The context is set up the same way for client and server; only the method differs. The server uses

    ctx = SSL_CTX_new(DTLSv1_server_method());

and the client

    ctx = SSL_CTX_new(DTLSv1_client_method());

The rest of the context setup is identical on both sides:

    /* ***** BOTH ***** */
    /* Load certificates and key */
    SSL_CTX_use_certificate_chain_file(ctx, "cert.pem");
    SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM);

    /* Client: verify server's certificate */
    /* Server: Client has to authenticate */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cert);

    SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
    SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);

Note that three callback functions have been used, that is verify_cert(), generate_cookie() and verify_cookie(). The first function, verify_cert(), is called for every certificate received from the peer. It has to verify the certificate and return 1 if it is trusted or 0 otherwise. Usually the program will print the certificate details and ask the user whether to trust it, or it maintains a database of known certificates. In case the certificate is not trusted, the handshake and therefore the connection setup will fail. (On the server, SSL_VERIFY_PEER on its own only requests a client certificate; if the client really has to authenticate, SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be OR-ed into the mode, otherwise a client that sends no certificate at all completes the handshake unauthenticated.)

The other callback functions, generate_cookie() and verify_cookie(), are used for the cookie handling. When a cookie has to be generated for a HelloVerifyRequest, the generate_cookie() function is called, and after a cookie attached to a ClientHello has been received, the verify_cookie() function. The content of the cookie is arbitrary, but for security reasons it should contain the client's address and a timestamp, and it should be signed, so that a cookie can neither be forged nor reused for another client or at a much later time. The signatures of the callback functions are as follows:

On the server, a UDP socket is created and bound, and a datagram BIO is wrapped around it:

    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    bind(fd, (struct sockaddr *) &server_addr, sizeof(struct sockaddr_in6));
    BIO *bio = BIO_new_dgram(fd, BIO_NOCLOSE);

    /* Create the SSL object from the context and assign the BIO */
    SSL *ssl = SSL_new(ctx);
    SSL_set_bio(ssl, bio, bio);

    /* Enable cookie exchange */
    SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);

    /* Wait for incoming connections */
    while (!DTLSv1_listen(ssl, &client_addr))
        ;

At first, BIO_new_dgram() is used instead of BIO_new() to create a UDP-specific BIO. Then a new SSL object is created using the previously set up context, to which the BIO object is assigned. The cookie exchange is not enabled by default and has to be enabled with the corresponding option, SSL_OP_COOKIE_EXCHANGE. The new function DTLSv1_listen() waits for incoming ClientHellos on the listening socket, responds with a HelloVerifyRequest and returns 0, which indicates that no client has been verified yet and that it needs to be called again to continue listening. When the client repeats its ClientHello with a valid cookie attached, the function returns 1 together with the sockaddr structure of the verified client. This sockaddr structure can be used to create a new socket, connected to this client, which then replaces the listening socket in the BIO object. (Later OpenSSL releases also return a negative value from DTLSv1_listen() on a fatal error, so a loop that only tests for zero should handle that case separately instead of spinning.)
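The cookie construction the text calls for (client address, timestamp, signed), as an added example that is not from the thesis or from OpenSSL: it is the computation a generate_cookie()/verify_cookie() pair would perform, written without libssl so that it compiles on its own. SipHash-2-4 keyed with a 128-bit server secret stands in for the HMAC a production callback would take from libcrypto; the secret, the IPv6 address and the port 5684 are constructed inputs, and the "current time" is passed in as a parameter rather than read from the clock so the expiry logic can be exercised. In a real callback the peer address would be fetched from the SSL object's datagram BIO with BIO_dgram_get_peer() and the secret generated once per process from a secure random source.

```c
/* Added example (not thesis or OpenSSL code): DTLS HelloVerifyRequest cookie
 * = 4-byte timestamp || 8-byte MAC(secret, client address || port || timestamp).
 * SipHash-2-4 is used as the MAC so the file builds without libcrypto. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define COOKIE_TS_LEN  4                     /* big-endian seconds */
#define COOKIE_TAG_LEN 8                     /* SipHash-2-4 output */
#define COOKIE_LEN     (COOKIE_TS_LEN + COOKIE_TAG_LEN)
#define COOKIE_MAX_AGE 60                    /* seconds a cookie stays valid (assumed window) */
#define MAX_ADDR_LEN   16                    /* room for an IPv6 address */

/* SipHash-2-4 (Aumasson/Bernstein) with a 128-bit key: a PRF, so tags cannot be forged without the key. */
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do {                                                   \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32);           \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2;                              \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0;                              \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32);           \
} while (0)

static uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = 0, k1 = 0, v0, v1, v2, v3, b;
    size_t i;
    int j;
    for (j = 0; j < 8; j++) { k0 |= (uint64_t)key[j] << (8 * j); k1 |= (uint64_t)key[8 + j] << (8 * j); }
    v0 = 0x736f6d6570736575ULL ^ k0;
    v1 = 0x646f72616e646f6dULL ^ k1;
    v2 = 0x6c7967656e657261ULL ^ k0;
    v3 = 0x7465646279746573ULL ^ k1;
    for (i = 0; i + 8 <= len; i += 8) {          /* full 8-byte little-endian blocks */
        uint64_t m = 0;
        for (j = 0; j < 8; j++) m |= (uint64_t)in[i + j] << (8 * j);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    b = (uint64_t)len << 56;                     /* length byte plus the unaligned tail */
    for (j = 0; i + (size_t)j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Tag over (address || port || timestamp): binds the cookie to one peer and one issue time. */
static void cookie_tag(const uint8_t key[16], const uint8_t *addr, size_t addrlen, uint16_t port,
                       const uint8_t ts[COOKIE_TS_LEN], uint8_t tag[COOKIE_TAG_LEN])
{
    uint8_t buf[MAX_ADDR_LEN + 2 + COOKIE_TS_LEN];
    size_t n = 0;
    uint64_t t;
    int j;
    memcpy(buf, addr, addrlen);            n += addrlen;
    buf[n++] = (uint8_t)(port >> 8);       buf[n++] = (uint8_t)port;
    memcpy(buf + n, ts, COOKIE_TS_LEN);    n += COOKIE_TS_LEN;
    t = siphash24(key, buf, n);
    for (j = 0; j < COOKIE_TAG_LEN; j++) tag[j] = (uint8_t)(t >> (8 * j));
}

/* What generate_cookie() computes: writes the cookie, returns its length (0 = unusable address). */
int cookie_generate(const uint8_t key[16], const uint8_t *addr, size_t addrlen, uint16_t port,
                    uint32_t now, uint8_t out[COOKIE_LEN])
{
    if (addrlen == 0 || addrlen > MAX_ADDR_LEN) return 0;
    out[0] = (uint8_t)(now >> 24); out[1] = (uint8_t)(now >> 16);
    out[2] = (uint8_t)(now >> 8);  out[3] = (uint8_t)now;
    cookie_tag(key, addr, addrlen, port, out, out + COOKIE_TS_LEN);
    return COOKIE_LEN;
}

/* What verify_cookie() computes: 1 if this cookie was issued to this peer within the window, else 0. */
int cookie_verify(const uint8_t key[16], const uint8_t *addr, size_t addrlen, uint16_t port,
                  uint32_t now, const uint8_t *cookie, size_t cookie_len)
{
    uint8_t expect[COOKIE_TAG_LEN];
    uint32_t ts;
    unsigned diff = 0;
    int j;
    if (cookie_len != COOKIE_LEN || addrlen == 0 || addrlen > MAX_ADDR_LEN) return 0;
    cookie_tag(key, addr, addrlen, port, cookie, expect);   /* recompute for *this* peer */
    for (j = 0; j < COOKIE_TAG_LEN; j++) diff |= expect[j] ^ cookie[COOKIE_TS_LEN + j];
    if (diff != 0) return 0;                                 /* constant-time tag compare */
    ts = ((uint32_t)cookie[0] << 24) | ((uint32_t)cookie[1] << 16) |
         ((uint32_t)cookie[2] << 8) | cookie[3];
    if (now < ts || now - ts > COOKIE_MAX_AGE) return 0;     /* genuine but stale (or from the future) */
    return 1;
}

/* Constructed demo inputs: a fixed server secret and one IPv6 peer (2001:db8::10). */
static const uint8_t DEMO_KEY[16]  = { 0x9a,0x3c,0x1f,0x00,0x55,0x21,0xee,0x7b,0x42,0x19,0xd0,0x06,0x8e,0x73,0xa1,0xc4 };
static const uint8_t DEMO_ADDR[16] = { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x10 };

/* Issue a cookie to DEMO_ADDR:5684 at time `issued`, optionally flip one tag bit, then verify it
 * as if it came back from an address differing only in its last byte, from `port`, at `checked`. */
int cookie_roundtrip(uint32_t issued, uint32_t checked, uint8_t addr_last, uint16_t port, int tamper)
{
    uint8_t addr[16], cookie[COOKIE_LEN];
    memcpy(addr, DEMO_ADDR, 16);
    addr[15] = addr_last;
    if (cookie_generate(DEMO_KEY, DEMO_ADDR, 16, 5684, issued, cookie) != COOKIE_LEN) return -1;
    if (tamper) cookie[COOKIE_LEN - 1] ^= 0x01;
    return cookie_verify(DEMO_KEY, addr, 16, port, checked, cookie, COOKIE_LEN);
}
```

The server keeps no state per client: everything verify_cookie() needs is in the cookie itself, the peer address it arrives from, and the secret, which is what makes the exchange a cheap defence against spoofed ClientHello floods. The tag is checked before the timestamp is even parsed, so an attacker cannot probe the expiry logic with forged cookies, and the comparison is constant-time so the tag cannot be guessed byte by byte. Rotating the secret invalidates all outstanding cookies, which only costs the affected clients one extra round trip.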