Support for large certificate sizes in DTLS now available!

By Joshua C. Colp

When DTLS support was added to Asterisk, the information about how to use DTLS in OpenSSL was not as fleshed out as it is today. As a result, the implementation was written to use OpenSSL memory buffers (memory BIOs): places where OpenSSL puts received data, and which it consults when sending a packet. These worked perfectly well for a period of time, until certificate sizes increased. Memory buffers are inherently unaware of packet sizes or boundaries, so when consulted they return the full packet as one unit. This pushes fragmentation down to the TCP/IP layer, which is problematic. To support large certificate sizes, this needed to change.

The DTLS support now implements its own BIO (an I/O abstraction defined by OpenSSL) that supports fragmentation when sending traffic. When queried, the BIO returns a configured MTU (dtls_mtu in rtp.conf), which informs OpenSSL that it should fragment the packet itself instead of relying on the TCP/IP layer. Once fragmented, each piece is handed to Asterisk to send out. This allows large certificates to be fragmented at the DTLS layer rather than the TCP/IP layer, so they work as expected. If you’ve had certificate problems in the past, I suggest giving the latest version of Asterisk a try and seeing if they are resolved. If not, don’t hesitate to file an issue on the Asterisk issue tracker!
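To make concrete what "fragmenting at the DTLS layer" means, here is an added example (not Asterisk's or OpenSSL's code) that splits a handshake message body, such as a large Certificate, into DTLS 1.2 records that each fit a given MTU; this is the equivalent of what OpenSSL does internally once the BIO reports dtls_mtu. The 13-byte record header and 12-byte handshake header layouts follow RFC 6347; the message type, sequence numbers and epoch are constructed values.

```c
/* Illustrative DTLS 1.2 handshake fragmenter (added example, not Asterisk or
 * OpenSSL code). Each fragment carries fragment_offset/fragment_length so the
 * peer can reassemble the message without any IP-level fragmentation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DTLS_RECORD_HDR 13   /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_HS_HDR 12       /* msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3) */
#define DTLS_VERSION 0xFEFD  /* DTLS 1.2 on the wire */
#define HS_CERTIFICATE 11    /* HandshakeType certificate */

static void put24(uint8_t *p, uint32_t v) { p[0] = v >> 16; p[1] = v >> 8; p[2] = v; }

/* Writes one record carrying body[off .. off+len) to out; returns bytes written. */
static size_t write_fragment(uint8_t *out, uint8_t msg_type, uint16_t msg_seq,
                             uint64_t rec_seq, const uint8_t *body, uint32_t total,
                             uint32_t off, uint32_t len)
{
    uint8_t *r = out, *h = out + DTLS_RECORD_HDR;
    r[0] = 22;                                  /* ContentType handshake */
    r[1] = DTLS_VERSION >> 8; r[2] = DTLS_VERSION & 0xff;
    r[3] = 0; r[4] = 0;                         /* epoch 0: handshake is in the clear */
    for (int i = 0; i < 6; i++) r[5 + i] = rec_seq >> (8 * (5 - i));
    r[11] = (DTLS_HS_HDR + len) >> 8; r[12] = (DTLS_HS_HDR + len) & 0xff;
    h[0] = msg_type; put24(h + 1, total);       /* length of the WHOLE message */
    h[4] = msg_seq >> 8; h[5] = msg_seq & 0xff;
    put24(h + 6, off); put24(h + 9, len);       /* where this piece fits */
    memcpy(h + DTLS_HS_HDR, body + off, len);
    return DTLS_RECORD_HDR + DTLS_HS_HDR + len;
}

/* Fragments a whole Certificate body so no record exceeds mtu bytes. Returns the
 * number of records written to out, or 0 if mtu or out_cap is too small.
 * msg_seq 1 is a constructed value; a real handshake assigns it in order. */
size_t dtls_fragment(const uint8_t *body, uint32_t total, size_t mtu,
                     uint8_t *out, size_t out_cap)
{
    if (mtu <= DTLS_RECORD_HDR + DTLS_HS_HDR) return 0;
    uint32_t chunk = mtu - DTLS_RECORD_HDR - DTLS_HS_HDR, off = 0;
    size_t used = 0, n = 0;
    while (off < total) {
        uint32_t len = total - off < chunk ? total - off : chunk;
        if (used + DTLS_RECORD_HDR + DTLS_HS_HDR + len > out_cap) return 0;
        used += write_fragment(out + used, HS_CERTIFICATE, 1, n, body, total, off, len);
        off += len; n++;
    }
    return n;
}
```

A 3000-byte certificate body with an MTU of 1200 yields three records of 1200, 1200 and 675 bytes, each announcing the full 3000-byte message length plus its own offset.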

About the Author

Joshua C. Colp

Joshua Colp is a Senior Software Developer at Digium and a long-time Asterisk developer. He originally started in the community submitting simple patches and grew into improving and creating new core components of Asterisk itself. He is a self-taught programmer who believes in finding the balance between doing things the way they should be done and doing what is right for the people using the software. In his spare time he enjoys smashing fax machines.