{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上一篇《詳解 WebRTC 傳輸安全機制:一文讀懂 DTLS 協議》詳細闡述了 DTLS。本文將結合 DTLS 開發中遇到的問題,詳細解讀 DTLS 的一些基礎概念以及 Fragment 的機制,並進一步深究 DTLS 協議。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作者|泰一","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"審校|進學、莫戰","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"前言","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最近在做 J 和 G 這兩套 RTC 系統的 DTLS-SRTP 握手加密工作,要求使用 CA 機構頒發的證書。在本機調試的過程中發現:G 系統使用 CA 證書,DTLS 握手成功,而 J 系統則握手失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"經過幾番調試與分析,定位到了原因:J 系統相較於 G 系統多了一個 TURN 轉發模塊,該模塊設置的接收緩衝區的上限值爲 1600 字節,而 CA 證書的大小則有近 3000 字節,因此 TURN 模塊轉發給客戶端的證書不完整,導致 DTLS 握手失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大家都知道, WebRTC 的 DTLS 使用的是","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"自簽名","attrs":{}},{"type":"text","text":"的證書,這個證書一般不會太大,如下圖所示,只有 286 字節。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a7/a742137d6106b9eaa358a23edd787c18.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"然而,如果要使用 CA 頒發的證書,那麼這個證書可能會很大,如下圖所示,竟達到了 2772 字節,顯然超出了 TURN 模塊的接收緩衝區的大小。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/af/afc6657da3a0acd27f4f23c16405d9ac.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上圖中,你可能注意到了這個 CA 證書被分成了兩片(two fragments),這其實是 DTLS 協議層做的。不過值得思考的是,CA 證書的每一片的大小都未超出 TURN 模塊接收緩衝區的 1600 字節的限制,但是爲什麼 J 系統的 TURN 轉發模塊依然會接收失敗呢?","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這是因爲證書雖然被分片,但是在發送到 TURN 模塊時並沒有按照分片獨立發送,仍然是全部打包到了同一個 UDP 數據報中進行發送,所以接收肯定會失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面,我們將一起了解下 DTLS Fragment 的機制。首先要理清幾個概念。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Message、Record、Flight","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"DTLS 協議分爲兩層:底層的 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246#section-6","title":"","type":null},"content":[{"type":"text","text":"record protocol","attrs":{}}]},{"type":"text","text":" 和上層的 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.4","title":"","type":null},"content":[{"type":"text","text":"handshake protocol","attrs":{}}]},{"type":"text","text":"、","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.1","title":"","type":null},"content":[{"type":"text","text":"change cipher spec protocol","attrs":{}}]},{"type":"text","text":"、","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.2","title":"","type":null},"content":[{"type":"text","text":"alert protocol","attrs":{}}]},{"type":"text","text":" 以及 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-10","title":"","type":null},"content":[{"type":"text","text":"application data protocol","attrs":{}}]},{"type":"text","text":"。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/25/2598639d37b4ca1a62a42b116c3ac035.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:握手協議、密碼規格變更協議、警告協議、應用數據協議均在 DTLS 記錄協議的上層,這四種協議統稱爲 DTLS 握手協議。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Note:關於記錄和握手這兩層協議各自的作用,這裏就不再贅述,可以參考 ","attrs":{}},{"type":"link","attrs":{"href":"https://yuque.antfin-inc.com/docs/share/95d35c0d-57bb-4c13-b310-67cb16ab4b60?#0f152023","title":"","type":null},"content":[{"type":"text","text":"WebRTC 中 DTLS 的應用","attrs":{}}]},{"type":"text","text":"。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Message","attrs":{}},{"type":"text","text":" 是一條","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"完整的","attrs":{}},{"type":"text","text":" DTLS 消息。比如握手消息:Client Hello、Certificate、Client Key Exchange 等;比如密碼規格變更消息:Change Cipher Spec。