The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
authorMatt Caswell <matt@openssl.org>
Mon, 1 Dec 2014 11:13:15 +0000 (11:13 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 3 Dec 2014 09:32:48 +0000 (09:32 +0000)
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a6e9c645dc0507cad6092d99c9af8f5)

ssl/d1_both.c
ssl/d1_lib.c

index 99a031c..4e68a29 100644 (file)
@@ -350,10 +350,17 @@ int dtls1_do_write(SSL *s, int type)
                         */
                        if ( BIO_ctrl(SSL_get_wbio(s),
                                BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
-                               s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
-                                       BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+                               {
+                               if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+                                       s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
+                                               BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+                               else
+                                       return -1;
+                               }
                        else
+                               {
                                return(-1);
+                               }
                        }
                else
                        {
index f7d681b..1e1c32a 100644 (file)
@@ -416,7 +416,8 @@ int dtls1_check_timeout_num(SSL *s)
        s->d1->timeout.num_alerts++;
 
        /* Reduce MTU after 2 unsuccessful retransmissions */
-       if (s->d1->timeout.num_alerts > 2)
+       if (s->d1->timeout.num_alerts > 2
+                       && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
                {
                s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);               
                }