Closed kkonieczny-avs closed 2 weeks ago
Yes,
```java
if (clientExtensions == null || clientExtensions.isEmpty()) {
    throw new HandshakeException("Server wants extensions, but client not!",
            new AlertMessage(AlertLevel.FATAL, AlertDescription.UNSUPPORTED_EXTENSION));
} else {
    for (HelloExtension serverExtension : serverExtensions.getExtensions()) {
        if (clientExtensions.getExtension(serverExtension.getType()) == null) {
            if (serverExtension.getType() == HelloExtension.ExtensionType.RENEGOTIATION_INFO) {
                hasRenegotiationInfoExtension = true;
                if (secureRenegotiation != DtlsSecureRenegotiation.NONE) {
                    continue;
                }
            }
            throw new HandshakeException(
                    "Server wants " + serverExtension.getType() + ", but client didn't propose it!",
                    new AlertMessage(AlertLevel.FATAL, AlertDescription.UNSUPPORTED_EXTENSION));
        }
    }
}
```
In the case of empty client extensions, the special handling of RENEGOTIATION_INFO isn't applied ;-). Requires a fix.
As a workaround, please enable the extended master secret extension:
```properties
# DTLS extended master secret mode.
# [NONE, OPTIONAL, ENABLED, REQUIRED].
# Default: ENABLED
DTLS.EXTENDED_MASTER_SECRET_MODE=ENABLED
```
Or enable the DTLS CID extension ;-).
See PR #2262
If possible, please retest with that PR.
It works for me, thank you.
You're welcome.
Any request as to when the fix should be released (minor or bugfix)?
I would prefer BUGFIX, but if it's a problem MINOR will be sufficient.
It's more a question about the timeline ...
Anyway, though you found the next ... I'm considering postponing it until we have a couple of fixes collected ;-).
The minor release is scheduled, see issue #2285
I am using the Californium client and server in version 3.12.1. An error occurs if the client sends no extensions in the ClientHello but requests secure renegotiation by adding TLS_EMPTY_RENEGOTIATION_INFO_SCSV to its cipher suites. The server adds the secure_renegotiation extension to the ServerHello as requested, but the client throws an unsupported extension error and terminates the connection. Both client and server use DtlsSecureRenegotiation.WANTED. I believe this error is thrown in ClientHandshaker.java at line 497. I have zipped the .pcapng file, because GitHub doesn't support that extension. secure_renegotation_bug.pcapng.zip
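The exchange from the report above (no ClientHello extensions, TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher suites, renegotiation_info in the ServerHello) and the control flow quoted in the reply, modelled in Python as an added example. This is not Californium's code and not the change in PR #2262: `check_server_extensions_buggy` mirrors the quoted Java, and `check_server_extensions_fixed` is one way to accept an SCSV-signalled renegotiation_info while still rejecting unsolicited extensions and a non-empty renegotiated_connection on an initial handshake (RFC 5746 section 3.4). The `Hello` and `SecureRenegotiation` types, the `run` helper, the NEEDED semantics and the constructed messages are assumptions made for the example.

```python
"""Standalone model of the ServerHello extension check for RFC 5746 secure
renegotiation (added example, not Californium's code)."""
from dataclasses import dataclass, field
from enum import Enum

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746 section 3.3
RENEGOTIATION_INFO = 0xFF01                  # extension type, RFC 5746 section 3.2
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE  # a real suite for the sample, RFC 7251
EXTENDED_MASTER_SECRET = 0x0017              # RFC 7627, used as "unsolicited extension"


class SecureRenegotiation(Enum):
    """Assumed policy values, named after Californium's DtlsSecureRenegotiation."""
    NONE = "NONE"      # ignore the mechanism entirely
    WANTED = "WANTED"  # use it when the peer offers it
    NEEDED = "NEEDED"  # abort if the peer does not offer it (assumed semantics)


class HandshakeException(Exception):
    def __init__(self, message, alert="unsupported_extension"):
        super().__init__(message)
        self.alert = alert


@dataclass
class Hello:
    cipher_suites: list
    extensions: dict = field(default_factory=dict)  # extension type -> payload bytes


def check_server_extensions_buggy(client, server, mode):
    """Control flow as quoted in the thread: an empty client extension list
    throws before the per-extension loop, so the RENEGOTIATION_INFO special
    case is never reached."""
    if not server.extensions:          # assumed outer guard: nothing to check
        return False
    has_renegotiation_info = False
    if not client.extensions:
        raise HandshakeException("Server wants extensions, but client not!")
    for ext_type in server.extensions:
        if ext_type not in client.extensions:
            if ext_type == RENEGOTIATION_INFO:
                has_renegotiation_info = True
                if mode != SecureRenegotiation.NONE:
                    continue
            raise HandshakeException(
                f"Server wants {ext_type:#06x}, but client didn't propose it!")
    return has_renegotiation_info


def check_server_extensions_fixed(client, server, mode, initial_handshake=True):
    """Same rule, but the loop also runs for an empty client extension list.
    renegotiation_info is accepted only if the client signalled support
    (extension or SCSV), and on an initial handshake its renegotiated_connection
    field must be empty (RFC 5746 section 3.4, fatal handshake_failure)."""
    has_renegotiation_info = False
    client_signalled = (RENEGOTIATION_INFO in client.extensions
                        or TLS_EMPTY_RENEGOTIATION_INFO_SCSV in client.cipher_suites)
    for ext_type, payload in server.extensions.items():
        if ext_type == RENEGOTIATION_INFO:
            if mode == SecureRenegotiation.NONE or not client_signalled:
                raise HandshakeException(
                    "Server wants renegotiation_info, but client didn't propose it!")
            if initial_handshake and payload != b"":
                raise HandshakeException(
                    "renegotiated_connection must be empty on an initial handshake",
                    alert="handshake_failure")
            has_renegotiation_info = True
            continue
        if ext_type not in client.extensions:
            raise HandshakeException(
                f"Server wants {ext_type:#06x}, but client didn't propose it!")
    if mode == SecureRenegotiation.NEEDED and not has_renegotiation_info:
        raise HandshakeException("peer does not support secure renegotiation",
                                 alert="handshake_failure")
    return has_renegotiation_info


def scenario_from_report():
    """Constructed messages matching the report: no ClientHello extensions,
    SCSV in the cipher suites, server answers with an empty renegotiation_info."""
    client = Hello(cipher_suites=[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                                  TLS_EMPTY_RENEGOTIATION_INFO_SCSV])
    server = Hello(cipher_suites=[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8],
                   extensions={RENEGOTIATION_INFO: b""})
    return client, server


def run(check, client, server, mode=SecureRenegotiation.WANTED, **kw):
    """Return ('ok', flag) or ('alert', description) for one check function."""
    try:
        return ("ok", check(client, server, mode, **kw))
    except HandshakeException as e:
        return ("alert", e.alert)


if __name__ == "__main__":
    c, s = scenario_from_report()
    print("buggy:", run(check_server_extensions_buggy, c, s))
    print("fixed:", run(check_server_extensions_fixed, c, s))
```

Running the module prints the two outcomes for the reported exchange: the quoted control flow aborts with unsupported_extension, while the reworked check returns True (secure renegotiation negotiated). The other branches of the fixed check (unsolicited extension, NONE policy, non-empty renegotiated_connection, NEEDED without a server offer) are the cases a practitioner should keep covered when touching this code.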