[gnutls-help] DTLS retransmission issue with gnutls-cli

Manuel Pégourié-Gonnard mpg at polarssl.org
Wed Oct 1 00:11:36 CEST 2014


Using gnutls-cli version 3.3.8, I observed the following behaviour: if the
handshake flight starting with (Client)Certificate and ending with
(Client)Finished is lost (it is sent in a single UDP datagram), then gnutls-cli
never retransmits it, and the handshake eventually times out after about 40 seconds.

The expected behaviour would be for the client to retransmit the lost flight.

The problem was observed using a UDP proxy that drops and delay packets
pseudo-randomly. A capture of the failed handshake is available at:


The server (gnutls-serv in this case) is listening on port 4433, and the proxy
on port 5556. So, the communication as seen by the client can be obtained by
filtering on udp.dstport == 5556 || udp.srcport == 5556 in wireshark. The
client's output ends with:

- Successfully sent 0 certificate(s) to server.
|<1>| Discarded replayed handshake packet with sequence 1
|<1>| Discarded replayed handshake packet with sequence 5
*** Fatal error: The operation timed out
*** Handshake has failed
GnuTLS error: The operation timed out

Please let me know if you need more information about the problem. It's probably
possible to reproduce it using dtls-stress from the GnuTLS test utilities, but I
didn't try.

I never observed a similar behaviour (not retransmitting when needed) with
gnutls-serv so far.


More information about the Gnutls-help mailing list