AcornSSL

I’ve been working (on and off) on AcornSSL for a while now, adding new functionality. I got server operation going (for TCP), and recently I’ve added DTLS client and server functionality. With some shortcomings, as you’ll see below.

None of this is anywhere near release yet, but if anyone would like to test any of the new stuff, please contact me and I’ll send you a module and docs when I think it’s at an appropriate level of stability and has adequate documentation.

I’d appreciate any help or clues as to the following issues, please:

1) In DTLS server, although the certificate chain I’m giving it is quite short, nevertheless it seems to send far more certs during the cert exchange. These clearly come from the main InetDBase:CertData file, because if I temporarily replace the latter with my short cert file, the cert data are much shorter. InetDBase:CertData is loaded by the module at startup. I thought the certs were isolated to the context that is part of the SSL handle. This is clearly not the case. Does anyone know why, and if there’s anything I can do about it?

2) A consequence of the extra certs being sent is that it wants to send a datagram of about 18000 bytes. Although UDP can of course support ordinary (i.e. non-jumbo) datagrams of nearly 64kiB, any attempt to send ~18000 results not in mere fragmentation of the datagram, but a hard error, EMSGSIZE. I can call mbedtls_ssl_set_mtu() to set the MTU to 8000, but why do I need to? I haven’t done exhaustive tests to find the highest MTU that works, but e.g. 1200, 2000 and 8000 work, but 16000 results in EMSGSIZE. Does anyone know where the limit is applied?

3) I think there’s a third problem in that sending the extra cert data takes time, and causes the handshake process to get out of step. I think I may have to take this up on the mbedTLS mailing list… unless anyone here knows anything? I can’t be sure of what’s going on until I can solve the first two.

Some more digging has revealed that standards (probably actually RFCs) limit the maximum message size to 16384. This is in the comments within the mbedTLS library code. A solution to (1) above is going to be needed.

I think I’ve got the solution to (1).

Glad to see you are making progress. I can’t offer to help test anything at the moment, but I just wanted to post to let you know your work is appreciated!