DTLSConnection Id Support

[Codeglitches]

I am submitting a …

• [ ] bug report
• [x] feature request

Description

Connection ID (CID) extension to DTLS is described in RFC 9146 (or draft-ietf-tls-dtls-connection-id-05 for legacy version).

From the mbedtls ssl.h file:

The DTLS CID extension allows the reliable association of DTLS records to DTLS connections across changes in the underlying transport (changed IP and Port metadata) by adding explicit connection identifiers (CIDs) to the headers of encrypted DTLS records. The desired CIDs are configured by the application layer and are exchanged in new ClientHello / ServerHello extensions during the handshake, where each side indicates the CID it wants the peer to use when writing encrypted messages. The CIDs are put to use once records get encrypted: the stack discards any incoming records that don't include the configured CID in their header, and adds the peer's requested CID to the headers of outgoing messages.

The draft (or legacy) version is supported since mbedtls 2.18.0. However the "final" RFC 9146 version is only supported from mbedtls version 3.3.0 onward. Unfortunately, the draft version is not compatible with the final version.

As python-mbeddtls is currently based on the 2.x version of mbedtls, I understand python-mbedtls needs to be ported to the 3.x virsion first. According to issue #46 from July 2021 moving to the 3.x version was in the planning for the future; maybe this could be a reason to make the future happen?

I am interested in helping to add CID support to python-mbedtls, but moving the project to version 3.x of mbedtls will be to much for me.

Current behavior

DTLS CID is not supported

Expected behavior

DTLS CID is supported

[Synss]

Mbedtls 3 support is in progress when I have time.

https://github.com/Synss/python-mbedtls/tree/mbedtls-3.x

It’s actually more work than I expected. I will most likely remove a lot of things from python-mbedtls to concentrate on TLS and DTLS only.