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Record","attrs":{}},{"type":"text","text":" 是記錄層(Record Layer)的概念,可以認爲它是一個殼子,裏面裝載着 DTLS Message,如下圖:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/40/4089c29d87d1c134808c5f3c5a5c33c9.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Message 和 Record 是一對一或者一對多的關係","attrs":{}},{"type":"text","text":"。也就是說,一個 Record 不一定裝了一條完整的 Message。因爲有可能是多個 Record 組成一個完整的 Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果 Message 很小,未超過 MTU 的限制,那麼一個 Record 足以裝下一條 Message;如果 Message 很大,超過 MTU 的限制,那麼就需要多個 Record 來裝這條 Message。即這條 DTLS Message 會被分割爲多個 Fragment,然後分別裝入多個 Record。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:最大傳輸單元(Maximum transmission Unit, MTU)是數據鏈路層的概念,MTU 限制的是數據鏈路層的 payload 大小,也就是其上層協議的大小,比如 IP、ICMP。在以太網中,鏈路層的 MTU 是 1500 字節。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如,Certificate 這個握手消息,證書大小很容易就超過 MTU 的限制,那麼這個消息就會被分割爲多個 Fragment 並被分別存放到多個 DTLS Record,每個 Fragment 的大小要保證不超過 MTU 的限制(PS:導讀的第二張圖就是一個實際的例子)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Flight","attrs":{}},{"type":"text","text":" 中文解釋爲 “航班” 或者 “航程”,是一個或者一組打包好的 Message,這組 Message 屬於同一個 “航程”,視爲一個整體,通過單個 UDP 數據報發送。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1b/1bf58f2c42643f9727184c808810aa67.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如上圖所示,本次 DTLS 握手一共有 4 個 Flight。Flight2 是 Server Hello、Certificate、Server Hello Done 這三條 Message 的組合,其中 Certificate 這條 Message 被分割爲兩個 Fragment,裝到兩個 Record 中。Flight2 通過大小爲 2969 字節的 UDP 數據報發送出去。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:Flight2 這個 2969 字節的 UDP 包是在本機環境下調試、抓包得到的,並不代表 MTU 有這麼大,在實際的網絡中,不會出現這種遠超 MTU 限制的數據包。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"到這裏,關於 Message、Record、Flight 的概念就講完了,三者之間的關如下圖:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/15/150ae10affb1dac307336a656861d9fb.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Fragment","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面我們談談,DTLS 爲什麼要對 DTLS Message 做分片。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們知道,受以太網 MTU 影響,UDP 數據報最大爲 1500 字節,超出這個限制就會被 IP 層分片(PS:以太網 MTU 設置爲 1500 字節是爲了最大化信道傳輸利用率)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是如果 IP 層分片機制被禁止呢?這就會導致大於 1500 字節的 UDP 數據報在 IP 層被丟棄。因此,DTLS 要對消息做分片,來滿足 IP 層對報文大小的要求。","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc6347#section-3.2.3","title":"","type":null},"content":[{"type":"text","text":"DTLS1.2: Message Size","attrs":{}}]},{"type":"text","text":" 這一節解釋了這個原因。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"By contrast, UDP datagrams are often limited to < 1500 bytes if IP fragmentation is not desired. In order to compensate for this limitation, each DTLS handshake message may be fragmented over several DTLS records, each of which is intended to fit in a single IP datagram.","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因此,DTLS 的分片機制很簡單:在發送時把 DTLS Message 分割成多個連續的 DTLS Record,在接收時緩存分片,直到擁有完整的 DTLS Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們可以使用 OpenSSL 的這兩個 API 設置 MTU 的大小:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":"cpp"},"content":[{"type":"text","text":"SSL_set_options(dtls, SSL_OP_NO_QUERY_MTU);\nSSL_set_mtu(dtls, 1500);\n","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上面的代碼設置了 MTU 爲 1500,那麼當 DTLS Message 大小超過 1500 字節,就會觸發 DTLS 的分片機制,同理,如果設置 MTU 爲 300,那麼當 DTLS Message 大小超過 300 字節,就會分片。如果不進行設置,那麼 MTU 會走默認值,如下圖所示,證書消息被分割成了若干個大小爲 288 字節的固定的 Fragment。