Fix dtls fragmented certificate (#926)

lynckia · Jun 21, 2017 · ee36400 · ee36400
1 parent 44ad4ac
commit ee36400
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 10 deletions.
diff --git a/erizo/src/erizo/dtls/DtlsClient.cpp b/erizo/src/erizo/dtls/DtlsClient.cpp
@@ -60,7 +60,7 @@ void SSLInfoCallback(const SSL* s, int where, int ret) {
     if (ret == 0) {
       ELOG_WARN2(sslLogger, "failed in %s", SSL_state_string_long(s));
     } else if (ret < 0) {
-      ELOG_WARN2(sslLogger, "error in %s", SSL_state_string_long(s));
+      ELOG_INFO2(sslLogger, "callback for %s", SSL_state_string_long(s));
     }
   }
 }
@@ -73,7 +73,7 @@ int SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
     int err = X509_STORE_CTX_get_error(store);
     X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
     X509_NAME_oneline(X509_get_subject_name(cert), data2, sizeof(data2));
-    ELOG_DEBUG2(sslLogger, "Error with certificate at depth: %d, issuer: %s, subject: %s, err: %d : %s",
+    ELOG_DEBUG2(sslLogger, "Callback with certificate at depth: %d, issuer: %s, subject: %s, err: %d : %s",
     depth,
     data,
     data2,
@@ -95,8 +95,6 @@ int SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
     // X509* cert = X509_STORE_CTX_get_current_cert(store);
     int err = X509_STORE_CTX_get_error(store);
 
-    ELOG_DEBUG2(sslLogger, "Error: %d", X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
-
     // peer-to-peer mode: allow the certificate to be self-signed,
     // assuming it matches the digest that was specified.
     if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
@@ -236,17 +234,18 @@ int createCert(const std::string& pAor, int expireDays, int keyLen, X509*& outCe
     SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
       SSLVerifyCallback);
 
+    SSL_CTX_set_options(mContext, SSL_OP_NO_QUERY_MTU);
       // SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF);
       // SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET);
       // Set SRTP profiles
-      r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
-      assert(r == 0);
+    r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
+    assert(r == 0);
 
-      SSL_CTX_set_verify_depth(mContext, 2);
-      SSL_CTX_set_read_ahead(mContext, 1);
+    SSL_CTX_set_verify_depth(mContext, 2);
+    SSL_CTX_set_read_ahead(mContext, 1);
 
-      ELOG_DEBUG("DtlsSocketContext created");
-    }
+    ELOG_DEBUG("DtlsSocketContext created");
+  }
 
     DtlsSocketContext::~DtlsSocketContext() {
       mSocket->close();

diff --git a/erizo/src/erizo/dtls/DtlsSocket.cpp b/erizo/src/erizo/dtls/DtlsSocket.cpp
@@ -31,6 +31,7 @@ DtlsSocket::DtlsSocket(DtlsSocketContext* socketContext, enum SocketType type):
   assert(mContext);
   mSsl = SSL_new(mContext);
   assert(mSsl != 0);
+  SSL_set_mtu(mSsl, DTLS_MTU);
   mSsl->ctx = mContext;
   mSsl->session_ctx = mContext;
 
@@ -132,6 +133,10 @@ void DtlsSocket::doHandshakeIteration() {
   // See what was written
   unsigned char *outBioData;
   int outBioLen = BIO_get_mem_data(mOutBio, &outBioData);
+  if (outBioLen > DTLS_MTU) {
+    ELOG_WARN("message: BIO data bigger than MTU - packet could be lost, outBioLen %u, MTU %u",
+        outBioLen, DTLS_MTU);
+  }
 
   // Now handle handshake errors */
   switch (sslerr = SSL_get_error(mSsl, r)) {

diff --git a/erizo/src/erizo/dtls/DtlsSocket.h b/erizo/src/erizo/dtls/DtlsSocket.h
@@ -21,6 +21,7 @@ extern "C" {
 
 const int SRTP_MASTER_KEY_KEY_LEN = 16;
 const int SRTP_MASTER_KEY_SALT_LEN = 14;
+static const int DTLS_MTU = 1472;
 
 namespace dtls {
 class DtlsSocketContext;