MTU mismatch with 7.08 and "Unknown DTLS packet"

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sun Jan 7 01:46:50 PST 2018


On Sat, Jan 6, 2018 at 4:01 PM, Chaskiel Grundman <cgrundman at gmail.com> wrote:
> I did not test your patch, though I assume it would work, because I
> did not want to reinforce the idea that the VPN gateway is doing
> something wrong. Instead, I continued my own investigation.
>
> It turns out that in gnutls 3.5.8, gnutls_dtls_get_data_mtu() does not
> return the same value that was passed to gnutls_dtls_set_data_mtu():

Could you be more specific about which code path you are referring to? As
far as I can see, openconnect seems to call gnutls_dtls_set_mtu(), as well
as gnutls_dtls_set_data_mtu(), on different code paths.

> I assume this is because when gnutls_dtls_get_data_mtu tries to
> recover the data mtu from the internal mtu, it calculates the overhead
> based on the currently set internal mtu, not the originally requested
> data mtu. If the padding for those sizes is different, the wrong
> result will be returned.

The set_data_mtu() sets the number of bytes that can be transferred
encapsulated within the DTLS layer. The set_mtu() instead sets the maximum
number of bytes that a DTLS message can be.

> I think that openconnect should try to detect over-large incoming DTLS
> packets and log or discard them.

That's an option too. Failing as it does now is quite sub-optimal.

regards,
Nikos
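An added example, not code from openconnect, GnuTLS or either poster: a simplified model of DTLS 1.2 CBC record overhead showing why a data MTU derived back from the record MTU need not equal the value that was originally set, together with the discard check for over-large incoming records suggested in the thread. The header, IV and MAC lengths are assumptions of the model, not GnuTLS's own computation.

```c
/* Simplified model of a DTLS 1.2 AES-CBC/HMAC-SHA1 record (assumed sizes). */
#include <stdio.h>

#define DTLS_HDR_LEN 13u   /* DTLS record header */
#define BLOCK_LEN    16u   /* AES block size, also the explicit IV length */
#define MAC_LEN      20u   /* HMAC-SHA1 tag */

static unsigned round_up(unsigned n, unsigned b) { return (n + b - 1) / b * b; }

/* Record size needed to carry 'data' payload bytes: header + IV +
 * (payload + MAC + at least one padding byte) rounded up to a block. */
unsigned record_mtu_for_data(unsigned data)
{
    return DTLS_HDR_LEN + BLOCK_LEN + round_up(data + MAC_LEN + 1, BLOCK_LEN);
}

/* Largest payload that fits in 'record' bytes, derived from the record size
 * alone, i.e. the direction a get_data_mtu() style call has to work in.
 * Because padding is recomputed for the record size rather than the payload
 * size, this is not guaranteed to return the value passed to the setter. */
unsigned data_mtu_for_record(unsigned record)
{
    unsigned fixed = DTLS_HDR_LEN + BLOCK_LEN + MAC_LEN + 1;
    if (record < fixed)
        return 0;                         /* nothing can fit */
    unsigned body = record - DTLS_HDR_LEN - BLOCK_LEN;
    unsigned blocks = body / BLOCK_LEN * BLOCK_LEN;   /* whole blocks only */
    return blocks - MAC_LEN - 1;
}

/* Defensive check from the thread: a received DTLS record larger than the
 * negotiated record MTU is logged and discarded instead of being decrypted. */
int dtls_record_acceptable(unsigned record_len, unsigned record_mtu)
{
    if (record_len > record_mtu) {
        fprintf(stderr, "dropping %u-byte DTLS record, exceeds MTU %u\n",
                record_len, record_mtu);
        return 0;
    }
    return 1;
}

int main(void)
{
    unsigned want = 1400;                  /* data MTU the caller sets */
    unsigned rec = record_mtu_for_data(want);
    unsigned got = data_mtu_for_record(rec);
    printf("data mtu %u -> record mtu %u -> data mtu %u%s\n", want, rec, got,
           got == want ? "" : " (round trip differs)");
    return 0;
}
```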