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ee/ee05d61771c967734e6c0b3a8f14524a.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:TLS 底層是 TCP 協議,爲字節流式傳輸,因此 TLS 沒有消息分片機制。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們還可使用下面的 API 設置 Fragment 的大小的上限:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":"cpp"},"content":[{"type":"text","text":"SSL_set_max_send_fragment(dtls, 1500);\n","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後,我們回到","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"導讀","attrs":{}},{"type":"text","text":"描述的問題:證書消息實際上確實被分割爲兩片並分別存儲到兩個 Record,但是由於在發送的時候還是打包到了一個 UDP 數據報,因此,過大的 UDP 數據報導致 TURN 模塊並未接收完整。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更詳細的原因是:我們使用的是內存型的 BIO,在應用層調用 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"BIO_get_mem_data","attrs":{}}],"attrs":{}},{"type":"text","text":" 得到的是關於 DTLS Message 的一塊連續的內存(雖然這塊內存中的證書消息已經被 DTLS 切成兩個連續的 Fragment 並存在兩個 Record 中),而應用層在獲取到這塊內存後就直接通過 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"sendto","attrs":{}}],"attrs":{}},{"type":"text","text":" 函數發送給了對端,因此,這個 UDP 報文當然還是特別大,導致接收失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"回過頭來再看下","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"導讀","attrs":{}},{"type":"text","text":"中證書消息分片的這張圖,兩個 Record 的 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"message sequence","attrs":{}}],"attrs":{}},{"type":"text","text":" 字段值相同,說明這是同一個 DTLS Message 的兩個 Fragment。且每個 Record 都有 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"fragment offset","attrs":{}}],"attrs":{}},{"type":"text","text":" 和 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"fragment length","attrs":{}}],"attrs":{}},{"type":"text","text":" 這兩個字段,用來標識分片的邊界。所以,我們可以根據這兩個字段去解析出每一個獨立的 Fragment。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當然,根據 Record 頭部的 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"Length","attrs":{}}],"attrs":{}},{"type":"text","text":" 字段足以確定邊界,這會使應用層的解析更加方便。所以,要解決這個問題,應用層要做的是:對從 BIO 獲取到的這塊消息內存進行解析,得到每個 Record 的邊界,然後將每個 Record 以獨立的 UDP 報文發送出去。具體的解析代碼這裏就不貼出來了,非常簡單。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後,在實踐中發現,","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Record 不能跨 UDP 數據報發送","attrs":{}},{"type":"text","text":",","attrs":{}},{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/html/rfc6347#section-4.1.1","title":"","type":null},"content":[{"type":"text","text":"DTLS 1.2: Transport Layer Mapping","attrs":{}}]},{"type":"text","text":" 這一節也交代了這一點。也就是說,應用層要嚴格的按照 Record 的邊界解析出每一個 Record,分別通過獨立的 UDP 數據報發送,而不能按照自己的意願隨意劃分爲若干個 UDP 數據報發送。因爲這可能會導致某個 DTLS Record 被切分到多個 UDP 數據報發送,從而導致接收端 DTLS 無法將收到的 DTLS Records 重組爲完整的 DTLS Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是 DTLS 分片獨立發送後的效果:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/83/83bf926d6d0a9ea8f6da31065cc20c8e.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有興趣的讀者可以參考我寫的 ","attrs":{}},{"type":"link","attrs":{"href":"github","title":"","type":null},"content":[{"type":"text","text":"DTLS demo","attrs":{}}]},{"type":"text","text":",它實現了簡單的 DTLS 握手和分片獨立發送。也可以參考 ","attrs":{}},{"type":"link","attrs":{"href":"https://github.com/ossrs/srs","title":"","type":null},"content":[{"type":"text","text":"開源視頻服務器 SRS","attrs":{}}]},{"type":"text","text":" 的 DTLS 實現,更加簡潔和詳盡。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於超過 MTU 限制的 DTLS Message,DTLS 會把它分割爲多個 Fragment, 並分別存儲到各個 DTLS Record 中,因此一個 Fragment 一定是一個 DTLS Record。