ANN: PyDTLS

Guido van Rossum guido at python.org
Wed Jan 9 11:10:07 EST 2013 

On Tue, Jan 8, 2013 at 11:38 PM, rbit <py at liquibits.com> wrote:
> On Tue, Jan 8, 2013 at 9:09 PM, Guido van Rossum <guido at python.org> wrote:
>> But don't you have to deal with that when doing synchronous I/O as
>> well? It's a datagram protocol after all.
>
> No: when dealing with blocking sockets, the OpenSSL library activates its
> own retransmission timers, and the application never becomes aware of
> whether timeouts occurred. Since OpenSSL can't do this in the the case of
> non-blocking sockets, it becomes the application's problem to call back into
> OpenSSL at some point in the future (the very same time for which OpenSSL
> would have set its own timeout had the socket been blocking). OpenSSL
> exports functions DTLSv1_get_timeout and DTLSv1_handle_timeout to
> applications to address this case. The timeouts start at one second, and
> double for each encountered timeout, until the timeout ceiling of one
> minutes is reached. I'm using the term "application" here for any code that
> uses the OpenSSL library, but is not part of it.

Got it.

>>> One
>>> such situation occurs during DTLS's handshaking phase: if no response
>>> is received from the peer after some period of time, we must assume
>>> that our most recent datagram has been lost, and so we need to
>>> retransmit.
>>
>> Is this something the transport can handle, or does the protocol (and
>> hence the application) need to be involved here?
>
> Given my current understanding of the PEP, I think this can be handled in
> the transport. Maybe there's some pitfall here that I can't quite see yet -
> even more reason for me to try to implement it.

Yes -- I won't considered the PEP ready for acceptance until several
people have successfully implemented new protocols using it and agree
that they can do everything they need. (I want to get started with a
decent HTTP client and server myself.)

>>> The event loop interface as outlined in the PEP makes this
>>> a bit difficult (as did the asyncore module). One possible way to make
>>> things easier would be by adding two parameters to add_reader: a
>>> callable to retrieve the current timeout, and a callable that is
>>> invoked if that timeout expires before the descriptor becomes
>>> readable. Each loop iteration would then collect all given timeouts,
>>> and pass the minimum of that set to whatever polling facility it
>>> invokes. If that timeout expires, the corresponding timeout handler
>>> would be invoked prior to the next loop iteration.
>>
>> Hm, this would add a fair amount of complexity to the event loop. It's
>> true that I don't have the complete story for timeouts yet, but I am
>> hopeful that things like this can be implemented by using call_later()
>> with some callback that does the retransmit (and resets some internal
>> state), and cancelling that callback whenever a packet is received
>> (i.e. in the protocol's datagram_received() method).
>
> Yes, ok, I can see how that could work, too. I thought that it might make
> sense to centralize handling timeouts in the event loop in order to prevent
> proliferation in the transports (since there are multiple event loop
> implementations, perhaps a mix-in would be good?).

A mix-in for what? Each event loop presumably already has its own
timer implementation; call_later() and call_repeatedly() are supported
in one way or another by all other event loops I'm aware of.

We'll have to have more experience with writing transports and
protocols before we'll know what is really missing.

> I think one will want to
> contain handshake (vs. application data) timeout handling at least to the
> transport, though, and not let it spill over into various protocols. I'm not
> sure yet where the right place is for cancelling a timeout callback.

This seems pretty unique to your TLS-over-UDP use case. I am quite
sure that you can write a transport that suits your purpose with just
the socket, callback and timer primitives in the PEP.

>>> Implementing DTLS as a tulip transport sounds interesting. Is the
>>> tulip package available somewhere so that I can try it out?
>>
>> Absolutely -- it is very much in flux, but you can check out the
>> latest source from http://code.google.com/p/tulip/source/checkout
>> using Mercurial.
>
> All right, thanks, I'll check it out.

Looking forward to your feedback!

-- 
--Guido van Rossum (python.org/~guido)

More information about the Python-list mailing list