09.2018, 16:26, "Richard Weinberger" <[hidden email]>:
> On Thu, Sep 13, 2018 at 3:51 PM <[hidden email]> wrote:
>>  I tried to dig inside the openssl s_client source code, but it's really too complex for me; it seems like s_client doesn't use
>>  SSL_connect, instead using more low-level functions.
>>
>>  So, does anybody have any simple client-side implementation of DTLS over UDP connection?
>
> https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
> ... is a good example.

Unfortunately, it's exactly this example which I use. You have pointed at a slightly different version,
but the only difference is:

        SSL_CTX_set_cookie_verify_cb(ctx, &verify_cookie);
instead of
        SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);

        ctx = SSL_CTX_new(DTLS_client_method());
instead of
        ctx = SSL_CTX_new(DTLSv1_client_method());


I have tried it; it works exactly the same.

In both versions, on the client side the cipher_list is:
        SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");

With such a list it works, but without encoding (data is sent in cleartext, connection established as Cipher: NULL-SHA)

and if I remove eNULL on the client side, it doesn't connect - the server waits for a repeat of the client cookie forever.

At the same time, "openssl s_client -dtls1 ..." connects fine, with Cipher: AES256-SHA

>
> In case you are on 1.1.x, please also see:
> https://mta.openssl.org/pipermail/openssl-users/2018-August/008498.html
>
> OpenSSL badly regressed in 1.1.x wrt. DTLS.
>

Actually, I use openssl-1.0.2o_2,1
Also, this "regression" is for a multi-threaded server, not for a single-threaded client.


Re: DTLS-over-UDP client example

Richard Weinberger-3
On Tue, Sep 18, 2018 at 9:18 AM <[hidden email]> wrote:
> Unfortunately, it's exactly this example which I use. You have pointed at a slightly different version,

> but all difference is:
>
>         SSL_CTX_set_cookie_verify_cb(ctx, &verify_cookie);
> instead of
>         SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
>
>         ctx = SSL_CTX_new(DTLS_client_method());
> instead of
>     ctx = SSL_CTX_new(DTLSv1_client_method());
>
>
> I have tried it; it works exactly the same.
>
> In both versions, on client side cipher_list is:
>         SSL_CTX_set_cipher_list(ctx, "eNULL:!MD5");
>
> With such a list it works, but without encoding (data is sent in cleartext, connection established as Cipher: NULL-SHA)
>
> and if I remove eNULL on the client side, it doesn't connect - the server waits for a repeat of the client cookie forever.
>
> At the same time,  "openssl s_client -dtls1   ..." connects fine, with Cipher: AES256-SHA

Then debug why the server is ignoring the client request.
OpenSSL has good debug output, in worst case add new prints...

Re: DTLS-over-UDP client example

aleksandr.derevianko
Hello!

>>
>>  With such a list it works, but without encoding (data is sent in cleartext, connection established as Cipher: NULL-SHA)
>>
>>  and if I remove eNULL on the client side, it doesn't connect - the server waits for a repeat of the client cookie forever.
>>
>>  At the same time, "openssl s_client -dtls1 ..." connects fine, with Cipher: AES256-SHA
>
> Then debug why the server is ignoring the client request.
> OpenSSL has good debug output, in worst case add new prints...
>

Actually, I have traced it to the ClientHello cookie exchange: the test client connects to the server, the server calls generate_cookie() and never calls verify_cookie().

If I connect to the test server using openssl s_client, the server calls both generate_cookie() and verify_cookie(), and the connection is established.

If I put eNULL back in the client cipher list, the server does not call generate_cookie(), and the connection goes OK.

If I comment out SSL_CTX_set_cookie_generate_cb() on the server side, it still doesn't connect using the test client but still connects using openssl s_client.
