[gnutls-devel] GnuTLS | DTLS 1.2 Hello Verify Request from coaps Server ignored by libcoap client with GnuTLS (#960)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Fri Mar 27 16:05:45 CET 2020
Pieter Hameete created an issue: https://gitlab.com/gnutls/gnutls/-/issues/960
## Description of problem:
When using libcoap example client built with GnuTLS against a Californium + Scandium COAP Server the DTLS handshake can not be completed. We are using one-way authentication with x509 certificates (issued by Lets Encrypt via DNS01 ACME). Investigation of the Wireshark logs [showed several issues](https://github.com/eclipse/californium/issues/1260#issuecomment-604958705) on the client side (backed by GnuTLS):
* the first CLIENT_HELLO use a Random of 32 \0 bytes, Cookie field MUST be empty.
* CLIENT_HELLO should be retransmitted using same parameters + the cookie in HELLO_VERIFY, in the capture Random change all the time. (see https://tools.ietf.org/html/rfc6347#section-4.2.1)
Note that the libcoap example client with openssl as DTLS library can complete the handshake, as do the Californium Java client, and the go-coap client.
## Version of gnutls used:
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
## How reproducible:
Build libcoap with GnuTLS following the instructions here: https://libcoap.net/install.html
`./examples/coap-client -m get -v 9 "coaps://coap.blockbax.com"`
Alternatively, inspect my Wireshark pcaps:
* [Example failure libcoap-oneway-x509-gnutls.pcap](/uploads/d22f5aac77278a2e1e5adf26bef00b2a/libcoap-oneway-x509-gnutls.pcap)
* [Example success libcoap-oneway-x509-openssl-working.pcap](/uploads/6cb1711722be37b90109ab1368301e41/libcoap-oneway-x509-openssl-working.pcap)
## Actual results:
libcoap example client with GnuTLS as DTLS library ignores Hello Verify Requests from Server and keeps retrying.
## Expected results:
libcoap example client iwth GnuTLS as DTLS library completes DTLS handshake succesfully similar to other clients.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/960
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel