DTLS in gnutls

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Mar 11 20:59:55 CET 2011

 It seems that gnutls in master repository includes a fully
functional DTLS 1.0 (rfc4347) implementation. Kudos to Jonathan
for creating the initial functional implementation the current
implementation was built on.

Due to DTLS' requirements for handshake, several parts of
gnutls' handshake subsystem were rewritten to allow maximum
re-use between the two protocols (TLS and DTLS). DTLS'
handshake is asynchronous meaning that it might operate
even after gnutls_handshake() is terminated (e.g. retransmit
handshake packets lost by the peer) and this requires
substantial changes to how gnutls' functions can be
called in DTLS. Now I emulate the synchronous behavior
of gnutls_handshake() by waiting for few seconds for
possible retransmissions by peer, and this has the
disadvantage of gnutls_handshake() taking a fixed amount
of seconds irrespective of calculations, but requires
no semantic changes in the rest of the functions
(such as gnutls_record_recv()).

Another solution is to require a DTLS server/client to
call gnutls_record_recv() on every received record, even
if he wasn't expecting one for his application protocol
and reserve a special error code to indicate no data for

I don't like the latter change of semantics, but I cannot
see any obvious way of avoiding it... If you have suggestions
or ideas please let me know.

best regards,

More information about the Gnutls-devel mailing list