obgm / libcoap

A CoAP (RFC 7252) implementation in C

Specific api for setting the DTLS version #1461

Open Prashaanth06 opened 2 weeks ago

Prashaanth06 commented 2 weeks ago

I am trying to figure out whether the libcoap library uses DTLS 1.2, or what exactly it uses. I verified from the libcoap code that the minimum version required is set to DTLS1_2_VERSION, but what is it exactly?

I have client code which is almost the same as the libcoap_minimal client with DTLS enabled, and I have set these based on my requirements:

```c
dtls.version = COAP_DTLS_PKI_SETUP_VERSION;
dtls.verify_peer_cert = 0;        // Verify peer certificate
dtls.check_common_ca = 0;         // Require a server certificate
dtls.allow_self_signed = 1;       // Allow self signed certificate
dtls.allow_expired_certs = 1;     // No expired certificates
dtls.cert_chain_validation = 1;   // Validate the chain
dtls.check_cert_revocation = 0;   // Check the revocation list
dtls.cert_chain_verify_depth = 2; // Depth of validation.
dtls.pki_key.key_type = COAP_PKI_KEY_DEFINE;
```

When I run my client I can see these logs in Wireshark from the libcoap library (screenshot not reproduced):

I understand that these logs are generated by libcoap, but is there any log in libcoap where I can get the DTLS version used?

(screenshot not reproduced)

Likewise, will I be able to get the DTLS version printed in the logs? I am aiming to address these two points:

I need to check and confirm the version of DTLS being used. Any DTLS connection with a version less than 1.2 should be rejected by the CoAP DTLS server. (Here I understand that we have already set the DTLS version to 1.2 using the SSL_CTX_set_min_proto_version API, but using a DTLS client, will I be able to set some specific version so that my server will reject the connection, throwing a log that the DTLS version is unsupported? Do you see any possibility here?)

mrdeep1 commented 2 weeks ago

Unless you are using the wolfSSL TLS library, only DTLS 1.2 will get negotiated and used for any DTLS session. This is enforced in the OpenSSL library by calling SSL_CTX_set_min_proto_version().

You can try using OpenSSL's s_client to force different protocol versions against a libcoap server run as `examples/coap-server -k 1234`:

```
openssl s_client -dtls1_2 -psk 61626364 -connect 127.0.0.1:5684
```

As mentioned in #1285:

> I don't see why someone cannot come up with a libcoap public API which gives the ability to define min/max (D)TLS versions (stored in coap_context_t). These values are then used when initiating (D)TLS. Whatever is done needs to be generic enough to support the different ways that all the libcoap supported TLS libraries implement the max/min protos.

Prashaanth06 commented 2 weeks ago

> Unless you are using the wolfSSL TLS library, only DTLS1.2 will get negotiated and used for any DTLS session. This is enforced in the OpenSSL library by calling SSL_CTX_set_min_proto_version().

How do you arrive at this first statement? Can I print the DTLS version and check, or can I add logs somewhere to check this?

SSLv3/TLS is TLS 1.1, if I am not wrong; how does it relate to DTLS here? Could you please explain, it's a bit confusing for me. I am okay to go with DTLS 1.2, I don't want to upgrade, but I want to print that somewhere so that I can be sure that I have met my requirement.

mrdeep1 commented 2 weeks ago

Excellent - good detective work.

Prashaanth06 commented 2 weeks ago

I am trying to set the client min_proto version to DTLS1_version and the server min_proto_version to DTLS1_2_version. My expectation here is that when the client requests the server with DTLS1_version, the server should reject it in the handshake part itself and the session should end. But what's happening here is a little weird:

Server logs:

```
Jul 12 05:59:04.807 DEBG created DTLS endpoint 127.0.0.1:9909
MOSS:::: before coap_handle_dgram_for_proto
Jul 12 05:59:23.895 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: session 0x5b8b20: new incoming session
Jul 12 05:59:23.896 DEBG EVENT: COAP_EVENT_SERVER_SESSION_NEW
Jul 12 05:59:23.896 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: recv 267 bytes
Jul 12 05:59:23.896 INFO 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: recv 267 bytes ::::: pkt: þÿ, coap_read_endpoint 16 fe ff 0 0 0 0 0 0 0 0 0 fe 1 0 0 f2 0 0 0 0 0 0 0 f2 fe fd 2b 3c 22 12 9 98 31 a8 35 e8 21 36 9d 86 ea d1 69 30 bb f f 16 7f a4 bd 55 e0 b5 8a aa b 81 0 0 0 70 c0 2c c0 30 0 a3 0 9f cc a9 cc a8 cc aa c0 af c0 ad c0 a3 c0 9f c0 5d c0 61 c0 57 c0 53 c0 2b c0 2f 0 a2 0 9e c0 ae c0 ac c0 a2 c0 9e c0 5c c0 60 c0 56 c0 52 c0 24 c0 28 0 6b 0 6a c0 73 c0 77 0 c4 0 c3 c0 23 c0 27 0 67 0 40 c0 72 c0 76 0 be 0 bd 0 9d c0 a1 c0 9d c0 51 0 9c c0 a0 c0 9c c0 50 0 3d 0 c0 0 3c 0 ba 0 ff 1 0 0 58 0 b 0 4 3 0 1 2 0 a 0 c 0 a 0 1d 0 17 0 1e 0 19 0 18 0 23 0 0 0 16 0 0 0 17 0 0 0 d 0 30 0 2e 4 3 5 3 6 3 8 7 8 8 8 9 8 a 8 b 8 4 8 5 8 6 4 1 5 1 6 1 3 3 2 3 3 1 2 1 3 2 2 2 4 2 5 2 6 2
Jul 12 05:59:23.900 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: sent 60 bytes
MOSS:::: before coap_handle_dgram_for_proto
Jul 12 05:59:24.902 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: recv 299 bytes
Jul 12 05:59:24.903 INFO 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: recv 299 bytes ::::: pkt: þÿ, coap_read_endpoint 16 fe ff 0 0 0 0 0 0 0 1 1 1e 1 0 1 12 0 1 0 0 0 0 1 12 fe fd 2b 3c 22 12 9 98 31 a8 35 e8 21 36 9d 86 ea d1 69 30 bb f f 16 7f a4 bd 55 e0 b5 8a aa b 81 0 20 4 f7 da 3 e7 35 db 59 af d5 66 d3 3f 2d 53 fa 81 18 ed 5d e7 81 ef d9 4b 5d 8c fd 2c 1 d6 4f 0 70 c0 2c c0 30 0 a3 0 9f cc a9 cc a8 cc aa c0 af c0 ad c0 a3 c0 9f c0 5d c0 61 c0 57 c0 53 c0 2b c0 2f 0 a2 0 9e c0 ae c0 ac c0 a2 c0 9e c0 5c c0 60 c0 56 c0 52 c0 24 c0 28 0 6b 0 6a c0 73 c0 77 0 c4 0 c3 c0 23 c0 27 0 67 0 40 c0 72 c0 76 0 be 0 bd 0 9d c0 a1 c0 9d c0 51 0 9c c0 a0 c0 9c c0 50 0 3d 0 c0 0 3c 0 ba 0 ff 1 0 0 58 0 b 0 4 3 0 1 2 0 a 0 c 0 a 0 1d 0 17 0 1e 0 19 0 18 0 23 0 0 0 16 0 0 0 17 0 0 0 d 0 30 0 2e 4 3 5 3 6 3 8 7 8 8 8 9 8 a 8 b 8 4 8 5 8 6 4 1 5 1 6 1 3 3 2 3 3 1 2 1 3 2 2 2 4 2 5 2 6 2
Jul 12 05:59:24.906 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:before SSL initialization
Jul 12 05:59:24.906 Debg Read: read header , SSL_client_version: 131071, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.907 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:before SSL initialization
Jul 12 05:59:24.907 Debg Read: read header , SSL_client_version: 131071, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.911 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: Using PKI ciphers
Jul 12 05:59:24.913 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:SSLv3/TLS read client hello
Jul 12 05:59:24.913 Debg Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.913 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:SSLv3/TLS write server hello
Jul 12 05:59:24.913 Debg Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.914 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:SSLv3/TLS write certificate
Jul 12 05:59:24.914 Debg Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.951 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: sent 1152 bytes
Jul 12 05:59:24.952 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:SSLv3/TLS write key exchange
Jul 12 05:59:24.952 Debg Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:24.953 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: sent 108 bytes
Jul 12 05:59:24.953 Debg 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: SSL_accept:SSLv3/TLS write server done
Jul 12 05:59:24.953 Debg * Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:25.955 DEBG * 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: DTLS retransmit timeout
Jul 12 05:59:25.955 DEBG 127.0.0.1:9909 <-> 127.0.0.1:40186 (if1) DTLS: netif: sent 86 bytes
```

Client logs:

```
Jul 12 05:59:23.614 DEBG 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: new outgoing session
Jul 12 05:59:23.616 Debg 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: SSL_connect:before SSL initialization
Jul 12 05:59:23.617 Debg libcoap-5Read: read header , SSL_client_version: 131071, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:23.620 DEBG 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: netif: sent 267 bytes
Jul 12 05:59:23.621 Debg 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: SSL_connect:SSLv3/TLS write client hello
Jul 12 05:59:23.621 Debg libcoap-5Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
v:1 t:CON c:GET i:b02f {} [ Uri-Path:/api/remote ]
Jul 12 05:59:23.622 DEBG 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: mid=0xb02f: delayed
Jul 12 05:59:23.901 DEBG 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: netif: recv 60 bytes
Jul 12 05:59:23.902 Debg 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: SSL_connect:SSLv3/TLS write client hello
Jul 12 05:59:23.902 Debg libcoap-5Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:23.902 Debg 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: SSL_connect:DTLS1 read hello verify request
Jul 12 05:59:23.903 Debg libcoap-5Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 05:59:23.904 DEBG 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: netif: sent 299 bytes
Jul 12 05:59:23.904 Debg 127.0.0.1:40186 <-> 127.0.0.1:9909 DTLS: SSL_connect:SSLv3/TLS write client hello
Jul 12 05:59:23.904 Debg libcoap-5Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
```

I don't understand what 131071 is, because I have set the client version to DTLS1_version, which is 65279, and in the next line it changes to DTLS1_2_version, which is 65277. Where is the change happening?

I tried to run the client without the server; the change in version still happens:

```
Jul 12 06:14:42.380 DEBG 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: new outgoing session
Jul 12 06:14:42.382 Debg 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: SSL_connect:before SSL initialization
Jul 12 06:14:42.383 Debg libcoap-5Read: read header , SSL_client_version: 131071, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
Jul 12 06:14:42.386 DEBG 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: netif: sent 267 bytes
Jul 12 06:14:42.387 Debg 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: SSL_connect:SSLv3/TLS write client hello
Jul 12 06:14:42.389 Debg libcoap-5Read: read header , SSL_client_version: 65277, SSL_get_version: DTLSv1.2, SSL_is_dtls: 1, SSL_version:65277
v:1 t:CON c:GET i:e508 {} [ Uri-Path:/api ]
Jul 12 06:14:42.391 DEBG 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: mid=0xe508: delayed
Jul 12 06:14:42.392 WARN ** 127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: coap_socket_recv: ICMP: Connection refused
Jul 12 06:14:42.393 DEBG ***127.0.0.1:56477 <-> 127.0.0.1:9909 DTLS: session issue (COAP_NACK_ICMP_ISSUE)
```

mrdeep1 commented 2 weeks ago

131071 is 0x1ffff. As per the OpenSSL source:

```c
/* Special value for method supporting multiple versions */
# define DTLS_ANY_VERSION                0x1FFFF
```

This means the version has not been decided yet.

DTLS 1.1 never happened, as per RFC 6347, 1. Introduction.

Furthermore, the CoAP base RFC 7252 refers to RFC 6347 for the use of DTLS (RFC 7252, 1.1 Features). So neither DTLS 1.0 nor the DTLS 1.1 that never happened is supported for CoAP.
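The two points argued in this thread, that an OpenSSL-backed libcoap session only ever negotiates DTLS 1.2 because SSL_CTX_set_min_proto_version() sets the floor, and that 65279, 65277 and 131071 are simply DTLS1_VERSION, DTLS1_2_VERSION and DTLS_ANY_VERSION, can be checked directly against the bytes in the server log above. The C program below is an added editorial example, not code from libcoap or OpenSSL: it embeds the 267-byte first ClientHello from the posted server log (retyped with leading zeros), parses the DTLS record and handshake headers, and applies a minimum-version gate that respects DTLS's inverted version numbering. The function and type names (parse_hello_versions, dtls_version_allowed, dtls_version_name, struct hello_versions) are the example's own; the three numeric constants are the values OpenSSL defines in ssl.h, restated here so the file builds without libssl.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL's protocol constants from <openssl/ssl.h>, restated so this file needs no libssl. */
#define DTLS1_VERSION    0xFEFF   /* 65279: DTLS 1.0 */
#define DTLS1_2_VERSION  0xFEFD   /* 65277: DTLS 1.2 */
#define DTLS_ANY_VERSION 0x1FFFF  /* 131071: method supports several versions, none chosen yet */

#define DTLS_RECORD_HDR_LEN    13
#define DTLS_HANDSHAKE_HDR_LEN 12
#define CT_HANDSHAKE           22
#define HT_CLIENT_HELLO        1

/* Constructed sample: the 267-byte first ClientHello from the server log posted in this thread. */
static const uint8_t CLIENT_HELLO[] = {
    /* DTLSPlaintext: type=22 handshake, version=fe ff, epoch=0, seq=0, length=0x00fe */
    0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe,
    /* Handshake: ClientHello, length=0xf2, message_seq=0, fragment_offset=0, fragment_length=0xf2 */
    0x01, 0x00, 0x00, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2,
    /* client_version=fe fd (DTLS 1.2), then the 32-byte random */
    0xfe, 0xfd,
    0x2b, 0x3c, 0x22, 0x12, 0x09, 0x98, 0x31, 0xa8, 0x35, 0xe8, 0x21, 0x36, 0x9d, 0x86, 0xea, 0xd1,
    0x69, 0x30, 0xbb, 0x0f, 0x0f, 0x16, 0x7f, 0xa4, 0xbd, 0x55, 0xe0, 0xb5, 0x8a, 0xaa, 0x0b, 0x81,
    /* session_id len=0, cookie len=0 (no HelloVerifyRequest cookie yet), 0x70 bytes of cipher suites */
    0x00, 0x00, 0x00, 0x70,
    0xc0, 0x2c, 0xc0, 0x30, 0x00, 0xa3, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0xaf,
    0xc0, 0xad, 0xc0, 0xa3, 0xc0, 0x9f, 0xc0, 0x5d, 0xc0, 0x61, 0xc0, 0x57, 0xc0, 0x53, 0xc0, 0x2b,
    0xc0, 0x2f, 0x00, 0xa2, 0x00, 0x9e, 0xc0, 0xae, 0xc0, 0xac, 0xc0, 0xa2, 0xc0, 0x9e, 0xc0, 0x5c,
    0xc0, 0x60, 0xc0, 0x56, 0xc0, 0x52, 0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0x00, 0x6a, 0xc0, 0x73,
    0xc0, 0x77, 0x00, 0xc4, 0x00, 0xc3, 0xc0, 0x23, 0xc0, 0x27, 0x00, 0x67, 0x00, 0x40, 0xc0, 0x72,
    0xc0, 0x76, 0x00, 0xbe, 0x00, 0xbd, 0x00, 0x9d, 0xc0, 0xa1, 0xc0, 0x9d, 0xc0, 0x51, 0x00, 0x9c,
    0xc0, 0xa0, 0xc0, 0x9c, 0xc0, 0x50, 0x00, 0x3d, 0x00, 0xc0, 0x00, 0x3c, 0x00, 0xba, 0x00, 0xff,
    /* compression methods (null only), then 0x58 bytes of extensions */
    0x01, 0x00, 0x00, 0x58,
    0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02,
    0x00, 0x0a, 0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x1e, 0x00, 0x19, 0x00, 0x18,
    0x00, 0x23, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00,
    0x00, 0x0d, 0x00, 0x30, 0x00, 0x2e,
    0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0a, 0x08, 0x0b,
    0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x03, 0x03, 0x02, 0x03,
    0x03, 0x01, 0x02, 0x01, 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02, 0x06, 0x02,
};

struct hello_versions {
    uint16_t record_version;  /* DTLSPlaintext.version */
    uint16_t client_version;  /* ClientHello.client_version */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }

/* Pull both version fields out of a datagram carrying an unfragmented ClientHello.
 * Returns 0 on success, a negative code for anything malformed or unexpected. */
int parse_hello_versions(const uint8_t *pkt, size_t len, struct hello_versions *out)
{
    if (len < DTLS_RECORD_HDR_LEN + DTLS_HANDSHAKE_HDR_LEN + 2) return -1;
    if (pkt[0] != CT_HANDSHAKE) return -2;
    uint16_t rec_len = rd16(pkt + 11);
    /* the record must hold at least a handshake header plus client_version, and fit the datagram */
    if (rec_len < DTLS_HANDSHAKE_HDR_LEN + 2 || rec_len > len - DTLS_RECORD_HDR_LEN) return -3;
    const uint8_t *hs = pkt + DTLS_RECORD_HDR_LEN;
    if (hs[0] != HT_CLIENT_HELLO) return -4;
    uint32_t msg_len = rd24(hs + 1), frag_off = rd24(hs + 6), frag_len = rd24(hs + 9);
    /* client_version is the first body field, so the first fragment must be present and consistent */
    if (frag_off != 0 || frag_len < 2 || frag_len > msg_len) return -5;
    if (frag_len > (uint32_t)rec_len - DTLS_HANDSHAKE_HDR_LEN) return -6;
    out->record_version = rd16(pkt + 1);
    out->client_version = rd16(hs + DTLS_HANDSHAKE_HDR_LEN);
    return 0;
}

/* A minimum-version gate with DTLS's inverted numbering: newer versions have SMALLER numbers
 * (0xFEFD for 1.2 is below 0xFEFF for 1.0), so "at least 1.2" means offered <= 0xFEFD. */
int dtls_version_allowed(uint32_t offered, uint32_t min_version)
{
    if ((offered >> 8) != 0xFE) return 0;   /* not a DTLS version (0x1FFFF, or a TLS value like 0x0303) */
    return offered <= min_version;
}

const char *dtls_version_name(uint32_t v)
{
    switch (v) {
    case DTLS1_VERSION:    return "DTLSv1";
    case DTLS1_2_VERSION:  return "DTLSv1.2";
    case DTLS_ANY_VERSION: return "DTLS_ANY_VERSION (not negotiated yet)";
    default:               return "unknown";
    }
}

int main(void)
{
    struct hello_versions v;
    if (parse_hello_versions(CLIENT_HELLO, sizeof CLIENT_HELLO, &v) != 0) { fputs("malformed ClientHello\n", stderr); return 1; }
    printf("record layer  : 0x%04x (%u) %s\n", (unsigned)v.record_version, (unsigned)v.record_version, dtls_version_name(v.record_version));
    printf("client_version: 0x%04x (%u) %s\n", (unsigned)v.client_version, (unsigned)v.client_version, dtls_version_name(v.client_version));
    printf("min DTLS 1.2 gate on this hello: %s\n", dtls_version_allowed(v.client_version, DTLS1_2_VERSION) ? "accept" : "reject");
    printf("min DTLS 1.2 gate on a DTLS 1.0 hello: %s\n", dtls_version_allowed(DTLS1_VERSION, DTLS1_2_VERSION) ? "accept" : "reject");
    return 0;
}
```

Two things the parsed packet makes visible. First, the record layer carries fe ff (DTLS1_VERSION, 65279) while ClientHello.client_version carries fe fd (DTLS1_2_VERSION, 65277), and the client's log shows the same hello going out whether or not its minimum was lowered to DTLS1_VERSION: a minimum is a floor, and OpenSSL still offers its highest enabled DTLS version in client_version. To make the server actually reject a handshake you would cap the client with SSL_CTX_set_max_proto_version(), or use `openssl s_client -dtls1` on a build that still has DTLS 1.0 enabled, rather than lower its minimum. Second, DTLS version numbers compare in the opposite direction to TLS ones, which is why a naive `offered >= min` check would accept 1.0 under a 1.2 minimum; dtls_version_allowed() encodes the correct direction.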