Increase DTLS bios buffer size for large x509

[zucher]

Solves the issue #828 for large X509 certificate such as RSA 4096 in DTLS exchanges

[lgrahl]

Are you sure it solves the issue portably? I would expect this code to just send a large UDP datagram which is undesirable, leading to IP fragmentation. Can you verify what happens with a Wireshark trace?

[zucher]

I confirm, DTLS bio is working at application layer, not UDP/TCP layer, since february, I'm patching the code and it's working fine with Janus, the wireshark trace show multiple packet associated to the 8192 DTLS bio, so the MTU is well respected.

[zucher]

In complement, ssl provide a bio_pending function dedicated to wait leaving packets:
https://www.openssl.org/docs/man3.0/man3/BIO_pending.html and this function confirm the capability to receive or send multiple UDP packets if the content is larger than an MTU

[jlaine]

Hi @zucher, I'm a little concerned that raising the 1500 bytes arbitrary limit to another one won't fix fix the issue. Could we please have a unit test which demonstrates we are actually able to send / receive larger certificates?

[zucher]

Hi @jlaine, unit test are not so easy to produce, are the pcap files not sufficient?

[zucher]

And in complement, openssl documentation too?

[jlaine]

Hi @jlaine, unit test are not so easy to produce, are the pcap files not sufficient?

Unfortunately no they are not. I have put in a lot of effort to achieve 100% test coverage to ensure the code behaves as it should and new contributions need to do the same.

I am of course willing to assist you in putting together the tests, but will not be able to write them for you to exercise a condition I have not yet encountered. Could you shed some light on what makes the certificates "large"? A first step would be to have aiortc generate such certificates so we can capture the failure case.

[lgrahl]

@zucher I think all you need to do is create a large RSA certificate. The tests then could ensure that the MTU isn't exceeded / the certificate is fragmented across multiple UDP datagrams (not using IP fragmentation).

[jlaine]

@zucher I think all you need to do is create a large RSA certificate. The tests then could ensure that the MTU isn't exceeded / the certificate is fragmented across multiple UDP datagrams (not using IP fragmentation).

As my two parties are going to be aiortc I'd really like to understand why this line in the proposed PR is the one being changed, as this is very much for sending data:

https://github.com/aiortc/aiortc/pull/921/files#diff-4637ab9c11f102ccb8bcc021ce74a3460d8c84d18f7d6bf67a02d618debee1f8R619

[zucher]

@jlaine ,you are right, had this issue as client due to a connection with a Janus server with such certificate, but if such certificate is use on aiortc side, probably the bio_write call might be also involved. I try to undersand the test suite to validate all cases.

[fippo]

The actual solution is more complicated, see meetecho/janus-gateway#254
Avoiding RSA certificates is much easier