[gnutls-help] PSK DTLS

Daiki Ueno ueno at gnu.org
Sun Mar 19 05:11:21 CET 2023


Hello,

mk <mk at cognitivedissonance.ca> writes:

> Does anyone know of any (gnuTLS) examples of DTLS using PSK?

I tried with gnutls-serv and gnutls-cli with the -u option, and
encountered a crash caused by an incorrect usage of
gnutls_psk_server_get_username in gnutls-cli.  After applying a fix for
that[1], I got it working as below:

  psktool -u test -p passwd.psk
  gnutls-serv -u --pskpasswd=passwd.psk --priority=NORMAL:+ECDHE-PSK:+DHE-PSK:+PSK
  gnutls-cli localhost -u -p 5556 --priority NORMAL:-VERS-TLS1.3:+ECDHE-PSK:+DHE-PSK:+PSK --pskusername test --pskkey $(sed -n 's/^test:\(.*\)/\1/p' passwd.psk)

and it works:

  - Description: (DTLS1.2-X.509)-(ECDHE-SECP256R1)-(CHACHA20-POLY1305)
  - Session ID: 43:82:0A:96:74:20:3E:BA:5A:45:59:B8:ED:AA:4D:D7:18:0B:EB:EE:4B:2A:AE:48:1A:46:29:2F:52:33:85:E2
  - PSK authentication. PSK hint ''
  - Options: extended master secret, safe renegotiation,
  - Handshake was completed

> I am working on a C++ network socket library which wraps gnuTLS (the C
> API); TLS and DTLS are working client and server side using X.509, and
> TLS using PSK.  However, DTLS using PSK fails client side during the
> handshake, after the DTLS cookie is sent, with "A packet with illegal
> or unsupported version was received".

Maybe it might be helpful to look at the diagnostic logs, collected with
GNUTLS_DEBUG_LEVEL.

> Existing examples in the manual and online have been invaluable to me
> with the work up to now, but I have been unable to find any for this.

Footnotes:
[1]  https://gitlab.com/gnutls/gnutls/-/merge_requests/1730

Regards,
-- 
Daiki Ueno
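The reply above shows the three commands (psktool, gnutls-serv, gnutls-cli) that exercise DTLS with PSK. Below is an added example, not code from the thread or from the GnuTLS project, that wraps those same commands into a small smoke test: it generates the PSK file, extracts the key the way the reply does, starts the server in the background and checks the client transcript for the "PSK authentication" and "Handshake was completed" lines. It assumes the GnuTLS command-line tools are installed; the username, file name and port are values constructed for this script (the port matches the reply).

```sh
#!/bin/sh
# Added example, not part of the mailing-list thread: a DTLS+PSK smoke test
# that automates the psktool / gnutls-serv / gnutls-cli steps from the reply
# and checks the client transcript for a completed PSK handshake.
# Assumes the GnuTLS command-line tools are on PATH. The username, file name
# and port are constructed for this script (the port matches the reply).

PSK_USER="test"
PSK_FILE="passwd.psk"
PORT=5556
# Priority strings as used in the reply: the server enables the PSK key
# exchanges; the client additionally disables TLS 1.3 versions.
SERV_PRIO="NORMAL:+ECDHE-PSK:+DHE-PSK:+PSK"
CLI_PRIO="NORMAL:-VERS-TLS1.3:+ECDHE-PSK:+DHE-PSK:+PSK"

# psk_key_for_user FILE USER: print the hex key stored for USER in a
# psktool-format file ("user:hexkey" per line); prints nothing if absent.
psk_key_for_user() {
    sed -n "s/^$2:\(.*\)/\1/p" "$1"
}

# handshake_completed TRANSCRIPT: succeed only if gnutls-cli reported both
# PSK authentication and a completed handshake.
handshake_completed() {
    printf '%s\n' "$1" | grep -q 'PSK authentication' &&
        printf '%s\n' "$1" | grep -q 'Handshake was completed'
}

# run_smoke_test: 0 on a successful DTLS+PSK handshake, 1 on failure,
# 2 when the GnuTLS tools are not installed (test skipped).
run_smoke_test() {
    for tool in psktool gnutls-serv gnutls-cli; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "skip: $tool not found" >&2; return 2; }
    done
    tmp=$(mktemp -d) || return 1
    psktool -u "$PSK_USER" -p "$tmp/$PSK_FILE" >/dev/null 2>&1 ||
        { rm -rf "$tmp"; return 1; }
    key=$(psk_key_for_user "$tmp/$PSK_FILE" "$PSK_USER")
    [ -n "$key" ] || { rm -rf "$tmp"; return 1; }
    # Server in the background; -u selects DTLS over UDP, as in the reply.
    gnutls-serv -u -p "$PORT" --pskpasswd="$tmp/$PSK_FILE" \
        --priority="$SERV_PRIO" >"$tmp/serv.log" 2>&1 &
    serv_pid=$!
    sleep 1   # let the server bind the UDP port
    out=$(gnutls-cli localhost -u -p "$PORT" --priority "$CLI_PRIO" \
        --pskusername "$PSK_USER" --pskkey "$key" </dev/null 2>&1)
    kill "$serv_pid" 2>/dev/null
    rm -rf "$tmp"
    handshake_completed "$out"
}

run_smoke_test && echo "DTLS+PSK handshake completed" ||
    echo "smoke test exit status: $?" >&2
```

Run it as `sh dtls-psk-smoke.sh`; exit status 2 means the tools were not found and nothing was tested. Note that, exactly as in the reply's gnutls-cli invocation, the PSK value is passed on the command line and so is visible in the process list while the client runs, which is acceptable for a throwaway test key but not for a production secret.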
