ninenines / ranch

Socket acceptor pool for TCP protocols.
ISC License

Issue when using DTLS #344

Open Lazarus404 opened 1 year ago

Lazarus404 commented 1 year ago

Hey guys,

I'm using Ranch successfully for both TCP and TLS in an Elixir project. However, if I pass {:protocol, :dtls} to the opts for DTLS, then the connection fails with:

Failed to start Ranch listener "dtls_listener" in :ranch_ssl:listen(%{socket_opts: [cacerts: :..., key: :..., cert: :..., port: 8080, protocol: :dtls, certfile: "certs/test-cert.pem", keyfile: "certs/test-key.pem"]}) for reason {:options, {:not_supported, {:packet, :raw}}} (unknown POSIX error)

I'm running on a Mac, hence the POSIX error (which I'm sure you can reason yourself). However, I can't seem to find what might be wrong with my code to cause this crash. I've tried setting no opts except the :protocol, and it still errors the same. Do I need to set something else to make this work?

Thanks

voluntas commented 1 year ago

@Lazarus404 DTLS is primarily a cryptographic protocol for UDP, while Ranch provides a mechanism based on TCP. It is not strange that it does not work.

Why are you trying to use DTLS with Ranch?

Lazarus404 commented 1 year ago

Because the documentation suggests that it works (protocol: :tcp or :dtls) and because I need DTLS support in my app. Support for DTLS would mean I don't have to build my own acceptor dispatcher etc. The handling of DTLS packets isn't dissimilar to TCP / TLS. If Ranch doesn't support DTLS, then I'll have to build my own acceptor dispatcher and I may as well not use Ranch at all.

voluntas commented 1 year ago

I see that the documentation does indeed allow DTLS to be specified, but it seems to me that this is probably just because the SSL library allows it to be specified.

I don't think Ranch can do what you want, since Ranch is based on TCP.

A side note ...

I have my own Erlang implementation of the DTLS protocol, but if you want to use DTLS with TURN or WebRTC, I suggest you fork the OTP ssl library or implement a binding such as OpenSSL.

Lazarus404 commented 1 year ago

Okay, thanks.

essen commented 1 year ago

It has not been tested with DTLS and likely does not work with it. If it's impossible to make Ranch able to do DTLS without significant changes then we should perhaps drop the atom from the documentation.

Lazarus404 commented 1 year ago

I do have an app that uses DTLS alongside TLS that handles packet fragmentation. However, I've not got the time to work this into Ranch at the moment. Maybe in December I could find some time?