DTLS over UDP

DTLS over UDP

Nivedita
Hi All,

I am trying to establish a DTLS over UDP connection using the DTLSv1_listen method.

I have followed the below steps:
1. Created a server socket and, using this socket, created the BIO and SSL object.
      bio = BIO_new_dgram(VI_sock, BIO_NOCLOSE);
      SSL_set_bio(ssl, VP_bio, VP_bio);

2. Enabled cookie exchange on the SSL object.
     SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);

3. Then started listening for new client connections using DTLSv1_listen. Once DTLSv1_listen is successful, I get the peer address.

4. Once I have the peer address, I create one more socket.

5. With the new socket I try to connect to the peer address.

6. Then I try to do SSL_accept on the new socket after calling BIO_set_fd.

 BIO_set_fd(SSL_get_rbio(ssl), VI_new_sock_id, BIO_NOCLOSE);
 BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);
 SSL_set_fd(ssl, VI_newsock_id);

  VI_res = SSL_accept(ssl);

But SSL_accept always returns error code 2 [i.e. want read or want write].

But if I do SSL_accept without doing step 6, it is successful.

Could someone please let us know how to switch to the newly created socket, so that it can be used for further read and write operations while the original server socket keeps listening for new connections?
   

Regards,
Nivedita


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: DTLS over UDP

Michael Richardson

Nivedita <[hidden email]> wrote:
    > I am trying to establish DTLS over UDP connection by using
    > DTLSv1_listen method .

    > I have followed the below steps - 1. Created a server socket and using
    > this socket created bio and ssl object.  bio =
    > BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);

    > 2. Enable cookie exchange on SSL object.  SSL_set_options(ssl,
    > SSL_OP_COOKIE_EXCHANGE);

    > 3. Then started listening using dtlsv1_listen for the new client
    > connections.  Once dtlsv1_listen is successful and i got the peer
    > address.

okay.

    > 4. Once i got the peer address , i am creating one more socket
    > 5. With the new socket i tried to connect to peer address.

Do you mean, you call "SSL_connect()"?
Or do you mean you bind(2) and connect(2) the socket.

    > 6. Then i am trying to do ssl_accept on the new socket by calling
    > bio_set_fd.

    > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);

    > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
    > &client_addr);

    > SSL_set_fd(ssl,VI_newsock_id);

So, SSL_set_fd() will allocate a new BIO, which probably undoes the effect
of calling BIO_CTRL_DGRAM_SET_CONNECTED.  Since you have set the fd of
the existing BIO, I think you can omit that line.


    > VI_res = SSL_accept(ssl);

    > But ssl_accept will always return error code 2 [ i.e want read or want
    > write]

    > But if i am doing ssl_accept without doing the step no 6 it it will be
    > successful.

Yes.

    > Could someone please let us know how to switch to newly created socket,
    > so that it can start using newly created socket for further read and
    > write operations and original server socket will keep on listening for
    > new connections.

Do you expect additional connections on the existing socket?
I've been working on some new API to make this all easier.

Your method may fail if you have bound your "listen" to :: (0.0.0.0),
and you have multiple IPs.  In my case, I expect connections over IPv6 LL
addresses, and there are always multiple of those, and ifindex issues as well.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [


Fwd: DTLS over UDP

Nivedita

Hi Michael,

   Please ignore the previous mail. It got sent by mistake.
 I have provided my comments below.

Thanks in advance.
Regards,
Nivedita

On Wed, Feb 14, 2018 at 10:22 AM, Nivedita <[hidden email]> wrote:
Hi Michael,

Thanks for the reply.

I have mentioned the answers below. 

     

On Wed, Feb 14, 2018 at 12:21 AM, Michael Richardson <[hidden email]> wrote:
Date: Tue, 13 Feb 2018 13:51:10 -0500
Nivedita <[hidden email]> wrote:
    > I am trying to establish DTLS over UDP connection by using
    > DTLSv1_listen method .

    > I have followed the below steps - 1. Created a server socket and using
    > this socket created bio and ssl object.  bio =
    > BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);

    > 2. Enable cookie exchange on SSL object.  SSL_set_options(ssl,
    > SSL_OP_COOKIE_EXCHANGE);

    > 3. Then started listening using dtlsv1_listen for the new client
    > connections.  Once dtlsv1_listen is successful and i got the peer
    > address.

okay.
       Nivedita - Here the SSL object is created on the server socket and the same SSL object is passed to the DTLSv1_listen method.

   Nivedita - All the above mentioned steps I am doing on the server side. On the client side I have already initiated SSL_connect.
                  On the server side, when I am listening using the DTLSv1_listen method:

                  while ((VI_res = DTLSv1_listen(VP_ssl, &VS_client_addr)) <= 0);
               Now I have the client_addr from the DTLSv1_listen method.
  
    > 4. Once i got the client address , i am creating one new socket
    > 5. With the new socket i tried to connect to client address.

Do you mean, you call "SSL_connect()"?
Or do you mean you bind(2) and connect(2) the socket.

          Nivedita - Once I have the client address from DTLSv1_listen, I create one more socket and try to connect to the client address that I got from the DTLSv1_listen method.

               VI_res = connect(VI_new_sock_id, (struct sockaddr *)&client_addr, sizeof(client_addr));
              

    > 6. Then i am trying to do ssl_accept on the new socket by calling
    > bio_set_fd.

    > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);

    > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
    > &client_addr);

    > SSL_set_fd(ssl,VI_newsock_id);

So, SSL_set_fd() will allocate a new BIO, which probably undoes the effect
of calling BIO_CTRL_DGRAM_SET_CONNECTED.  Since you have set the fd of
the existing BIO, I think you can omit that line.

        Nivedita - I have removed SSL_set_fd and tried with just BIO_set_fd and BIO_ctrl, but SSL_accept still always returns -1 with error code 2.

                         VI_res = BIO_set_fd(SSL_get_rbio(VP_ssl), VI_new_sock_id, BIO_NOCLOSE);
                         VI_res = BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);

                         SSL_set_accept_state(VP_ssl);
                         VI_res = SSL_accept(ssl);

       This SSL object is the same one we passed to the DTLSv1_listen method. Actually I am trying to do the SSL_accept on a different socket for every client, even though
      DTLSv1_listen happens on the server socket. Could you please let me know if it is possible.

 
    > VI_res = SSL_accept(ssl);

    > But ssl_accept will always return error code 2 [ i.e want read or want
    > write]

    > But if i am doing ssl_accept without doing the step no 6 it it will be
    > successful.

Yes.

    > Could someone please let us know how to switch to newly created socket,
    > so that it can start using newly created socket for further read and
    > write operations and original server socket will keep on listening for
    > new connections.

Do you expect additional connections on the existing socket?
I've been working on some new API to make this all easier.

       Nivedita - Yes, we have multiple peers which try to connect to the same server, so in that case I need different sockets for listening operations and for read/write operations [one per client].

Your method may fail if you have bound your "listen" to :: (0.0.0.0),
and you have multiple IPs.  In my case, I expect connections over IPv6 LL
addresses, and there are always multiple of those, and ifindex issues as well.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [


Re: DTLS over UDP

Nivedita
In reply to this post by Michael Richardson
Hi Michael,

Please find the response inline.

Regards,
Nivedita

On Wed, Feb 14, 2018 at 10:55 PM, Michael Richardson <[hidden email]> wrote:

Nivedita <[hidden email]> wrote:
    > Hi Michael,

    > Thanks for the reply.

    > I have mentioned the answers below.

>okay. I saw only one comment.  Maybe you could use standard usenet quoting?
>Tell me a bit more about what you are working on?
>I'm trying to make CoAP+DTLS work with the ruby-on-rails "David" CoAP server.
 
 Nivedita - We are using C and socket programming to establish DTLS over UDP for SIP communication.
 
    > Nivedita <[hidden email]> wrote:
    >> I am trying to establish DTLS over UDP connection by using
    >> DTLSv1_listen method .

    >> I have followed the below steps - 1. Created a server socket and using
    >> this socket created bio and ssl object. bio =
    >> BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);

    >> 2. Enable cookie exchange on SSL object. SSL_set_options(ssl,
    >> SSL_OP_COOKIE_EXCHANGE);

    >> 3. Then started listening using dtlsv1_listen for the new client
    >> connections. Once dtlsv1_listen is successful and i got the peer
    >> address.

    mcr> okay.


    > Nivedita- All the above mentioned steps i am doing on server side . On the
    > client side i have already initiated ssl_connect.
    > On the server side when i am listening using dtlsv1_listen method -

    >> 4. Once i got the peer address , i am creating one more socket
    >> 5. With the new socket i tried to connect to peer address.

 >  mcr> Do you mean, you call "SSL_connect()"?
 >  mcr> Or do you mean you bind(2) and connect(2) the socket.
    >You didn't answer this.
    >You imply you might have tried "SSL_connect()" on the server side.  
     
  Nivedita - SSL_connect is already issued on the client side, which triggered the server; DTLSv1_listen was successful and I got the peer address from DTLSv1_listen.
               Then, once I have the client address from the DTLSv1_listen method, I create one more socket and try to connect to this client address.

                VI_res = connect(VI_new_sock_id, (struct sockaddr *)&client_addr, sizeof(client_addr));
           I am able to connect to the client address that I got from the DTLSv1_listen method using the new socket id, and I want to do the SSL_accept on the new socket id by issuing BIO_set_fd and BIO_ctrl.
          But SSL_accept fails with error code 2.

                BIO_set_fd(SSL_get_rbio(ssl), VI_new_sock_id, BIO_NOCLOSE);
                BIO_ctrl(SSL_get_rbio(VP_ssl), BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);
                SSL_accept(VP_ssl);
     I would like to mention that VP_ssl is created using the server socket id, but we are trying to do SSL_accept on the newly created socket id, which is connected to the peer address [got from the DTLSv1_listen method], so that we can use this socket for further read/write operations and the server socket for listening operations.


    >> 6. Then i am trying to do ssl_accept on the new socket by calling
    >> bio_set_fd.

    >> BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);

    >> BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
    >> &client_addr);

    >> SSL_set_fd(ssl,VI_newsock_id);

    mcr> So, SSL_set_fd() will allocate a new BIO, which probably undoes the effect
    mcr> of calling BIO_CTRL_DGRAM_SET_CONNECTED. Since you have set the fd of
    mcr> the existing BIO, I think you can omit that line.

Please omit the SSL_set_fd(), since you've already done it.

I have a pull request at:
    https://github.com/openssl/openssl/pull/5024

which I am reworking to suit the OpenSSL team.
I am solving the same problem that you have encountered.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [



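Added example, written for this page and not taken from the thread or from OpenSSL. The hand-off described in the thread creates a fresh UDP socket and connect()s it to the peer but never bind()s it, so the new socket gets an ephemeral local port. The client keeps sending its next flight to the server port it already knows, so nothing ever arrives on the new socket and SSL_accept() has nothing to read, which is exactly a persistent SSL_ERROR_WANT_READ. The usual fix (the pattern the OpenSSL DTLS echo example follows) is to bind the per-client socket to the listener's own local address:port, with SO_REUSEADDR on both sockets, and then connect() it to the peer: the kernel delivers that peer's datagrams to the connected socket and everyone else's to the listener. The program below runs both variants over loopback with plain POSIX sockets. The DTLS handshake itself is not part of it, so the two "ClientHello" payloads are constructed placeholder strings, and all function and variable names are the example's own.

```c
/* Added example, not code from the thread or from OpenSSL: hand a DTLS peer off
 * from the shared listening UDP socket to a per-client connected socket. Plain
 * POSIX sockets; the handshake is out of scope, so the payloads are placeholders. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* 200 ms receive timeout: a failed hand-off times out instead of blocking
 * forever (the thread's SSL_accept() stuck in WANT_READ). */
static int set_rcv_timeout(int fd) {
    struct timeval tv = { 0, 200 * 1000 };
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* Let several UDP sockets bind the same local address:port; needed on the
 * listener and on every per-client socket, before bind(). */
static int set_reuse(int fd) {
    int one = 1;
#ifdef __APPLE__
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof one) < 0) return -1;
#endif
    return setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
}

/* Shared listener on an explicit loopback address, kernel-chosen port.
 * Fills *out with the bound address; returns the fd or -1. */
int open_listener(struct sockaddr_in *out) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (set_reuse(fd) < 0 || set_rcv_timeout(fd) < 0 ||
        bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)out, &alen) < 0) { close(fd); return -1; }
    return fd;
}

/* The thread's hand-off: socket() + connect() with no bind(). The socket gets
 * an ephemeral port, so the client's next datagram (sent to the listener's
 * port) can never reach it. */
int handoff_unbound(const struct sockaddr_in *peer) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (set_rcv_timeout(fd) < 0 ||
        connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) { close(fd); return -1; }
    return fd;
}

/* Working hand-off: bind the per-client socket to the listener's own local
 * address:port, then connect() it to the peer. The kernel now delivers that
 * peer's datagrams here and everyone else's to the listener. */
int handoff_bound(int listen_fd, const struct sockaddr_in *peer) {
    struct sockaddr_in local;
    socklen_t llen = sizeof local;
    int fd;
    if (getsockname(listen_fd, (struct sockaddr *)&local, &llen) < 0) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    if (set_reuse(fd) < 0 || set_rcv_timeout(fd) < 0 ||
        bind(fd, (struct sockaddr *)&local, sizeof local) < 0 ||
        connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) { close(fd); return -1; }
    return fd;
}

/* Drive the scenario over loopback. Returns 1 if the client's second datagram
 * arrived on the per-client socket, 0 if it did not (the listener got it),
 * -1 on a setup error. */
int run_scenario(int use_bound_handoff) {
    static const char hello1[] = "ClientHello(no cookie)";   /* constructed */
    static const char hello2[] = "ClientHello(with cookie)"; /* constructed */
    struct sockaddr_in srv, peer;
    socklen_t plen = sizeof peer;
    char buf[64];
    ssize_t n;
    int result = -1, pfd = -1, cfd = -1, lfd = open_listener(&srv);
    if (lfd < 0) return -1;
    if ((cfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) goto out;
    /* 1. First flight hits the shared listener; this is where DTLSv1_listen()
     *    would run the cookie exchange and report the peer address. */
    if (sendto(cfd, hello1, sizeof hello1, 0, (struct sockaddr *)&srv, sizeof srv) < 0 ||
        recvfrom(lfd, buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen) < 0) goto out;
    /* 2. Hand the peer off to its own socket. */
    pfd = use_bound_handoff ? handoff_bound(lfd, &peer) : handoff_unbound(&peer);
    if (pfd < 0) goto out;
    /* 3. The client keeps sending to the server port it knows; this datagram
     *    must land on the per-client socket, or SSL_accept() would starve. */
    if (sendto(cfd, hello2, sizeof hello2, 0, (struct sockaddr *)&srv, sizeof srv) < 0) goto out;
    n = recv(pfd, buf, sizeof buf, 0);
    result = (n == (ssize_t)sizeof hello2 && memcmp(buf, hello2, sizeof hello2) == 0) ? 1 : 0;
out:
    if (pfd >= 0) close(pfd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return result;
}
```

run_scenario(1) returns 1 and run_scenario(0) returns 0: with the bound hand-off the second datagram reaches the per-client socket, with the thread's unbound hand-off it goes to the listener and the per-client recv() times out. To wire the working variant into OpenSSL, wrap the fd returned by handoff_bound() in a new BIO_new_dgram(fd, BIO_NOCLOSE), issue BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &peer) on that BIO, attach it with SSL_set_bio() to the SSL object that DTLSv1_listen succeeded on (it holds the verified ClientHello state, so it is the one to move), and only then call SSL_accept(); create a fresh SSL object on the listening BIO for the next DTLSv1_listen. Two caveats a deployment needs: the listener must also have SO_REUSEADDR set before its own bind(), or the per-client bind() fails with EADDRINUSE; and if the listener is bound to 0.0.0.0 or :: (the case Michael raises), getsockname() returns the wildcard and, on a multi-homed host, replies may leave from a different source address than the one the client sent to. In that case bind the per-client socket to the specific local address recovered from the incoming datagram (IP_PKTINFO / IPV6_RECVPKTINFO), not to what getsockname() reports.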