Closed bggov closed 7 months ago
Which peer acts as DTLS client or server (or CoAP client or server), may not match the expectations, if a "role exchange" is used. Californium controls the supported DTLS roles of an peer with DtlsConfig.DTLS_ROLE and supports with DtlsRole: CLIENT_ONLY, SERVER_ONLY and BOTH classic single roles and role exchanges as well. From the past (years ago) I know, that in LwM2M there was discussions, if such an role exchange makes sense or not. AFAIK, leshan is configured to use that "DTLS role exchange" but for more details you may better ask the Leshan project.
Hello @boaks, thank you the quick response and for the advise. Setting the SERVER_ONLY property works for our case
The client is built based on RFC 9147 document, which describes that the client initiates the handshake sending a DTLS ClientHello request to the server, but not the server. That's why the client doesn't handle the server handshake request, but this looks annoying on the client's side.
I think there is a lot of confusion here.
The DTLS specification defines wording :
But this is only DTLS wording.
In you case when you say client in a general way, but I guess you mean LWM2M client. And a LWM2M client doesn't necessarily act as a client for all lower layer.
E.g. :
For DTLS this is less clear, the LWM2M specification v1.0.x says : "The client-server roles of DTLS, which indicate who initiates the DTLS handshake, are independent from the client-server relationship of LwM2M."
LWM2M v1.1.x says : "In LwM2M version 1.1 the LwM2M Client is always the TLS/DTLS client." (But it seems it is only about LWM2M client / LWM2M Bootstrap server relation)
So just to says that RFC 9147 doesn't say anything about who should initiate a handshake at CoAP or LWM2M level.
For a LWM2M client, only LWM2M specification should define this and AFAIK this is still unclear which DTLS role should have a LWM2M client or server. (more discussion about that at : https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/410)
I think there is a lot of confusion here.
That may even start with RFC 9147, while Californium/Scandium implements RFC6347.
Anyway, if someone has doubts about the benefit from initiating handshakes from the LwM2M server (maybe, because the LwM2M client is not able to act as DTLS server), then it may be switched off, if the upper layer allows to do so.
So the main question is, if leshan (the upper layer) supports to run the LwM2M server as DTLS SERVER_ONLY or not. But that's a question for the leshan project and therefore I recommended to ask the leshan project for more details.
That may even start with RFC 9147, while Californium/Scandium implements RFC6347.
Right.
Anyway, if someone has doubts about the benefit from initiating handshakes from the LwM2M server (maybe, because the LwM2M client is not able to act as DTLS server), then it may be switched off, if the upper layer allows to do so.
I agree that role exchange is not always useful. (e.g. In Leshan it is deactivated for Bootstrap Server) And I would be happy to have a better solution than this for https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/410.
So the main question is, if leshan (the upper layer) supports to run the LwM2M server as DTLS SERVER_ONLY or not. But that's a question for the leshan project and therefore I recommended to ask the leshan project for more details.
Short answer : yes it does. You can switch DTLS_ROLE globally when using Californium Endpoint Provider. And you can even do that request by request.
I can also confirm that Leshan support setting DTLS_ROLE or any other Californium properties settings. We're using our own implementation of the Leshan server and it also any Californium properties so we can configure both Leshan and Californium.
In our case the client (I mean LWM2M client, but not Leshan LWM2M) is implemented in a way so it operates only in a client mode. That's why the understanding from client side regarding RFC 9147 is that the client is supposed to send ClientHello handshak requests, but not to handle the same requests sent from the other side. In this case the understanding for the LWM2M server is that it operates from a DTLS perspective only as a server. That's why having the the possibility to set the LWM2M server as a DTLS SERVER_ONLY is an extraordinary feature, and having the possibility to set this trough the Leshan is really great! Thank you again @boaks and @sbernard31 for the support and the followup :+1:
operates only in a client mode.
Just to be precise: any LwM2M client implements also a CoAP-server ;-).
Though UDP doesn't require to stick to a specific client or server role (in opposite to TCP), a implementation may decide to support such a DTLS role exchange or not. The left question is then more, if the ip-layer will transport the ip-message to the other peer and in many network setups, this is only valid for a short period without message exchanges. That's the pain, and therefore the DTLS role exchange isn't used too frequently. Anyway, the most other DTLS implementation are derived from a TLS implementation and therefore they stick to the roles as they are used from TLS and so didn't consider to implement a role exchange. Both, the ip-layer and the TLS-implementation limits then cause, that it is not common.
Thank you again @boaks and @sbernard31 for the support and the followup 👍
You're welcome :slightly_smiling_face:
Both, the ip-layer and the TLS-implementation limits then cause, that it is not common.
Agree with that.
We're running a LWM2M server based on Leshan and Californium. Many of the clients connected to the server are using secured connection trough DTLS, but on some of the clients, maybe because of some network issues, the client suddenly deregisters from the server and immediately terminates the DTLS session. After that the server tries to send a successful deregistration response to the client, but as the client has already closed the DTLS session, this leads Californium to try to do a new handshake with the client.
The client is built based on RFC 9147 document, which describes that the client initiates the handshake sending a DTLS ClientHello request to the server, but not the server. That's why the client doesn't handle the server handshake request, but this looks annoying on the client's side.
Currently I didn't found a proper way to control Californium whether it's has to initiate a DTLS handshake or not. That's why when Californium is running on a server side and DTLS session was closed by the client, I would like to ask you:
Please see also the attached log snippet below:
Information ahead to speed up the processing of issues: