Support for large certificate sizes in DTLS now available!

When DTLS support in Asterisk was added, the information about how to use DTLS in OpenSSL was not as fleshed out as it is today. The implementation was therefore written to use OpenSSL memory buffers: places for OpenSSL to put received data, and places for OpenSSL to consult when sending a packet. These worked perfectly fine for a period of time, until certificate sizes increased. Memory buffers are inherently unaware of packet sizes or boundaries, so when consulted they return the full packet itself. This pushes fragmentation down to the TCP/IP layer, which is problematic. To support large certificate sizes this needed to be changed.

The DTLS support now implements its own BIO (an I/O abstraction defined by OpenSSL) that supports fragmentation when sending traffic. When queried, the BIO returns a configured MTU (dtls_mtu in rtp.conf), which tells OpenSSL to fragment the packet itself instead of relying on the TCP/IP layer. Each fragment is then given to Asterisk for sending. This allows large certificates to be fragmented at the DTLS layer instead of the TCP/IP layer, so they work as expected. If you've had certificate problems in the past I suggest giving the latest version of Asterisk a try and seeing if they are resolved. If not, don't hesitate to file an issue on the Asterisk issue tracker!
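To make the mechanism concrete, here is an added example (not Asterisk's code and not OpenSSL's BIO implementation) that models what the MTU-aware BIO enables. A stand-in `struct mtu_bio` answers an MTU query (the role played by the `BIO_CTRL_DGRAM_QUERY_MTU` control in a real OpenSSL BIO's ctrl callback); the sender consults it and splits a large handshake message such as a Certificate into DTLS 1.2 records that each fit the MTU, using the standard handshake fragment header (message_seq, fragment_offset, fragment_length). A receiver-side reassembler shows the bounds checks a peer must apply to those fields before copying fragment bytes. Names (`mtu_bio`, `demo_roundtrip`), the constructed 3000-byte payload and the MTU values are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DTLS 1.2 record header: type(1) version(2) epoch(2) sequence(6) length(2). */
#define DTLS_RECORD_HDR 13
/* DTLS handshake header: msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3). */
#define DTLS_HS_HDR 12
#define HS_TYPE_CERTIFICATE 11

/* Stand-in for the I/O abstraction (hypothetical name; not Asterisk's BIO).
 * The sender asks it for the path MTU before building each record, which is
 * what BIO_CTRL_DGRAM_QUERY_MTU does for a real OpenSSL BIO. */
struct mtu_bio {
    size_t mtu; /* configured value, the role dtls_mtu in rtp.conf plays */
};

static size_t mtu_bio_query_mtu(const struct mtu_bio *b) { return b->mtu; }

/* One datagram ready to be handed to the application for sending. */
struct datagram {
    unsigned char *data;
    size_t len;
};

static void put24(unsigned char *p, uint32_t v) { p[0] = (unsigned char)(v >> 16); p[1] = (unsigned char)(v >> 8); p[2] = (unsigned char)v; }
static uint32_t get24(const unsigned char *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Split one handshake message into records that each fit the MTU.
 * Returns the number of datagrams written to out, or -1 on error. */
static int dtls_fragment_handshake(const struct mtu_bio *bio, uint8_t msg_type, uint16_t msg_seq,
                                   const unsigned char *msg, size_t msg_len,
                                   struct datagram *out, size_t max_out)
{
    size_t mtu = mtu_bio_query_mtu(bio), offset = 0, payload_max;
    int n = 0;
    if (mtu <= DTLS_RECORD_HDR + DTLS_HS_HDR || msg_len > 0xFFFFFF)
        return -1; /* no room for payload, or message too large for a 24-bit length */
    payload_max = mtu - DTLS_RECORD_HDR - DTLS_HS_HDR;
    while (offset < msg_len) {
        size_t chunk = msg_len - offset, body;
        unsigned char *p, *h;
        if ((size_t)n >= max_out) return -1;
        if (chunk > payload_max) chunk = payload_max;
        body = DTLS_HS_HDR + chunk;
        if (!(p = malloc(DTLS_RECORD_HDR + body))) return -1;
        /* Record header: handshake(22), DTLS 1.2 (0xfefd), epoch 0, 48-bit sequence number = n. */
        p[0] = 22; p[1] = 0xfe; p[2] = 0xfd; p[3] = 0; p[4] = 0;
        memset(p + 5, 0, 6); p[9] = (unsigned char)(n >> 8); p[10] = (unsigned char)n;
        p[11] = (unsigned char)(body >> 8); p[12] = (unsigned char)body;
        /* Handshake header: msg_type, total length and message_seq repeat on every fragment; only the offset moves. */
        h = p + DTLS_RECORD_HDR;
        h[0] = msg_type; put24(h + 1, (uint32_t)msg_len);
        h[4] = (unsigned char)(msg_seq >> 8); h[5] = (unsigned char)msg_seq;
        put24(h + 6, (uint32_t)offset); put24(h + 9, (uint32_t)chunk);
        memcpy(h + DTLS_HS_HDR, msg + offset, chunk);
        out[n].data = p; out[n].len = DTLS_RECORD_HDR + body;
        n++; offset += chunk;
    }
    return n;
}

/* Receiver side: reassemble fragments, in any order, into buf.
 * Returns 1 when the whole message is present, 0 if still incomplete, -1 if a
 * fragment is malformed. Offset and length are checked against the declared
 * message length and the record length before any byte is copied. */
static int dtls_reassemble(const struct datagram *in, size_t count,
                           unsigned char *buf, size_t buf_cap, size_t *out_len)
{
    unsigned char *seen = NULL;
    size_t total = 0, got = 0, i;
    int rc = 0;
    for (i = 0; i < count; i++) {
        const unsigned char *h;
        uint32_t len, off, flen, k;
        if (in[i].len < DTLS_RECORD_HDR + DTLS_HS_HDR || in[i].data[0] != 22) { rc = -1; break; }
        h = in[i].data + DTLS_RECORD_HDR;
        len = get24(h + 1); off = get24(h + 6); flen = get24(h + 9);
        if (!seen) {
            if (len > buf_cap || !(seen = calloc((size_t)len + 1, 1))) { rc = -1; break; }
            total = len;
        } else if (len != total) { rc = -1; break; }
        if (off > total || flen > total - off || DTLS_RECORD_HDR + DTLS_HS_HDR + (size_t)flen > in[i].len) {
            rc = -1; break;
        }
        for (k = 0; k < flen; k++)
            if (!seen[off + k]) { seen[off + k] = 1; got++; }
        memcpy(buf + off, h + DTLS_HS_HDR, flen);
    }
    if (rc == 0 && seen && got == total) { rc = 1; *out_len = total; }
    free(seen);
    return rc;
}

/* Round trip for a constructed msg_len-byte "certificate" at the given MTU.
 * Returns the number of datagrams it took, or -1 if fragmentation, the MTU
 * bound or reassembly failed. */
int demo_roundtrip(size_t msg_len, size_t mtu)
{
    struct mtu_bio bio = { mtu };
    struct datagram frags[64];
    unsigned char *msg = malloc(msg_len + 1), *back = malloc(msg_len + 1);
    size_t i, back_len = 0;
    int n, rc = -1;
    if (!msg || !back) { free(msg); free(back); return -1; }
    for (i = 0; i < msg_len; i++) msg[i] = (unsigned char)(i * 31 + 7); /* constructed payload */
    n = dtls_fragment_handshake(&bio, HS_TYPE_CERTIFICATE, 2, msg, msg_len, frags, 64);
    if (n >= 0) {
        rc = n;
        for (i = 0; i < (size_t)n; i++)
            if (frags[i].len > mtu) rc = -1; /* every datagram must respect the MTU */
        if (rc >= 0 && !(dtls_reassemble(frags, (size_t)n, back, msg_len, &back_len) == 1
                         && back_len == msg_len && memcmp(msg, back, msg_len) == 0))
            rc = -1;
        for (i = 0; i < (size_t)n; i++) free(frags[i].data);
    }
    free(msg); free(back);
    return rc;
}

int main(void)
{
    printf("3000-byte certificate at MTU 1200: %d datagrams\n", demo_roundtrip(3000, 1200));
    printf("100-byte message at MTU 1200: %d datagram(s)\n", demo_roundtrip(100, 1200));
    printf("MTU 20 (too small for any payload): %d\n", demo_roundtrip(3000, 20));
    return 0;
}
```

With a 1200-byte MTU each record carries at most 1175 bytes of handshake payload (1200 minus the 13-byte record header and 12-byte handshake header), so a 3000-byte certificate goes out as three datagrams that the receiver reassembles from the fragment_offset fields; with memory buffers and no MTU answer there would be a single 3025-byte record left for the IP layer to fragment. The reassembler's checks (declared length consistent across fragments, offset plus fragment length within that declared length, fragment length within the record) are the ones a receiving DTLS stack needs so that a malformed fragment cannot write outside the reassembly buffer.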

About the Author

Joshua C. Colp