dtls.c: force_renegotiation_info is always set

[mrdeep1]

If a DTLS client talks to a TinyDTLS server, but does not send any renegotiation information (i.e. no TLS_EMPTY_RENEGOTIATION_INFO_SCSV) in the ClientHello, then when the server calls dtls_check_tls_extension(), this returns an error.

dtls_check_tls_extension(...)
....
  if (config->user_parameters.force_renegotiation_info) {
     if (!config->renegotiation_info) {
       goto error;
     }
  }

Found when running a client using wolfSSL.

Any reason why force_renegotiation_infoshould be set for a server?

[boaks]

Could you please explain your case?

I guess this is related to issues #175 and #176 and PR #181.

If the client doesn't support RFC5746 then usually you need to configure your server in an way considered to be "unsecure". So, why do you need to support a client without RFC5746 support?

[boaks]

Just in the case, someone really wants to support "non RFC5746" peers:

Tinydtls uses the dtls_user_parameters_t to configure the behavior. The defaults are here and a user-callback enables to adjust this default values.

[mrdeep1]

I had latched on to renegotiation being dropped for TLS1.3 and did not think this properly through. I have found that I need to call a function in wolfSSL to make things work as expected when talking to TinyDTLS.

[boaks]

Thanks for clarifying.

The pain of the protection against renegotiation attacks is, that is required (at least considered to be required) to use the extension even if renegotiation isn't supported. Therefore it's enabled by default, but may be switched off, if required and the trade offs are clear.