對於未超過 MTU 限制的 DTLS Message,則不會被分片,也是存儲到 DTLS Record 中,因此一個 DTLS Record 不一定是一個 Fragment,也有可能是一個完整的 DTLS Message。另外,MTU 的大小以及 Fragment 的最大值都可以使用 OpenSSL 的 API 進行設置。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於我們通過內存型 BIO 獲取到了存儲了各個 DTLS Message 的這塊連續內存後,直接將其打包爲 Flight,並通過單獨的 UDP 數據報文發送,因此這個 UDP 包仍然還是那麼大,超出了 TURN 模塊接收緩衝區的上限和 MTU 的限制。所以爲了做到真正的分片獨立發送,需要應用層自己去做 Fragment 的解析(其實就是解析 Record 的邊界),並分別通過獨立的 UDP 報文發送。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"我們在解決了一個問題後,還要再問一下自己有沒有引入新的問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"獨立發送每個 DTLS Record,雖然解決了 DTLS Message 超過 MTU 限制的問題,但是這也增加了 UDP 報文的數量,因此丟包的概率也會相應的增加,DTLS 重傳次數增加,握手的成功率降低。解決這個問題的一個方法是:不必每個 DTLS Record 都單獨 UDP 發送,可以多個 DTLS Record 發送,只要能保證它們加起來的大小不超過 MTU 的限制就可以。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同時,","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"我們也要問一下自己有沒有更好的方法","attrs":{}},{"type":"text","text":"。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如目前的解決方法是應用層自己實現 Record 解析並獨立發送,那麼 OpenSSL 是否已經有相關的 API 實現類似的功能,再比如 BIO 有沒有相關的 API 可以告訴我們讀取的內存數據中 Record 的數量以及每個 Record 的邊界?這個問題,以後有時間再調研吧。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"感謝閱讀。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"參考","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc6347","title":"","type":null},"content":[{"type":"text","text":"DTLS 1.2","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246","title":"","type":null},"content":[{"type":"text","text":"TLS 1.2","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"「視頻雲技術」你最值得關注的音視頻技術公衆號,每週推送來自阿里雲一線的實踐技術文章,在這裏與音視頻領域一流工程師交流切磋。公衆號後臺回覆【技術】可加入阿里雲視頻雲技術交流羣,和作者一起探討音視頻技術,獲取更多行業最新信息。","attrs":{}}]}],"attrs":{}}]}
上手 WebRTC DTLS 遇到很多 BUG?淺談 DTLS Fragment
{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上一篇《詳解 WebRTC 傳輸安全機制:一文讀懂 DTLS 協議》詳細闡述了 DTLS。本文將結合 DTLS 開發中遇到的問題,詳細解讀 DTLS 的一些基礎概念以及 Fragment 的機制,並進一步深究 DTLS 協議。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作者|泰一","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"審校|進學、莫戰","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"前言","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最近在做 J 和 G 這兩套 RTC 系統的 DTLS-SRTP 握手加密工作,要求使用 CA 機構頒發的證書。在本機調試的過程中發現:G 系統使用 CA 證書,DTLS 握手成功,而 J 系統則握手失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"經過幾番調試與分析,定位到了原因:J 系統相較於 G 系統多了一個 TURN 轉發模塊,該模塊設置的接收緩衝區的上限值爲 1600 字節,而 CA 證書的大小則有近 3000 字節,因此 TURN 模塊轉發給客戶端的證書不完整,導致 DTLS 握手失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大家都知道, WebRTC 的 DTLS 使用的是","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"自簽名","attrs":{}},{"type":"text","text":"的證書,這個證書一般不會太大,如下圖所示,只有 286 字節。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a7/a742137d6106b9eaa358a23edd787c18.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"然而,如果要使用 CA 頒發的證書,那麼這個證書可能會很大,如下圖所示,竟達到了 2772 字節,顯然超出了 TURN 模塊的接收緩衝區的大小。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/af/afc6657da3a0acd27f4f23c16405d9ac.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上圖中,你可能注意到了這個 CA 證書被分成了兩片(two fragments),這其實是 DTLS 協議層做的。不過值得思考的是,CA 證書的每一片的大小都未超出 TURN 模塊接收緩衝區的 1600 字節的限制,但是爲什麼 J 系統的 TURN 轉發模塊依然會接收失敗呢?","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這是因爲證書雖然被分片,但是在發送到 TURN 模塊時並沒有按照分片獨立發送,仍然是全部打包到了同一個 UDP 數據報中進行發送,所以接收肯定會失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面,我們將一起了解下 DTLS Fragment 的機制。首先要理清幾個概念。