1
我有一個演示代碼dtls,它適用於ipv4。但是在我修改爲ipv6後,它在握手階段失敗。 服務器這樣的代碼:在ipv6 DTLS握手失敗
SSL_load_error_strings();
SSL_library_init();
SSL_CTX *ctx = SSL_CTX_new(DTLSv1_server_method());
if(SSL_CTX_use_certificate_chain_file(ctx, "path/to/crt") !=1)
ERR_print_errors_fp(stderr);
if(SSL_CTX_use_PrivateKey_file(ctx, "path/to/key", SSL_FILETYPE_PEM) != 1)
ERR_print_errors_fp(stderr);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cert);
SSL_CTX_set_read_ahead(ctx, 1);
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
SSL_CTX_set_cipher_list(ctx, "ALL:NULL:eNULL:aNULL");
int fd = socket(AF_INET6, SOCK_DGRAM, 0);
struct sockaddr_in6 server_addr;
memset(&server_addr, 0, sizeof(server_addr));
server_addr.sin6_family = AF_INET6;
server_addr.sin6_port = htons(MYPORT);
server_addr.sin6_addr = in6addr_any;
int flag = 1;
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(flag)) < 0)
perror("server reuse addr");
#ifdef SO_REUSEPORT
if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &flag, sizeof(flag)) < 0)
perror("server reuse port");
#endif
if(bind(fd, (struct sockaddr *)&server_addr, sizeof(server_addr)))
perror("bind server fd");
BIO *bio = BIO_new_dgram(fd, BIO_NOCLOSE);
SSL *ssl = SSL_new(ctx);
SSL_set_bio(ssl, bio, bio);
/* Enable cookie exchange */
SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
fprintf(stderr, "Wait for incoming connections\n");
struct sockaddr_in6 client_addr;
while(1){
int ret = DTLSv1_listen(ssl, &client_addr);
if(ret < 0){
ERR_print_errors_fp(stderr);
}
if(ret > 0)
break;
}
fprintf(stderr, "Handle client connection\n");
int client_fd = socket(client_addr.sin6_family, SOCK_DGRAM, 0);
if (setsockopt(client_fd, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(flag)) < 0)
perror("reuse addr");
#ifdef SO_REUSEPORT
if (setsockopt(client_fd, SOL_SOCKET, SO_REUSEPORT, &flag, sizeof(flag)) < 0)
perror("reuse port");
#endif
if(bind(client_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)))
perror("bind client fd");
if(connect(client_fd, (struct sockaddr *)&client_addr, sizeof(client_addr)))
perror("connect client");
BIO *cbio = SSL_get_rbio(ssl);
BIO_set_fd(cbio, client_fd, BIO_NOCLOSE);
BIO_ctrl(cbio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr);
fprintf(stderr, "waiting SSL_accept\n");
if(SSL_accept(ssl)!=1){
ERR_print_errors_fp(stderr);
}
fprintf(stderr, "SSL_accept completed\n");
和客戶端的代碼是:
SSL_load_error_strings();
SSL_library_init();
SSL_CTX *ctx = SSL_CTX_new(DTLSv1_client_method());
SSL_CTX_set_read_ahead(ctx, 1);
union {
struct sockaddr_storage ss;
struct sockaddr_in6 s6;
struct sockaddr_in s4;
} server_addr;
int fd;
memset(&server_addr, 0, sizeof(server_addr));
if(inet_pton(AF_INET, argv[1], &server_addr.s4.sin_addr) == 1){
fd = socket(AF_INET, SOCK_DGRAM, 0);
server_addr.s4.sin_family = AF_INET;
server_addr.s4.sin_port = htons(MYPORT);
}else if(inet_pton(AF_INET6, argv[1], &server_addr.s6.sin6_addr) ==1){
fd = socket(AF_INET6, SOCK_DGRAM, 0);
server_addr.s6.sin6_family = AF_INET6;
server_addr.s6.sin6_port = htons(MYPORT);
}else{
fprintf(stderr, "Wrong ip format\n");
return 1;
}
if(connect(fd, (struct sockaddr*)&server_addr, sizeof(server_addr)))
perror("connect");
BIO *bio = BIO_new_dgram(fd, BIO_NOCLOSE);
BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &server_addr);
SSL *ssl = SSL_new(ctx);
SSL_set_bio(ssl, bio, bio);
fprintf(stderr, "waiting SSL_connect\n");
if(SSL_connect(ssl)!=1)
ERR_print_errors_fp(stderr);
fprintf(stderr, "SSL connected\n");
似乎在SSL_accept並沒有所以SSL_connect回報。 我通過僅將sockaddr_in更改爲sockaddr_in6來修改了代碼。 OpenSSL的版本是:在Linux上
1.0.2h我也抓住了使用Wireshark的包: 
有人能告訴我什麼是錯誤的代碼?
DTLS在1.0.2及更低版本中遇到了一些問題。我似乎回想起他們在OpenSSL郵件列表中討論並修復。 [OpenSSL Master](http://openssl.org/source/gitrepo.html)應該沒問題。我不記得它是否被移植回1.0.2及更低版本。我會先嚐試法師,看看是否清除問題。另外,你可以使用's_client'和's_server'建立連接嗎? – jww
@jww我找不到一個arg來讓s_sever綁定一個ipv6端口。而s_client也無法連接到我的服務器。 – choury