[gnutls-help] DTLS Role Exchange

Simon Bernard contact at simonbernard.eu
Tue Oct 16 16:36:27 CEST 2018


Hi,

I would like to know if it is possible to make GnuTLS work as a DTLS 
client and server on the same address/port (using PSK, RPK and X509)?

Maybe this sounds a bit strange, so I will give some context to help understand it.

I’m working on the LWM2M protocol 
<http://openmobilealliance.org/release/LightweightM2M/V1_0_2-20180209-A/OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf> 
which is based on CoAP <https://tools.ietf.org/html/rfc7252> and DTLS. 
LWM2M supports PSK, RPK and X509.

I’m currently searching how to handle server failover in “server 
initiated mode” 
<https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/410>.

Here is a brief explanation of how it works.

 1. The device has a static/fixed IP address/port.
 2. The device establishes a DTLS connection.
 3. The device registers to the server (server has also a static/fixed
    IP address/port)
 4. Later, server sends request to a registered client.

If the server still has a DTLS connection to the device there is no issue!
Now imagine the DTLS connection is lost (e.g. crash/reboot), we still 
know the device address (registration is persisted) but we don’t have 
any DTLS connection to it.

So a solution could be to make the LWM2M server act as a DTLS client and 
so the LWM2M device should act as a DTLS server.

Just to let you know, the Java Scandium 
<https://github.com/eclipse/californium/> library from Californium can 
act like this.

Here is a Wireshark capture done using Scandium on the device (port 36038) and 
server (port 5684) side (using PSK):

No.  Time          Source     Destination  SrcPort  DstPort  Protocol  Length  Info
1    0.000000000   127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  133     Client Hello
2    0.000359644   127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  102     Hello Verify Request
3    0.005001722   127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  165     Client Hello
4    0.005626495   127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  162     Server Hello, Server Hello Done
5    0.042162424   127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  147     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6    0.061195906   127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  109     Change Cipher Spec, Encrypted Handshake Message
7    0.062815631   127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  179     Application Data (LWM2M REGISTER request from device)
8    0.081334961   127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  97      Application Data (LWM2M REGISTER response from server)
9    8.483287786   127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  90      Application Data (LWM2M READ request from server)
10   8.496936449   127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  213     Application Data (LWM2M READ response from client)
### LWM2M Server (5684) reboots and so loses its DTLS connection to the LWM2M device (36038), ...
### ... the LWM2M Server will establish a new connection and so act as a DTLS client.
11   24.079310967  127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  151     Client Hello
12   24.080362291  127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  102     Hello Verify Request
13   24.083452354  127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  183     Client Hello
14   24.085327257  127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  162     Server Hello, Server Hello Done
15   24.110637371  127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  147     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
16   24.111419901  127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  109     Change Cipher Spec, Encrypted Handshake Message
17   24.113519322  127.0.0.1  127.0.0.1    5684     36038    DTLSv1.2  92      Application Data (LWM2M READ request from server)
18   24.114368265  127.0.0.1  127.0.0.1    36038    5684     DTLSv1.2  108     Application Data (LWM2M READ response from client)

Is the mailing list the right way to ask this question, or should I ask 
this kind of question on GitLab <https://gitlab.com/gnutls/gnutls>?

Simon
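The exchange in the capture above (packets 11 to 18) means the device, while it still holds a session it believes is live, must recognise an unsolicited ClientHello arriving on its fixed port and switch to the DTLS server role for that peer, after a stateless cookie exchange so that a spoofed ClientHello cannot make it discard the existing session. The following demultiplexer is an added example written for this page; it is not GnuTLS or Scandium code and does not do the cryptographic handshake itself. It parses the DTLS record and handshake headers (RFC 6347 sections 4.1 and 4.2), builds the HelloVerifyRequest cookie as an HMAC over the peer address and ClientHello parameters (RFC 6347 section 4.2.1), and replays the reboot scenario with constructed datagrams. The secret, the session table and the peer addresses are constructed for the demo.

```python
"""DTLS record demultiplexer for a fixed-address endpoint that must accept a
handshake initiated by its peer (act as DTLS server) while holding sessions it
opened itself (as DTLS client).  Added example, offline, constructed input."""
import hashlib
import hmac
import struct

DTLS10 = b"\xfe\xff"   # record-layer version on the first ClientHello flight
DTLS12 = b"\xfe\xfd"
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, HELLO_VERIFY_REQUEST = 1, 3


def parse_record(datagram):
    """Split the first DTLS record: type, version, epoch, 48-bit seq, fragment."""
    if len(datagram) < 13:
        raise ValueError("short DTLS record header")
    ctype, ver, epoch, seq_hi, seq_lo, length = struct.unpack("!B2sHHIH", datagram[:13])
    if ver not in (DTLS10, DTLS12):
        raise ValueError("not a DTLS 1.0/1.2 record")
    fragment = datagram[13:13 + length]
    if len(fragment) != length:
        raise ValueError("truncated record body")
    return {"type": ctype, "version": ver, "epoch": epoch,
            "seq": (seq_hi << 32) | seq_lo, "fragment": fragment}


def parse_client_hello(fragment):
    """Return the ClientHello fields, or None if the handshake message is another type.
    Fragmented ClientHellos (offset != 0) are rejected rather than reassembled."""
    if len(fragment) < 12:
        raise ValueError("short handshake header")
    msg_type = fragment[0]
    length = int.from_bytes(fragment[1:4], "big")
    frag_off = int.from_bytes(fragment[6:9], "big")
    frag_len = int.from_bytes(fragment[9:12], "big")
    if frag_off != 0 or frag_len != length:
        raise ValueError("fragmented handshake message not supported here")
    body = fragment[12:12 + length]
    if msg_type != CLIENT_HELLO:
        return None
    if len(body) < 36:
        raise ValueError("short ClientHello")
    version, rnd, pos = body[:2], body[2:34], 34
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cookie_len = body[pos]; pos += 1
    return {"version": version, "random": rnd, "session_id": session_id,
            "cookie": body[pos:pos + cookie_len]}


def make_cookie(secret, peer, hello):
    """Stateless cookie: HMAC over the peer address and the ClientHello fields parsed above
    (RFC 6347 4.2.1 also folds in cipher suites and compression; omitted for brevity)."""
    host, port = peer
    msg = host.encode() + struct.pack("!H", port) + hello["version"] + hello["random"] + hello["session_id"]
    return hmac.new(secret, msg, hashlib.sha256).digest()[:32]   # 32 bytes fits DTLS 1.0 and 1.2 limits


def _handshake_record(msg_type, body):
    """Wrap a handshake body (message_seq 0, unfragmented) in handshake and record headers, epoch 0."""
    hs = (bytes([msg_type]) + len(body).to_bytes(3, "big") + b"\x00\x00"
          + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    return bytes([HANDSHAKE]) + DTLS10 + struct.pack("!HHIH", 0, 0, 0, len(hs)) + hs


def build_hello_verify_request(cookie):
    return _handshake_record(HELLO_VERIFY_REQUEST, DTLS10 + bytes([len(cookie)]) + cookie)


def build_client_hello(random32, cookie=b"", session_id=b""):
    """Constructed minimal ClientHello: one PSK suite (TLS_PSK_WITH_AES_128_CCM_8, 0xC0A8), null compression."""
    body = (DTLS12 + random32 + bytes([len(session_id)]) + session_id
            + bytes([len(cookie)]) + cookie + b"\x00\x02\xc0\xa8" + b"\x01\x00")
    return _handshake_record(CLIENT_HELLO, body)


def classify(peer, datagram, sessions, secret):
    """Decide what a datagram on the fixed port means for this peer.
    Returns ('send', HelloVerifyRequest) for a cookie-less ClientHello (no state allocated),
    ('accept', 'new'|'replace') for a ClientHello with a valid cookie (start acting as server;
    'replace' means the peer lost its state, the reboot case in the capture),
    ('deliver', payload) for application data of an established session, else ('drop', b'')."""
    rec = parse_record(datagram)
    if rec["type"] == HANDSHAKE and rec["epoch"] == 0:
        hello = parse_client_hello(rec["fragment"])
        if hello is None:
            return ("drop", b"")   # unsolicited non-ClientHello flight; client-side state machine not modelled
        expected = make_cookie(secret, peer, hello)
        if not hello["cookie"]:
            return ("send", build_hello_verify_request(expected))
        if hmac.compare_digest(hello["cookie"], expected):
            return ("accept", "replace" if peer in sessions else "new")
        return ("drop", b"")       # forged or stale cookie: keep the existing session untouched
    if rec["type"] == APPLICATION_DATA and rec["epoch"] >= 1 and peer in sessions:
        return ("deliver", rec["fragment"])
    return ("drop", b"")


def demo():
    """Replays packets 11-13 of the capture: the server (5684) dials the device (36038)."""
    secret = b"per-boot-cookie-secret"            # constructed; rotate on every restart
    server = ("127.0.0.1", 5684)
    sessions = {server: True}                     # device still believes the old session is live
    rnd = bytes(range(32))                        # constructed ClientHello random
    act1, hvr = classify(server, build_client_hello(rnd), sessions, secret)
    cookie = hvr[28:28 + hvr[27]]                 # cookie sits after 13-byte record + 12-byte hs header + 2-byte version
    act2, how = classify(server, build_client_hello(rnd, cookie=cookie), sessions, secret)
    return act1, act2, how                        # ('send', 'accept', 'replace')


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the endpoint needs no per-peer state until a ClientHello comes back carrying a cookie it can recompute, and only then does it decide whether the handshake is a fresh peer or the known peer restarting; the existing session is torn down only after that check, so an attacker who can spoof the server's source address cannot knock the device off its registration with a single forged datagram. In a real implementation the cookie would also cover the cipher suites and compression methods, and the retried ClientHello must repeat the first one's random and session parameters, which is what makes the HMAC match.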