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Message、Record、Flight","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"DTLS 協議分爲兩層:底層的 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246#section-6","title":"","type":null},"content":[{"type":"text","text":"record protocol","attrs":{}}]},{"type":"text","text":" 和上層的 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.4","title":"","type":null},"content":[{"type":"text","text":"handshake protocol","attrs":{}}]},{"type":"text","text":"、","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.1","title":"","type":null},"content":[{"type":"text","text":"change cipher spec protocol","attrs":{}}]},{"type":"text","text":"、","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-7.2","title":"","type":null},"content":[{"type":"text","text":"alert protocol","attrs":{}}]},{"type":"text","text":" 以及 ","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246?section-7.2#section-10","title":"","type":null},"content":[{"type":"text","text":"application data protocol","attrs":{}}]},{"type":"text","text":"。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/25/2598639d37b4ca1a62a42b116c3ac035.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:握手協議、密碼規格變更協議、警告協議、應用數據協議均在 DTLS 記錄協議的上層,這四種協議統稱爲 DTLS 握手協議。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Note:關於記錄和握手這兩層協議各自的作用,這裏就不再贅述,可以參考 ","attrs":{}},{"type":"link","attrs":{"href":"https://yuque.antfin-inc.com/docs/share/95d35c0d-57bb-4c13-b310-67cb16ab4b60?#0f152023","title":"","type":null},"content":[{"type":"text","text":"WebRTC 中 DTLS 的應用","attrs":{}}]},{"type":"text","text":"。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Message","attrs":{}},{"type":"text","text":" 是一條","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"完整的","attrs":{}},{"type":"text","text":" DTLS 消息。比如握手消息:Client Hello、Certificate、Client Key Exchange 等;比如密碼規格變更消息:Change Cipher Spec。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Record","attrs":{}},{"type":"text","text":" 是記錄層(Record Layer)的概念,可以認爲它是一個殼子,裏面裝載着 DTLS Message,如下圖:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/40/4089c29d87d1c134808c5f3c5a5c33c9.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Message 和 Record 是一對一或者一對多的關係","attrs":{}},{"type":"text","text":"。也就是說,一個 Record 不一定裝了一條完整的 Message。因爲有可能是多個 Record 組成一個完整的 Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果 Message 很小,未超過 MTU 的限制,那麼一個 Record 足以裝下一條 Message;如果 Message 很大,超過 MTU 的限制,那麼就需要多個 Record 來裝這條 Message。即這條 DTLS Message 會被分割爲多個 Fragment,然後分別裝入多個 Record。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:最大傳輸單元(Maximum transmission Unit, MTU)是數據鏈路層的概念,MTU 限制的是數據鏈路層的 payload 大小,也就是其上層協議的大小,比如 IP、ICMP。在以太網中,鏈路層的 MTU 是 1500 字節。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如,Certificate 這個握手消息,證書大小很容易就超過 MTU 的限制,那麼這個消息就會被分割爲多個 Fragment 並被分別存放到多個 DTLS Record,每個 Fragment 的大小要保證不超過 MTU 的限制(PS:導讀的第二張圖就是一個實際的例子)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Flight","attrs":{}},{"type":"text","text":" 中文解釋爲 “航班” 或者 “航程”,是一個或者一組打包好的 Message,這組 Message 屬於同一個 “航程”,視爲一個整體,通過單個 UDP 數據報發送。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1b/1bf58f2c42643f9727184c808810aa67.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如上圖所示,本次 DTLS 握手一共有 4 個 Flight。Flight2 是 Server Hello、Certificate、Server Hello Done 這三條 Message 的組合,其中 Certificate 這條 Message 被分割爲兩個 Fragment,裝到兩個 Record 中。Flight2 通過大小爲 2969 字節的 UDP 數據報發送出去。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:Flight2 這個 2969 字節的 UDP 包是在本機環境下調試、抓包得到的,並不代表 MTU 有這麼大,在實際的網絡中,不會出現這種遠超 MTU 限制的數據包。