[Patch] Fix blocking DTLS

Sean Buckheister s_buckhe at cs.uni-kl.de
Thu Feb 16 15:00:58 CET 2012


[Oh, elements ... Copy to list since I hit the wrong button. Again.]

> Nice fix, applied. Which case did you notice failing?

Lots. Just some examples:

SHello(210), SFinished(10), CFinished(210) :- SHello, SKeyExchange,
SHelloDone, CKeyExchange, CChangeCipherSpec, CFinished,
SChangeCipherSpec, SFinished

SHello(021), SFinished(10), CFinished(102) :- CKeyExchange,
CChangeCipherSpec, CFinished, SChangeCipherSpec, SFinished

SHello(120), SFinished(10), CFinished(120) :- SHelloDone, CFinished,
SChangeCipherSpec, SFinished

It feels like any case that has an incomplete final flight. It would
make sense, too, since the client would then retransmit its final
flight, including the Finished packet, after which the server would
initiate a rehandshake where none should have happened.

> Does it fix the parallel checks?

With 1000 children on my machine and timeouts at twice the defaults
(120s handshake timeout, 240s kill timeout), yes. More children need
higher timeouts to work, but they do work.

I'll add two-way certificate authentication and look how it holds up. It
should work fine; all cert packets are contained in inner flights, all
of which gnutls handles perfectly fine.
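As an added illustration (not code from the patch or from gnutls), here is a small Python model of the server-side DTLS handshake state machine for the case described above: the client's final flight arrives, the server's own final flight is lost, and the client retransmits. The message names, sequence numbers and the `handle_retransmits` switch are constructed for the model.

```python
from dataclasses import dataclass

# Flights as in the traces above (constructed; ChangeCipherSpec is not a
# handshake message, so it carries no message_seq).
CLIENT_FINAL_FLIGHT = [("ClientKeyExchange", 1), ("ChangeCipherSpec", None),
                       ("Finished", 2)]
SERVER_FINAL_FLIGHT = [("ChangeCipherSpec", None), ("Finished", 3)]

@dataclass
class Server:
    """Server state after it has sent ServerHello .. ServerHelloDone."""
    handle_retransmits: bool          # False reproduces the reported behaviour
    state: str = "WAIT_CLIENT_FLIGHT"
    next_seq: int = 1                 # next handshake message_seq expected
    handshakes_started: int = 1

    def receive(self, mtype, seq):
        """Process one inbound record; return the records sent in response."""
        if mtype == "ChangeCipherSpec" or self.state == "RENEGOTIATING":
            return []
        if self.state == "WAIT_CLIENT_FLIGHT":
            if seq != self.next_seq:     # out-of-order message: ignored here
                return []
            self.next_seq += 1
            if mtype == "Finished":      # client's flight complete: done
                self.state = "FINISHED"
                return list(SERVER_FINAL_FLIGHT)
            return []
        # state FINISHED: a handshake message arrives after completion
        if seq < self.next_seq and self.handle_retransmits:
            # RFC 6347 sec. 4.2.4: a retransmit of the peer's final flight means
            # our own final flight was lost; answer it with that flight, once.
            return list(SERVER_FINAL_FLIGHT) if mtype == "Finished" else []
        # Misbehaviour from the mail: the duplicate is taken as a fresh
        # handshake message, so the server initiates an unwanted rehandshake.
        self.state = "RENEGOTIATING"
        self.handshakes_started += 1
        return [("HelloRequest", self.next_seq)]

def run(handle_retransmits):
    """Client sends its final flight; the server's reply is lost once, so the
    client retransmits when its timer fires. Returns
    (handshakes started on the server, last reply the client received)."""
    srv = Server(handle_retransmits)
    last_reply = []
    for attempt in range(2):
        reply = []
        for mtype, seq in CLIENT_FINAL_FLIGHT:
            reply += srv.receive(mtype, seq)
        if attempt == 0:
            continue                     # server's flight dropped on the wire
        last_reply = reply
    return srv.handshakes_started, last_reply
```

With `handle_retransmits=True` the client ends up holding the server's Finished and exactly one handshake was run; with `False` it instead receives a HelloRequest and the server counts a second handshake.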
