eclipse-leshan / leshan

Java Library for LWM2M
https://www.eclipse.org/leshan/
BSD 3-Clause "New" or "Revised" License

Californium DTLS failed to handshake #1668

Open hlkn opened 2 weeks ago

hlkn commented 2 weeks ago

Question

Here is my test setup for two scenarios:

I did test for both release versions:

1.5.0 and 2.0.0-M16

And the same result happened on both releases.

Could you help with the DTLS configuration so that the BS server will not interfere with the Registration Update?

I am looking forward to hearing from you, and thank you for your help in advance. Henry Nguyen

  1. BS and DM application run on different servers: DID NOT work

     BS Server (bootstrap) runs on bs.local=192.168.68.57/wp=8080/lp=5683/slp=5684. BS is configured to support Id=IOTS-01 PSK=1A2B3C4D and coaps://bs.local:5684/coaps://dm.local:5684

     DM server (Device Management) runs on dm.local=192.168.68.58/lp=5683/slp=5684. DM is configured to support Id=IOTS-01 PSK=1A2B3C4D

     DTLS for bootstrap works; DTLS for registration update fails. The Client IOTS-01 sends Client Hello but the BS sends Hello Verify to IOTS-01. The Client IOTS-01 expects the DM to send the Hello Verify.

  2. BS and DM application run on the same server: works

     BS Server (bootstrap) runs on bs.local=192.168.68.57/wp=8080/lp=5683/slp=5684. BS is configured to support Id=IOTS-01 PSK=1A2B3C4D and coaps://bs.local:6684/coaps://dm.local:6684

     DM server (Device Management) runs on bs.local=192.168.68.57/wp=9080/lp=6683/slp=6684. DM is configured to support Id=IOTS-01 PSK=1A2B3C4D

     DTLS for bootstrap works; DTLS for registration update works. The Client IOTS-01 sends Client Hello and the DM sends Hello Verify to IOTS-01.

LeshanPoCSetup.pdf

captureinpcapngaa.zip captureinpcapngab.zip captureinpcapngac.zip

sbernard31 commented 1 week ago

Hi,

  1. Why using 2.0.0-M6 and not most recent one ?
  2. Which client are you using ?

I try to download your captures but :

hlkn commented 2 days ago

Hi Leshan Gatekeepers,

  1. "Why using 2.0.0-M6 and not most recent one ?" I am using 2.0.0-M16 and I am also using 1.5.0. Both releases behave the same, that is, DTLS handshaking failed.

  2. "Which client are you using?" I am using the leshan-demo-client code provided.

  1. "Using same ID/PSK for bootstrap server and dm server is OK for test but not really a good idea in production" - Thank you for remind about using different PSK ID/KEY for Production.

  2. I will provide you better Wireshark capture.

  3. Do you have a chance to look at the PDF file with a few diagrams to illustrate the issue? I am sure that DTLS failed to handshake. Why? It is because if I set up both Bootstrap application and Device Management application running in the same server, everything works fine, but if I set up Bootstrap application and Device Management application the Bootstrap will interfere with the DTLS process. I will try to set up another scenario where the PSK ID/KEY will be different for Bootstrap and Device Management if possible.

Regards, Henry

hlkn commented 2 days ago

Hi Leshan Gatekeepers,

Here is my Wireshark file.

capturefile.pcapng.zip

Regards, Henry

PS. I used the same file but apply filter like coap port 5683 and coaps port 5684.

sbernard31 commented 2 days ago

Just to let you know, it is not recommended to use 2.0.0-M6 for security reasons. See : https://github.com/eclipse-leshan/leshan/security/policy#versions-security-state

As you said, the source IP address of HELLO_VERIFY_REQUEST seems not good. You got the capture at client side, right? My guess is this is a network configuration issue and this is not related to Leshan or Scandium (the DTLS library used).

> I will try to set up another scenarios where the PSK ID/KEY will be different for Bootstrap and Device Management if possible.

I doubt this will solve the issue.

Just to be sure, I tested with a leshan-client-demo 1.5.0 on Leshan sandbox and it works as expected :

❯ java -jar leshan-client-demo-1.5.0.jar  -n "IOTS-01" -i "IOTS-01" -p "1A2B3C4D" -b -u "leshan.eclipseprojects.io:5784"                                                                            

2024-11-15 11:22:53,850 INFO LeshanClientDemo - Commands available :

  - create <objectId> : to enable a new object.
  - delete <objectId> : to disable a new object.
  - update : to trigger a registration update.
  - w : to move to North.
  - a : to move to East.
  - s : to move to South.
  - d : to move to West.

2024-11-15 11:22:53,851 INFO LeshanClient - Starting Leshan client ...
2024-11-15 11:22:53,858 INFO LeshanClient - Leshan client[endpoint:IOTS-01] started.
2024-11-15 11:22:53,858 INFO DefaultRegistrationEngine - Trying to start bootstrap session to coaps://leshan.eclipseprojects.io:5784 ...
2024-11-15 11:22:54,490 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://leshan.eclipseprojects.io:5784 at coaps://[0:0:0:0:0:0:0:0]:46774
2024-11-15 11:22:54,522 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2024-11-15 11:22:54,794 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : SUCCEED
2024-11-15 11:22:54,874 INFO DefaultRegistrationEngine - Bootstrap started
2024-11-15 11:22:55,077 DEBUG Security - Write on Security resource /0/0/0
2024-11-15 11:22:55,077 DEBUG Security - Write on Security resource /0/0/1
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/2
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/3
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/4
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/5
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/6
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/7
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/8
2024-11-15 11:22:55,078 DEBUG Security - Write on Security resource /0/0/9
2024-11-15 11:22:55,079 DEBUG Security - Write on Security resource /0/0/11
2024-11-15 11:22:55,079 DEBUG Security - Write on Security resource /0/0/12
2024-11-15 11:22:55,157 DEBUG Security - Write on Security resource /0/1/0
2024-11-15 11:22:55,157 DEBUG Security - Write on Security resource /0/1/1
2024-11-15 11:22:55,158 DEBUG Security - Write on Security resource /0/1/2
2024-11-15 11:22:55,158 DEBUG Security - Write on Security resource /0/1/3
2024-11-15 11:22:55,158 DEBUG Security - Write on Security resource /0/1/4
2024-11-15 11:22:55,159 DEBUG Security - Write on Security resource /0/1/5
2024-11-15 11:22:55,159 DEBUG Security - Write on Security resource /0/1/6
2024-11-15 11:22:55,159 DEBUG Security - Write on Security resource /0/1/7
2024-11-15 11:22:55,160 DEBUG Security - Write on Security resource /0/1/8
2024-11-15 11:22:55,160 DEBUG Security - Write on Security resource /0/1/9
2024-11-15 11:22:55,161 DEBUG Security - Write on Security resource /0/1/10
2024-11-15 11:22:55,161 DEBUG Security - Write on Security resource /0/1/11
2024-11-15 11:22:55,161 DEBUG Security - Write on Security resource /0/1/12
2024-11-15 11:22:55,232 DEBUG Server - Write on Server resource /1/0/0
2024-11-15 11:22:55,233 DEBUG Server - Write on Server resource /1/0/1
2024-11-15 11:22:55,233 DEBUG Server - Write on Server resource /1/0/2
2024-11-15 11:22:55,234 DEBUG Server - Write on Server resource /1/0/6
2024-11-15 11:22:55,234 DEBUG Server - Write on Server resource /1/0/7
2024-11-15 11:22:55,380 INFO DefaultRegistrationEngine - Bootstrap finished coaps://leshan.eclipseprojects.io:5784.
2024-11-15 11:22:55,384 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://leshan.eclipseprojects.io:5684 at coaps://[0:0:0:0:0:0:0:0]:39580
2024-11-15 11:22:55,385 INFO DefaultRegistrationEngine - Trying to register to coaps://leshan.eclipseprojects.io:5684 ...
2024-11-15 11:22:55,388 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2024-11-15 11:22:55,560 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : SUCCEED
2024-11-15 11:22:55,614 INFO DefaultRegistrationEngine - Registered with location '/rd/FudLE87GM6'.
2024-11-15 11:22:55,615 INFO DefaultRegistrationEngine - Next registration update to coaps://leshan.eclipseprojects.io:5684 in 53s...
2024-11-15 11:23:00,721 INFO LeshanClient - Destroying Leshan client ...
2024-11-15 11:23:00,722 INFO DefaultRegistrationEngine - Trying to deregister to coaps://leshan.eclipseprojects.io:5684 ...
2024-11-15 11:23:00,778 INFO DefaultRegistrationEngine - De-register response DELETED null.
2024-11-15 11:23:00,781 INFO LeshanClient - Leshan client destroyed.

hlkn commented 23 hours ago

Hi Leshan Gatekeepers,

I am not sure why you keep on saying that "Just to let you know, it is not recommended to use 2.0.0-M6 for security reason. See : https://github.com/eclipse-leshan/leshan/security/policy#versions-security-state"

I am using the lesion-2.0.0-M16 (M16 sixteen not M6 six).

I believe that the problem may be happening at the registration update, not at the bootstrap. The client performs the bootstrap operation correctly, but when the client performs registration update the DTLS fails to function because the bootstrap server interferes with the DTLS handshaking. Please refer to the PDF document for the setup and the Wireshark trace to see the DTLS failure.

bs.local=192.168.68.57 dm.local=192.168.68.58 iots-01=192.168.68.51

    No.  Time      Source        Destination   Protocol Length Info
    6431 12.156966 192.168.68.51 192.168.68.57 DTLSv1.2 119 Client Hello
    6432 12.162438 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
    6433 12.164259 192.168.68.51 192.168.68.57 DTLSv1.2 151 Client Hello
    6434 12.165444 192.168.68.57 192.168.68.51 DTLSv1.2 162 Server Hello, Server Hello Done
    6435 12.184449 192.168.68.51 192.168.68.57 DTLSv1.2 143 Client Key Exchange, Change Cipher Spec, Finished
    6436 12.192381 192.168.68.57 192.168.68.51 DTLSv1.2 109 Change Cipher Spec, Finished
    6437 12.193665 192.168.68.51 192.168.68.57 CoAP 105 CON, MID:24550, POST, TKN:34 a4 59 57 23 19 38 d8, /bs?pct=112&ep=IOTS-01
    6438 12.195977 192.168.68.57 192.168.68.51 CoAP 83 ACK, MID:24550, 2.04 Changed, TKN:34 a4 59 57 23 19 38 d8, /bs
    6439 12.197246 192.168.68.57 192.168.68.51 CoAP 85 CON, MID:63682, DELETE, TKN:f0 a3 81 eb 66 4a 6c ad, /0
    6440 12.203849 192.168.68.51 192.168.68.57 CoAP 83 ACK, MID:63682, 2.02 Deleted, TKN:f0 a3 81 eb 66 4a 6c ad, /0
    6443 12.211932 192.168.68.57 192.168.68.51 CoAP 85 CON, MID:63683, DELETE, TKN:d8 54 cb e5 82 8e ec 58, /1
    6444 12.212601 192.168.68.51 192.168.68.57 CoAP 83 ACK, MID:63683, 2.02 Deleted, TKN:d8 54 cb e5 82 8e ec 58, /1
    6445 12.222322 192.168.68.57 192.168.68.51 CoAP 157 CON, MID:63684, PUT, TKN:14 c3 c4 fb ef 70 5c 20, /0/0
    6446 12.227191 192.168.68.51 192.168.68.57 CoAP 83 ACK, MID:63684, 2.04 Changed, TKN:14 c3 c4 fb ef 70 5c 20, /0/0
    6447 12.244935 192.168.68.57 192.168.68.51 CoAP 157 CON, MID:63685, PUT, TKN:1c e2 5a 3e 82 c8 44 cd, /0/1
    6448 12.247268 192.168.68.51 192.168.68.57 CoAP 83 ACK, MID:63685, 2.04 Changed, TKN:1c e2 5a 3e 82 c8 44 cd, /0/1
    6449 12.251552 192.168.68.57 192.168.68.51 CoAP 107 CON, MID:63686, PUT, TKN:20 98 9f 39 aa ab 2d ce, /1/0
    6450 12.252736 192.168.68.51 192.168.68.57 CoAP 83 ACK, MID:63686, 2.04 Changed, TKN:20 98 9f 39 aa ab 2d ce, /1/0
    6451 12.257932 192.168.68.57 192.168.68.51 CoAP 86 CON, MID:63687, POST, TKN:78 b3 4e 12 bc be 7e df, /bs
    6458 12.259032 192.168.68.51 192.168.68.57 CoAP 75 ACK, MID:63687, Empty Message
    6459 12.260470 192.168.68.51 192.168.68.57 CoAP 83 CON, MID:24551, 2.04 Changed, TKN:78 b3 4e 12 bc be 7e df, /bs
    6460 12.263188 192.168.68.57 192.168.68.51 CoAP 75 ACK, MID:24551, Empty Message
    6527 17.289198 192.168.68.51 192.168.68.58 DTLS 119 Client Hello
    6528 17.289770 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
    6551 19.295199 192.168.68.51 192.168.68.58 DTLS 119 Client Hello
    6552 19.296286 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request

Bootstrap operation works fine:

    6431 12.156966 192.168.68.51 192.168.68.57 DTLSv1.2 119 Client Hello
    6432 12.162438 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
    6433 12.164259 192.168.68.51 192.168.68.57 DTLSv1.2 151 Client Hello
    6434 12.165444 192.168.68.57 192.168.68.51 DTLSv1.2 162 Server Hello, Server Hello Done

After a successful bootstrap the client will perform registration update. That is when the DTLS operation fails:

    6527 17.289198 192.168.68.51 192.168.68.58 DTLS 119 Client Hello                  // Client says Hello to the dm.local
    6528 17.289770 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request      // Bootstrap says Hello Verify Request -- It should be the DeviceManagement says Hello Verify Request
    6551 19.295199 192.168.68.51 192.168.68.58 DTLS 119 Client Hello                  // Client now says Hello to the Bootstrap
    6552 19.296286 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request      // Bootstrap says Hello Verify Request to the Client.

I will capture the Wireshark on the client for you.

Regards, Henry
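A check for the symptom the capture above shows, as an added example that is not part of this issue, of the leshan-client-demo, or of Leshan/Scandium: it parses a Wireshark-style packet listing (the sample lines are constructed from the frames quoted in the thread; the column order No./Time/Source/Destination/Protocol/Length/Info is assumed) and pairs each Client Hello with the next DTLS message delivered back to the client, reporting replies whose source is not the server the client addressed. In a healthy DTLS 1.2 flow the Hello Verify Request and Server Hello come from the address the Client Hello was sent to, so on a capture taken at the client such a pair is exactly what sbernard31 suggests looking at: a Hello Verify Request from 192.168.68.57 after a Client Hello to 192.168.68.58 points at how the packet was routed or rewritten between the hosts, not at the DTLS stack.

```python
"""Added example (not code from the issue or from Leshan): scan a Wireshark
text listing of a DTLS handshake and flag server replies that arrive from an
address other than the one the client sent its Client Hello to."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the packet listing quoted in the issue.
# Column order assumed: No. Time Source Destination Protocol Length Info.
SAMPLE_CAPTURE = """\
6431 12.156966 192.168.68.51 192.168.68.57 DTLSv1.2 119 Client Hello
6432 12.162438 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
6433 12.164259 192.168.68.51 192.168.68.57 DTLSv1.2 151 Client Hello
6434 12.165444 192.168.68.57 192.168.68.51 DTLSv1.2 162 Server Hello, Server Hello Done
6437 12.193665 192.168.68.51 192.168.68.57 CoAP 105 CON, MID:24550, POST, TKN:34 a4 59 57 23 19 38 d8, /bs?pct=112&ep=IOTS-01
6527 17.289198 192.168.68.51 192.168.68.58 DTLS 119 Client Hello
6528 17.289770 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
6551 19.295199 192.168.68.51 192.168.68.58 DTLS 119 Client Hello
6552 19.296286 192.168.68.57 192.168.68.51 DTLSv1.2 102 Hello Verify Request
"""

# One packet per line; only DTLS* and CoAP rows are of interest here.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(DTLS\S*|CoAP)\s+(\d+)\s+(.*?)\s*$"
)


@dataclass
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_capture(text: str) -> List[Packet]:
    """Parse a packet listing; lines that do not match the column layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, t, src, dst, proto, length, info = m.groups()
            packets.append(Packet(int(no), float(t), src, dst, proto, int(length), info))
    return packets


def find_mismatched_replies(packets: List[Packet], client_ip: str) -> List[Tuple[Packet, Packet]]:
    """Pair each Client Hello sent by client_ip with the next DTLS message delivered
    back to the client, and return the pairs whose reply does not come from the
    address the Client Hello was sent to.  The Hello Verify Request is the
    server's stateless cookie challenge (RFC 6347), so a mismatch here means the
    challenge was answered by a host the client never addressed."""
    mismatches = []
    pending: Optional[Packet] = None  # last unanswered Client Hello from the client
    for p in packets:
        if p.src == client_ip and p.proto.startswith("DTLS") and p.info.startswith("Client Hello"):
            pending = p
        elif p.dst == client_ip and p.proto.startswith("DTLS") and pending is not None:
            if p.src != pending.dst:
                mismatches.append((pending, p))
            pending = None
    return mismatches


def describe(hello: Packet, reply: Packet) -> str:
    """Human-readable one-liner for one mismatched pair."""
    return (f"frame {hello.no}: Client Hello to {hello.dst}; "
            f"frame {reply.no}: '{reply.info}' answered from {reply.src}")


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for hello, reply in find_mismatched_replies(pkts, "192.168.68.51"):
        print(describe(hello, reply))
```

Run against a listing exported from Wireshark (File > Export Packet Dissections > As Plain Text, with the default columns), the script reports the two frames 6527/6528 and 6551/6552 and nothing for the bootstrap handshake, which separates "the DTLS cookie exchange is broken" from "the reply is coming from the wrong host" before any Leshan or Scandium setting is touched.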