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"到這裏,關於 Message、Record、Flight 的概念就講完了,三者之間的關如下圖:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/15/150ae10affb1dac307336a656861d9fb.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Fragment","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面我們談談,DTLS 爲什麼要對 DTLS Message 做分片。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們知道,受以太網 MTU 影響,UDP 數據報最大爲 1500 字節,超出這個限制就會被 IP 層分片(PS:以太網 MTU 設置爲 1500 字節是爲了最大化信道傳輸利用率)。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是如果 IP 層分片機制被禁止呢?這就會導致大於 1500 字節的 UDP 數據報在 IP 層被丟棄。因此,DTLS 要對消息做分片,來滿足 IP 層對報文大小的要求。","attrs":{}},{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc6347#section-3.2.3","title":"","type":null},"content":[{"type":"text","text":"DTLS1.2: Message Size","attrs":{}}]},{"type":"text","text":" 這一節解釋了這個原因。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"By contrast, UDP datagrams are often limited to < 1500 bytes if IP fragmentation is not desired. In order to compensate for this limitation, each DTLS handshake message may be fragmented over several DTLS records, each of which is intended to fit in a single IP datagram.","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因此,DTLS 的分片機制很簡單:在發送時把 DTLS Message 分割成多個連續的 DTLS Record,在接收時緩存分片,直到擁有完整的 DTLS Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們可以使用 OpenSSL 的這兩個 API 設置 MTU 的大小:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":"cpp"},"content":[{"type":"text","text":"SSL_set_options(dtls, SSL_OP_NO_QUERY_MTU);\nSSL_set_mtu(dtls, 1500);\n","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上面的代碼設置了 MTU 爲 1500,那麼當 DTLS Message 大小超過 1500 字節,就會觸發 DTLS 的分片機制,同理,如果設置 MTU 爲 300,那麼當 DTLS Message 大小超過 300 字節,就會分片。如果不進行設置,那麼 MTU 會走默認值,如下圖所示,證書消息被分割成了若干個大小爲 288 字節的固定的 Fragment。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ee/ee05d61771c967734e6c0b3a8f14524a.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Remark:TLS 底層是 TCP 協議,爲字節流式傳輸,因此 TLS 沒有消息分片機制。","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們還可使用下面的 API 設置 Fragment 的大小的上限:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":"cpp"},"content":[{"type":"text","text":"SSL_set_max_send_fragment(dtls, 1500);\n","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後,我們回到","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"導讀","attrs":{}},{"type":"text","text":"描述的問題:證書消息實際上確實被分割爲兩片並分別存儲到兩個 Record,但是由於在發送的時候還是打包到了一個 UDP 數據報,因此,過大的 UDP 數據報導致 TURN 模塊並未接收完整。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更詳細的原因是:我們使用的是內存型的 BIO,在應用層調用 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"BIO_get_mem_data","attrs":{}}],"attrs":{}},{"type":"text","text":" 得到的是關於 DTLS Message 的一塊連續的內存(雖然這塊內存中的證書消息已經被 DTLS 切成兩個連續的 Fragment 並存在兩個 Record 中),而應用層在獲取到這塊內存後就直接通過 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"sendto","attrs":{}}],"attrs":{}},{"type":"text","text":" 函數發送給了對端,因此,這個 UDP 報文當然還是特別大,導致接收失敗。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"回過頭來再看下","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"導讀","attrs":{}},{"type":"text","text":"中證書消息分片的這張圖,兩個 Record 的 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"message sequence","attrs":{}}],"attrs":{}},{"type":"text","text":" 字段值相同,說明這是同一個 DTLS Message 的兩個 Fragment。且每個 Record 都有 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"fragment offset","attrs":{}}],"attrs":{}},{"type":"text","text":" 和 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"fragment length","attrs":{}}],"attrs":{}},{"type":"text","text":" 這兩個字段,用來標識分片的邊界。所以,我們可以根據這兩個字段去解析出每一個獨立的 Fragment。