A simple DTLS server/client program implemented with the OpenSSL library.
A custom BIO is used to expose the underlying BIO ctrl and packet transmission.
A CA is used to verify both server and client.
UDP server and client.
Prerequisite
- a working C compiler and make
- OpenSSL with header files
- readline library for the client
apt-get install build-essential openssl libssl-dev libreadline-dev
Build
make
Run
Start the server with a list of addresses to listen on:
./server 127.0.0.1:1234 # listen on local loopback ipv4 port 1234
./server [::1]:1234 # listen on local loopback ipv6 port 1234
./server 127.0.0.1:1234 [::1]:1234 # listen on multiple addresses/ports
./server [::]:1234 # listen on any interface, both ipv4 and ipv6, port 1234
Start the client with the target server:
./client 127.0.0.1:1234 # connect to local server on port 1234
Once connected, some simple commands can be issued from the client terminal:
ping
  returns pong
echo <some text>
  returns <some text>
whoami
  returns the client's address and port as seen by the server
stats
  returns the list of clients the server is currently serving
bc <some text>
  broadcasts <some text> to all clients
Ctrl-D can be used to stop the client.
Ctrl-C can be used to stop the server or the client.
Certificates can be regenerated with:
make delete-certs
make certs
Bugs
The commands the Makefile uses to generate certificates are not meant as good practice; they are for test use only.
A 2000-byte buffer size is hardcoded in the program; a message approaching that size fails to be sent or received. This is the program's bug, not a limitation of DTLS or UDP, although packet fragmentation should be avoided anyway.
For simplicity, the SSL timeout controls on the BIO were ignored. Although the OpenSSL library handles the DTLS state machine automatically, in this program it is only driven on write or received-packet events. As a result:
- a long-polling receiver might fail to receive a new message until the next write (a periodic read/write is required to trigger a state machine update)
- a client that fails to notify shutdown is left on the server's list forever (missing dead peer detection)
Pitfalls
[::] listens on both IPv6 and IPv4, so it conflicts with any other address on the same port, even IPv4 addresses.
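The listener syntax used in the Run section (host:port, with IPv6 literals in brackets) and the [::] dual-stack conflict above can both be dealt with at bind time. The following is an added example, not code from the openssl-dtls-custom-bio project: it splits a spec written in the README's format, resolves it with getaddrinfo(), and sets IPV6_V6ONLY on AF_INET6 sockets so that [::]:1234 and 127.0.0.1:1234 no longer collide. split_spec and bind_udp are names chosen here; the v6only flag is a parameter added for the example.

```c
/* Added example (not from the openssl-dtls-custom-bio project): parse the
 * README's listener specs and bind UDP sockets with IPV6_V6ONLY. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Split "127.0.0.1:1234" or "[::1]:1234" into host and port strings.
 * Returns 0 on success, -1 if the spec is malformed (for example an
 * unbracketed IPv6 literal, which has more than one ':'). */
static int split_spec(const char *spec, char *host, size_t hlen,
                      char *port, size_t plen)
{
    const char *colon;
    size_t n;

    if (spec[0] == '[') {                       /* bracketed IPv6 literal */
        const char *end = strchr(spec, ']');
        if (end == NULL || end[1] != ':')
            return -1;
        n = (size_t)(end - spec - 1);
        if (n == 0 || n >= hlen)
            return -1;
        memcpy(host, spec + 1, n);
        host[n] = '\0';
        colon = end + 1;
    } else {                                    /* IPv4 literal or hostname */
        colon = strrchr(spec, ':');
        if (colon == NULL || strchr(spec, ':') != colon)
            return -1;
        n = (size_t)(colon - spec);
        if (n == 0 || n >= hlen)
            return -1;
        memcpy(host, spec, n);
        host[n] = '\0';
    }
    if (colon[1] == '\0' || strlen(colon + 1) >= plen)
        return -1;
    strcpy(port, colon + 1);
    return 0;
}

/* Bind a UDP socket for the spec. With v6only != 0, IPV6_V6ONLY is set on
 * AF_INET6 sockets so an "[::]" listener does not also claim the IPv4 port
 * and a separate IPv4 listener on that port can coexist with it.
 * Returns the descriptor, or -1 on error. */
static int bind_udp(const char *spec, int v6only)
{
    char host[256], port[16];
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    if (split_spec(spec, host, sizeof host, port, sizeof port) != 0)
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags    = AI_PASSIVE | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (ai->ai_family == AF_INET6) {
            int on = v6only ? 1 : 0;
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
        }
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                              /* bound: keep this fd */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Stand-alone use: ./a.out 127.0.0.1:1234 [::]:1234 binds every spec given. */
int main(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++) {
        int fd = bind_udp(argv[i], 1);
        if (fd < 0) {
            fprintf(stderr, "cannot bind %s\n", argv[i]);
            return 1;
        }
        printf("bound %s on fd %d\n", argv[i], fd);
    }
    return 0;
}
```

With v6only set, the last line of the main() above succeeds for both specs on Linux; without it, the second bind fails with EADDRINUSE, which is exactly the conflict the pitfall describes.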
Although the built executables may work with a different version of the OpenSSL library, it is recommended to rebuild in each different environment. For example, OpenSSL changed the value of the macro-defined constant BIO_CTRL_DGRAM_SET_PEEK_MODE
between 1.1.0f and 1.1.0g; this does "not" break ABI compatibility but definitely makes the related function misbehave.
from https://github.com/stepheny/openssl-dtls-custom-bio