Multi client DTLS server on OpenSSL 1.1.x broken?


Multi client DTLS server on OpenSSL 1.1.x broken?

Richard Weinberger
Hi!

I have a hard time figuring out how to write a DTLS UDP server that supports multiple
clients. My dummy single-user server works fine.

To support multiple clients I tried two approaches:
1. single-threaded async IO, preferred since I have to deal with many clients
2. multi-threaded, one thread per client

Both approaches seem to be doomed for the very same reason, namely that
DTLSv1_listen() does peek into the kernel queue and does not consume
the client hello from the UDP socket.

Both loop around DTLSv1_listen() and as soon as the function returns > 0 a new
socket for the client is created using bind/connect and the client address
as returned by DTLSv1_listen().

This client socket is then passed to a new thread or fed into the event loop.
In both cases the client hello is still in the queue of the server socket
and the program will over and over create new client sockets.

After searching the web for examples I've found this thread [0], where the approaches
I tried are advertised.
In [1] the demo server at [3] is suggested as a good example.

dtls_udp_echo.c from [3] does exactly what I did in my 2nd approach, and it fails in
the same way.
As soon as one client connects, it creates new sockets over and over until it dies due
to too many open files.

After digging a bit into the source it looks to me like since commit [3],
DTLSv1_listen() assumes that you re-use the same socket for the new client.
This makes supporting multiple clients impossible.

Given that I'm not an OpenSSL DTLS expert I still hope I am missing something.
Can you please help me figure out what the correct approach for multiple clients is?

Thanks,
//richard

P.S.: I'm on Linux, OpenSSL 1.1.0h, but also tried OpenSSL git as of today.

[0] https://mta.openssl.org/pipermail/openssl-users/2018-April/007861.html
[1] https://mta.openssl.org/pipermail/openssl-users/2018-April/007864.html
[2] https://web.archive.org/web/20150806185102/http://sctp.fh-muenster.de:80/dtls/dtls_udp_echo.c
[3] https://github.com/openssl/openssl/commit/e3d0dae7cf8363ca462ac425b72c7bb31c3b4b7a
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
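The failure mode described in the post above can be reproduced without any DTLS at all, because it is socket behaviour: a listener that only PEEKs at the queued ClientHello and then hands the peer a freshly bound-and-connected socket leaves the datagram on the listener, so every pass of the loop sees it again. The program below is an added illustration of that mechanism, not code from the thread, from dtls_udp_echo.c or from OpenSSL. It uses plain POSIX UDP on loopback, a constructed string as a stand-in ClientHello (not a real DTLS record), and assumes Linux semantics for SO_REUSEADDR on UDP sockets and for delivering a datagram to the best-matching (connected) socket; the function names and the 200 ms receive bound are this example's own choices.

```c
/* Added example (not from the thread or OpenSSL): socket-level view of a
 * PEEK-only listen loop plus a per-client connected socket, on loopback.
 * Assumes Linux: SO_REUSEADDR on UDP and best-match (connected) dispatch. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fresh UDP socket bound to addr. Every socket sharing the server port
 * (listener and per-client sockets alike) needs SO_REUSEADDR before bind(). */
static int udp_socket_bound(const struct sockaddr_in *addr)
{
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (const struct sockaddr *)addr, sizeof *addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receive bounded to 200 ms: bytes read, 0 if nothing arrived, -1 on error.
 * flags may carry MSG_PEEK to mimic a listen loop that does not consume. */
static int try_recv(int fd, int flags, char *buf, size_t len, struct sockaddr_in *from)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    socklen_t flen = sizeof *from;
    int ready = poll(&p, 1, 200);
    ssize_t n;
    if (ready <= 0)
        return ready;
    n = recvfrom(fd, buf, len, flags, (struct sockaddr *)from, from ? &flen : NULL);
    return n < 0 ? -1 : (int)n;
}

struct demo_result {
    int peek_rounds;          /* times the same ClientHello was seen by peeking */
    int hello_on_client_sock; /* 1 if the per-client socket could read it */
    int next_on_client_sock;  /* 1 if a later datagram from the peer lands there */
};

/* Runs the scenario; 0 on success, negative on setup failure. */
int demo_peek_loop(struct demo_result *r)
{
    struct sockaddr_in srv, peer;
    socklen_t slen = sizeof srv;
    char buf[64];
    int lfd, cfd, per_client, i;

    memset(&srv, 0, sizeof srv);
    memset(&peer, 0, sizeof peer);
    memset(r, 0, sizeof *r);
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    srv.sin_port = 0;                              /* kernel picks a free port */
    lfd = udp_socket_bound(&srv);
    if (lfd < 0 || getsockname(lfd, (struct sockaddr *)&srv, &slen) < 0)
        return -1;

    /* Constructed "client" sending a stand-in ClientHello (a plain string). */
    cfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (cfd < 0 || connect(cfd, (const struct sockaddr *)&srv, sizeof srv) < 0 ||
        send(cfd, "ClientHello", 11, 0) != 11)
        return -2;

    /* PEEK-only listen loop: every pass returns the very same datagram, which
     * is the spinning the thread reports. Three passes are enough to show it. */
    for (i = 0; i < 3; i++)
        if (try_recv(lfd, MSG_PEEK, buf, sizeof buf, &peer) > 0)
            r->peek_rounds++;

    /* Per-client socket: bound to the server address, connected to the peer. */
    per_client = udp_socket_bound(&srv);
    if (per_client < 0 || connect(per_client, (const struct sockaddr *)&peer, sizeof peer) < 0)
        return -3;

    /* The peeked ClientHello never moves: it is still queued on the listener. */
    r->hello_on_client_sock = try_recv(per_client, 0, buf, sizeof buf, NULL) > 0;

    /* Consuming it on the listener is what clears the queue... */
    try_recv(lfd, 0, buf, sizeof buf, NULL);

    /* ...and later datagrams from that peer reach the connected socket, which
     * matches the full 4-tuple while the listener matches only the local side. */
    send(cfd, "next", 4, 0);
    r->next_on_client_sock = try_recv(per_client, 0, buf, sizeof buf, NULL) > 0;

    close(per_client);
    close(cfd);
    close(lfd);
    return 0;
}

/* Summary for checking: peek_rounds*100 + hello*10 + next, or <0 on failure. */
int demo_summary(void)
{
    struct demo_result r;
    int rc = demo_peek_loop(&r);
    return rc != 0 ? rc : r.peek_rounds * 100 + r.hello_on_client_sock * 10 + r.next_on_client_sock;
}

int main(void)
{
    printf("summary (expect 301: 3 peeks, hello not on client sock, next on it): %d\n",
           demo_summary());
    return 0;
}
```

The takeaway for a server design is the middle of the scenario: the per-client socket only starts receiving once the listener has actually consumed the datagram that the PEEK reported, and a loop that never consumes will mint a new socket per pass until it runs out of descriptors, exactly the symptom reported in the post.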

Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Matt Caswell-2
Please could you raise this as a GitHub issue? I'll try and take a look
at it (although it may be a while since my current focus is on the 1.1.1
release).

Matt

On 11/08/18 16:22, Richard Weinberger wrote:

> [snip]

Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Philip Prindeville
In reply to this post by Richard Weinberger


> On Aug 11, 2018, at 9:22 AM, Richard Weinberger <[hidden email]> wrote:
>
> [snip]


Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.

-Philip


Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Richard Weinberger
Philip,

On Wednesday, 15 August 2018, 21:36:30 CEST, you wrote:

>
> > On Aug 11, 2018, at 9:22 AM, Richard Weinberger <richard at nod.at> wrote:
> >
> > [snip]
>
>
> Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.

Can you please explain? I fear I am missing something.

Libevent seems to be able to deal with OpenSSL BIO objects.
But how is it supposed to help me with the DTLSv1_listen() issue?

A quick grep on the Libevent sources does not show calls to DTLSv1_listen()
and I don't think that it is open coding it. At least I hope so.

The problem I see is not about event processing, it is about OpenSSL 1.1.x's
re-write of DTLSv1_listen().

Thanks,
//richard



Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Philip Prindeville


> On Aug 15, 2018, at 2:09 PM, Richard Weinberger <[hidden email]> wrote:
>
> Philip,
>
> On Wednesday, 15 August 2018, 21:36:30 CEST, you wrote:
>>
>>> [snip]
>>
>>
>> Have you tried using Libevent?  It supports SSL/TLS/DTLS connections.
>
> Can you please explain? I fear I miss something.


Have a look at:

http://www.wangafu.net/~nickm/libevent-book/Ref6a_advanced_bufferevents.html

You don't need a dedicated thread per connection.

See the section “Bufferevents and SSL”

You can create an SSL context and then bind a connection listener to it.

If the library doesn’t specifically handle the case of DTLS (I know it handles SSL and TLS), then it shouldn’t be too hard to cobble something together and even get it upstreamed.

-Philip


>
> Libevent seems to be able to deal with OpenSSL BIO objects.
> But how is it supposed to help me with the DTLSv1_listen() issue?
>
> A quick grep on the Libevent sources does not show calls to DTLSv1_listen()
> and I don't think that it is open coding it. At least I hope so.
>
> The problem I see is not about event processing, it is about OpenSSL 1.1.x's
> re-write of DTLSv1_listen().
>
> Thanks,
> //richard

Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Richard Weinberger-3
Philip,

On Wed, Aug 15, 2018 at 11:36 PM Philip Prindeville
<[hidden email]> wrote:
> Have a look at:
>
> http://www.wangafu.net/~nickm/libevent-book/Ref6a_advanced_bufferevents.html
>
> you don’t need a dedicated thread per connection.

I know. I already have a full-blown single-threaded event loop that
works fine with OpenSSL 1.0.x.

> See the section “Bufferevents and SSL”
>
> You can create an SSL context and then bind a connection listener to it.
>
> If the library doesn’t specifically handle the case of DTLS (I know it handles SSL and TLS), then it shouldn’t be too hard to cobble something together and even get it upstreamed.

Well, it still seems to miss the fact that DTLSv1_listen() regressed in 1.1.x.
I really don't see how layering libevent into my application should help here.

--
Thanks,
//richard

Re: Multi client DTLS server on OpenSSL 1.1.x broken?

Michael Richardson
In reply to this post by Philip Prindeville

Philip Prindeville <[hidden email]> wrote:
    > You can create an SSL context and then bind a connection listener to
    > it.

    > If the library doesn’t specifically handle the case of DTLS (I know it
    > handles SSL and TLS), then it shouldn’t be too hard to cobble something
    > together and even get it upstreamed.

Philip, DTLS is not just TLS over UDP. There is more to it than that.

We are trying to do EXACTLY this, and we can't because the behaviour
of DTLSv1_listen() does not let a library do this. And we actually can't open-code
it, because it (DTLSv1_listen) uses APIs internal to libssl.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [