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當然,根據 Record 頭部的 ","attrs":{}},{"type":"codeinline","content":[{"type":"text","text":"Length","attrs":{}}],"attrs":{}},{"type":"text","text":" 字段足以確定邊界,這會使應用層的解析更加方便。所以,要解決這個問題,應用層要做的是:對從 BIO 獲取到的這塊消息內存進行解析,得到每個 Record 的邊界,然後將每個 Record 以獨立的 UDP 報文發送出去。具體的解析代碼這裏就不貼出來了,非常簡單。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後,在實踐中發現,","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"DTLS Record 不能跨 UDP 數據報發送","attrs":{}},{"type":"text","text":",","attrs":{}},{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/html/rfc6347#section-4.1.1","title":"","type":null},"content":[{"type":"text","text":"DTLS 1.2: Transport Layer Mapping","attrs":{}}]},{"type":"text","text":" 這一節也交代了這一點。也就是說,應用層要嚴格的按照 Record 的邊界解析出每一個 Record,分別通過獨立的 UDP 數據報發送,而不能按照自己的意願隨意劃分爲若干個 UDP 數據報發送。因爲這可能會導致某個 DTLS Record 被切分到多個 UDP 數據報發送,從而導致接收端 DTLS 無法將收到的 DTLS Records 重組爲完整的 DTLS Message。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是 DTLS 分片獨立發送後的效果:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/83/83bf926d6d0a9ea8f6da31065cc20c8e.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有興趣的讀者可以參考我寫的 ","attrs":{}},{"type":"link","attrs":{"href":"github","title":"","type":null},"content":[{"type":"text","text":"DTLS demo","attrs":{}}]},{"type":"text","text":",它實現了簡單的 DTLS 握手和分片獨立發送。也可以參考 ","attrs":{}},{"type":"link","attrs":{"href":"https://github.com/ossrs/srs","title":"","type":null},"content":[{"type":"text","text":"開源視頻服務器 SRS","attrs":{}}]},{"type":"text","text":" 的 DTLS 實現,更加簡潔和詳盡。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於超過 MTU 限制的 DTLS Message,DTLS 會把它分割爲多個 Fragment, 並分別存儲到各個 DTLS Record 中,因此一個 Fragment 一定是一個 DTLS Record。對於未超過 MTU 限制的 DTLS Message,則不會被分片,也是存儲到 DTLS Record 中,因此一個 DTLS Record 不一定是一個 Fragment,也有可能是一個完整的 DTLS Message。另外,MTU 的大小以及 Fragment 的最大值都可以使用 OpenSSL 的 API 進行設置。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於我們通過內存型 BIO 獲取到了存儲了各個 DTLS Message 的這塊連續內存後,直接將其打包爲 Flight,並通過單獨的 UDP 數據報文發送,因此這個 UDP 包仍然還是那麼大,超出了 TURN 模塊接收緩衝區的上限和 MTU 的限制。所以爲了做到真正的分片獨立發送,需要應用層自己去做 Fragment 的解析(其實就是解析 Record 的邊界),並分別通過獨立的 UDP 報文發送。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"我們在解決了一個問題後,還要再問一下自己有沒有引入新的問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"獨立發送每個 DTLS Record,雖然解決了 DTLS Message 超過 MTU 限制的問題,但是這也增加了 UDP 報文的數量,因此丟包的概率也會相應的增加,DTLS 重傳次數增加,握手的成功率降低。解決這個問題的一個方法是:不必每個 DTLS Record 都單獨 UDP 發送,可以多個 DTLS Record 發送,只要能保證它們加起來的大小不超過 MTU 的限制就可以。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同時,","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"我們也要問一下自己有沒有更好的方法","attrs":{}},{"type":"text","text":"。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如目前的解決方法是應用層自己實現 Record 解析並獨立發送,那麼 OpenSSL 是否已經有相關的 API 實現類似的功能,再比如 BIO 有沒有相關的 API 可以告訴我們讀取的內存數據中 Record 的數量以及每個 Record 的邊界?這個問題,以後有時間再調研吧。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"感謝閱讀。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"參考","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc6347","title":"","type":null},"content":[{"type":"text","text":"DTLS 1.2","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://tools.ietf.org/html/rfc5246","title":"","type":null},"content":[{"type":"text","text":"TLS 1.2","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"「視頻雲技術」你最值得關注的音視頻技術公衆號,每週推送來自阿里雲一線的實踐技術文章,在這裏與音視頻領域一流工程師交流切磋。公衆號後臺回覆【技術】可加入阿里雲視頻雲技術交流羣,和作者一起探討音視頻技術,獲取更多行業最新信息。","attrs":{}}]}],"attrs":{}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章