Add support for DTLS fragmentation #49

Merged
merged 10 commits into from
Apr 18, 2025

@mickel8 mickel8 commented Apr 17, 2025

Traditional BIO_s_mem ignores DTLS fragmentation. OpenSSL just appends subsequent datagrams to the BIO_s_mem's buffer, which results in losing packet boundaries. This was greatly pointed out by @spscream in #31 and described by Lorenzo on the OpenSSL mailing list: https://mailing.openssl.users.narkive.com/L431ya4W/openssl-users-dtls-fragmentation-and-mem-bio (many thanks guys!)

Ignoring DTLS fragmentation may result in DTLS datagrams being dropped when the MTU size is not large enough. The ServerHello message, in our setup, is ~1400 bytes. When using Orange as the ISP, the MTU size seems to be ~1300 bytes, so the ServerHello message is dropped.

Another scenario where our implementation fails is when we use a 4096-bit certificate.

To mitigate this issue, we can:

OpenSSL 1.1 EOL was in September 2023. Ubuntu was providing security fixes in Ubuntu 20.04 until 04.2025 (not including pro subscribers, who are receiving security updates for 10 years). Newer versions, like 22.04, migrated to OpenSSL 3. Hence, we chose the first option (using BIO_s_dgram_mem). If we see anyone still using OpenSSL 1.1, we will consider providing a backward-compatible solution. Looks like ubuntu-latest with OTP 26 uses OpenSSL 1.1 (that's the config from our CI) so we go for a custom filter.

The MTU is hardcoded to 1200.

Resources:

Fixes #31
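
The boundary loss described above can be undone by walking DTLS record headers in the coalesced buffer. This is an added example, not code from this PR or its project: `split_datagrams` and `put_record` are hypothetical names, the 13-byte DTLS 1.0/1.2 record header is assumed, and 1200 is treated as the largest datagram to emit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DTLS_HDR 13 /* type(1) version(2) epoch(2) seq(6) length(2): DTLS 1.0/1.2 */
#define MTU 1200    /* largest datagram to emit; the value hardcoded in the PR */

/* Total size of the record at buf, or 0 if its header or body is truncated. */
static size_t record_len(const uint8_t *buf, size_t avail) {
  if (avail < DTLS_HDR) return 0;
  size_t total = DTLS_HDR + (((size_t)buf[11] << 8) | buf[12]);
  return total <= avail ? total : 0;
}

/* Pack whole records into datagrams of at most mtu bytes; sizes[] gets each size.
 * Returns the count, or -1 on malformed input, a record > mtu, or sizes[] full. */
int split_datagrams(const uint8_t *buf, size_t len, size_t mtu, size_t *sizes, int max) {
  size_t off = 0, cur = 0;
  int n = 0;
  while (off < len) {
    size_t r = record_len(buf + off, len - off);
    if (r == 0 || r > mtu) return -1; /* truncated, or never fragmented */
    if (cur + r > mtu) { /* record does not fit: close the current datagram */
      if (n == max) return -1;
      sizes[n++] = cur;
      cur = 0;
    }
    cur += r;
    off += r;
  }
  if (cur > 0 && n == max) return -1;
  if (cur > 0) sizes[n++] = cur; /* last, possibly short, datagram */
  return n;
}

/* Constructed sample data: one handshake record (type 22, DTLS 1.2), zeroed body. */
size_t put_record(uint8_t *out, uint16_t body_len) {
  memset(out, 0, DTLS_HDR + (size_t)body_len);
  out[0] = 22; out[1] = 0xfe; out[2] = 0xfd;
  out[11] = (uint8_t)(body_len >> 8); out[12] = (uint8_t)(body_len & 0xff);
  return DTLS_HDR + (size_t)body_len;
}

int main(void) {
  static uint8_t buf[4096];
  size_t sizes[8], len = put_record(buf, 1000); /* two records, coalesced the */
  len += put_record(buf + len, 400);            /* way a memory BIO returns them */
  int n = split_datagrams(buf, len, MTU, sizes, 8);
  for (int i = 0; i < n; i++) printf("datagram %d: %zu bytes\n", i, sizes[i]);
  return n == 2 ? 0 : 1;
}
```

A return of -1 for a single record larger than the limit means the handshake message was never fragmented at the DTLS layer, which re-splitting cannot repair.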

@mickel8 mickel8 force-pushed the cert-fragmentation branch from 390e1a3 to cb2bbb3 Compare April 18, 2025 09:16
@mickel8 mickel8 force-pushed the cert-fragmentation branch from d940c59 to 27c1979 Compare April 18, 2025 10:33
@mickel8 mickel8 force-pushed the cert-fragmentation branch from 27c1979 to aa5a7e9 Compare April 18, 2025 10:36
@mickel8 mickel8 force-pushed the cert-fragmentation branch from 76d3395 to 2c9e31a Compare April 18, 2025 15:41
@mickel8 mickel8 enabled auto-merge (squash) April 18, 2025 16:39
@mickel8 mickel8 disabled auto-merge April 18, 2025 16:39
@mickel8 mickel8 merged commit 1549514 into master Apr 18, 2025
2 checks passed
@mickel8 mickel8 deleted the cert-fragmentation branch April 18, 2025 16:40
Successfully merging this pull request may close these issues.

Fragmented Server Hello