Increase DTLS bios buffer size for large x509 #921
Are you sure it solves the issue portably? I would expect this code to just send a large UDP datagram, which is undesirable, leading to IP fragmentation. Can you verify what happens with a Wireshark trace?
I confirm, the DTLS bio is working at the application layer, not the UDP/TCP layer. Since February I've been patching the code and it's working fine with Janus; the Wireshark trace shows multiple packets associated with the 8192 DTLS bio, so the MTU is well respected.
In addition, SSL provides a bio_pending function dedicated to waiting for outgoing packets:
Hi @zucher, I'm a little concerned that raising the 1500 bytes arbitrary limit to another one won't fix the issue. Could we please have a unit test which demonstrates we are actually able to send / receive larger certificates?
Hi @jlaine, unit tests are not so easy to produce; are the pcap files not sufficient?
And in addition, the OpenSSL documentation too?
Unfortunately no, they are not. I have put in a lot of effort to achieve 100% test coverage to ensure the code behaves as it should, and new contributions need to do the same. I am of course willing to assist you in putting together the tests, but will not be able to write them for you to exercise a condition I have not yet encountered. Could you shed some light on what makes the certificates "large"? A first step would be to have aiortc generate such certificates so we can capture the failure case.
@zucher I think all you need to do is create a large RSA certificate. The tests then could ensure that the MTU isn't exceeded / the certificate is fragmented across multiple UDP datagrams (not using IP fragmentation).
As my two parties are going to be
@jlaine, you are right, I had this issue as a client due to a connection with a Janus server with such a certificate, but if such a certificate is used on the aiortc side, probably the bio_write call might also be involved. I'm trying to understand the test suite to validate all cases.
The actual solution is more complicated, see meetecho/janus-gateway#254 |
Solves issue #828 for large X509 certificates such as RSA 4096 in DTLS exchanges.