How to determine if a ssl object is using a DTLS method?

How to determine if a ssl object is using a DTLS method?

John Lane Schultz
Hi all,

I wrote generic wrappers for handling both TLS + DTLS accept and connect logic in a non-blocking manner.

My problem is that with DTLS (but not TLS) ssl objects I need to set my own timers for implementing reliability of msgs by calling, for example, DTLSv1_get_timeout and DTLSv1_handle_timeout.  (TCP handles this for TLS automatically)

Therefore, I need to check if the ssl on which I’m operating is a DTLS or a TLS ssl object.  Is there an easy and good way to do this?

I can do a brute force method of calling SSL_get_ssl_method and then checking it against all the methods I know (e.g. - DTLSv1_method(), DTLSv1_client_method(), DTLSv1_server_method, etc.) but that seems ugly and fragile, especially as more methods are added in the future.

Can anyone suggest a better way to figure out if I need to do special DTLS handling on a ssl object or not?

Cheers!

-----
John Lane Schultz
Spread Concepts LLC
Cell: 443 838 2200

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: How to determine if a ssl object is using a DTLS method?

Scott Neugroschl-2
Use getsockopt(SO_TYPE) on the underlying socket?




Re: How to determine if a ssl object is using a DTLS method?

John Lane Schultz
Thanks! That will work.

A system call is pretty heavy weight though, is there a cheaper OpenSSL way of determining the same?

Cheers!

-----
John Lane Schultz
Spread Concepts LLC
Cell: 443 838 2200


Re: How to determine if a ssl object is using a DTLS method?

Dr. Stephen Henson
On Mon, Nov 24, 2014, John Lane Schultz wrote:

> Thanks! That will work.
>
> A system call is pretty heavy weight though, is there a cheaper OpenSSL way of determining the same?
>

Well getting the version number is one way but you have to check more than one
version if it can use the broken version number or for OpenSSL 1.0.2
(it supports DTLS 1.2 as well).

A similar way to that already suggested is to check the type of BIO used. If
it is a datagram BIO it's DTLS, if a socket BIO, TLS; that avoids any system
calls.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
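Steve's first suggestion, the version-number check, as an added example that is not code from the thread or from OpenSSL: it shows why comparing against a single DTLS version is not enough. The macros are assumed to carry the same values as OpenSSL's ssl.h/dtls1.h so the block compiles without linking OpenSSL; in real code include <openssl/ssl.h> and pass the result of SSL_version(ssl).

```c
#include <stdio.h>

/* Version constants assumed to match OpenSSL's ssl.h / dtls1.h values. */
#define TLS1_VERSION    0x0301
#define TLS1_2_VERSION  0x0303
#define DTLS1_VERSION   0xFEFF  /* DTLS 1.0 (RFC 4347): one's complement of {1, 0} */
#define DTLS1_2_VERSION 0xFEFD  /* DTLS 1.2 (RFC 6347): one's complement of {1, 2} */
#define DTLS1_BAD_VER   0x0100  /* pre-standard DTLS 1.0 still accepted by OpenSSL */

/* Classify a value as returned by SSL_version().  Comparing against
 * DTLS1_VERSION alone misses DTLS 1.2 and the pre-standard version:
 * that is the "check more than one version" caveat from the thread. */
int is_dtls_version(int ver)
{
    if (ver == DTLS1_BAD_VER)
        return 1;
    /* Standard DTLS stores the one's complement of {major, minor},
     * so every real DTLS version carries 0xFE in its high byte. */
    return ((ver >> 8) & 0xFF) == 0xFE;
}

/* Decode a DTLS version into major/minor; returns 0 for a TLS version. */
int dtls_version_decode(int ver, int *major, int *minor)
{
    if (ver == DTLS1_BAD_VER) {      /* not complemented on the wire */
        *major = 1; *minor = 0;
        return 1;
    }
    if (!is_dtls_version(ver))
        return 0;
    *major = 0xFF - ((ver >> 8) & 0xFF);  /* 0xFE -> 1 */
    *minor = 0xFF - (ver & 0xFF);         /* 0xFF -> 0, 0xFD -> 2 */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs standing in for SSL_version(ssl) results. */
    const int vers[] = { TLS1_VERSION, TLS1_2_VERSION, DTLS1_VERSION,
                         DTLS1_2_VERSION, DTLS1_BAD_VER };
    for (size_t i = 0; i < sizeof vers / sizeof vers[0]; i++) {
        int mj, mn;
        if (dtls_version_decode(vers[i], &mj, &mn))
            printf("0x%04x: DTLS %d.%d, needs DTLSv1_get_timeout handling\n", vers[i], mj, mn);
        else
            printf("0x%04x: TLS, TCP provides retransmission\n", vers[i]);
    }
    return 0;
}
```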

Re: How to determine if a ssl object is using a DTLS method?

John Lane Schultz
Thank you, that worked just fine:

#include <openssl/bio.h>
#include <openssl/ssl.h>

/* Non-zero if the SSL object's read BIO chain contains a datagram BIO, i.e. DTLS. */
int is_dtls(SSL *ssl)
{
        return NULL != BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DGRAM);
}

Cheers!

-----
John Lane Schultz
Spread Concepts LLC
Cell: 443 838 2200
