openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

DTLS server does not respond to retransmitted "Client Hello" #18635

Closed mniestroj closed 2 years ago

mniestroj commented 2 years ago

Version: 20af01d46ca4086f6b1339b67c15c81d8b4a040d (4 commits before OpenSSL_1_1_1p)

In order to reproduce the issue, use https://github.com/mniestroj/openssl/tree/reproduce-dtls-handshake-deadlock or just apply https://github.com/mniestroj/openssl/commit/b314ee46815c10d52c94f1f13afd67035edcb91e commit, which simulates dropping reply to first "Client Hello" packet (this means that client does not receive response to "Client Hello" and continues retransmitting it).

$ apps/openssl s_server -dtls1_2 -accept 192.0.2.2:5684 -psk_identity mark-one-id@one -psk 3172306e6d406e -cipher PSK-AES128-CCM8 -nocert -security_debug_verbose
Using default temp DH parameters
ACCEPT

Security callback: Version=???: yes
Security callback: Version=???: yes
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 0 (s->statem.hand_state 0)
Don't send this message!
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)

Recurring `comparing msg_hdr.seq 0 ...` messages are printed whenever a new retransmitted "Client Hello" message is received. Unfortunately openssl treats that message as invalid. It looks like a retransmitted "Client Hello" is not handled correctly.

An mbedTLS based DTLS client was used, though it should be reproducible with any DTLS client.

See that "Client Hello" messages are visible in Wireshark as well (screenshot attached to the original issue).

This is quite a severe bug, because restarting the client (or starting a new handshake) does not solve the issue, which means that there is a persistent deadlock for such a client. A workaround was developed, which seems to solve the issue: https://github.com/mniestroj/openssl/commit/18ad4353e8b5f35d05e742097e416b8d6a0d3f6d. After applying this workaround, the DTLS server properly continues:

$ apps/openssl s_server -dtls1_2 -accept 192.0.2.2:5684 -psk_identity mark-one-id@one -psk 3172306e6d406e -cipher PSK-AES128-CCM8 -nocert -security_debug_verbose
Using default temp DH parameters
ACCEPT
Security callback: Version=???: yes
Security callback: Version=???: yes
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 0 (s->statem.hand_state 0)
Don't send this message!
comparing msg_hdr.seq 0 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
special case for handling Client Hello retransmit 1 21
comparing msg_hdr.seq 1 s->d1->handshake_read_seq 1 (s->statem.hand_state 21)
Security callback: Version=???: yes
Security callback: : yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp521r1_sha512, security bits=256: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha512, security bits=256: yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp384r1_sha384, security bits=192: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha384, security bits=192: yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha256, security bits=128: yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp521r1_sha512, security bits=256: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha512, security bits=256: yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp384r1_sha384, security bits=192: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha384, security bits=192: yes
Security callback: Shared Signature Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128: yes
Security callback: Shared Signature Algorithm scheme=rsa_pkcs1_sha256, security bits=128: yes
Security callback: Shared Ciphersuite=PSK-AES128-CCM8, security bits=128: yes
comparing msg_hdr.seq 2 s->d1->handshake_read_seq 2 (s->statem.hand_state 26)
comparing msg_hdr.seq 3 s->d1->handshake_read_seq 3 (s->statem.hand_state 31)
-----BEGIN SSL SESSION PARAMETERS-----
...
t8m commented 2 years ago

@bernd-edlinger was recently looking at DTLS so perhaps he could comment?

bernd-edlinger commented 2 years ago

That is a limitation of the s_server command. It only allows a single connection at a time. Try to use the -timeout option as a workaround, to allow the s_server to disconnect after a timeout is detected. `openssl s_server -dtls -timeout` should work.

mattcaswell commented 2 years ago

> That is a limitation of the s_server command.

No. There is a real bug here. I have it replicated locally. Still looking at it.

bernd-edlinger commented 2 years ago

Oh, yeah, you are of course right. What I tried was this: `./openssl s_server -dtls -trace` vs. `./openssl s_client -dtls`, press CTRL-C after the connection is established, and now see that the next `./openssl s_client -dtls` is stuck. But that does not happen when I do `./openssl s_server -dtls -trace -timeout` and `./openssl s_client -dtls`, press CTRL-C after the connection is established, and now see that the next `./openssl s_client -dtls` is not stuck. BUT that is in itself a bug, because the server does this:

-- client killed with CTRL-C and new client connects now:
Received Record
Header:
  Version = DTLS 1.0 (0xfeff)
  epoch=0, sequence_number=000000000000
  Content Type = Handshake (22)
  Length = 216
Received Record
Header:
  Version = UNKNOWN (0x0)
  epoch=52224, sequence_number=000000000000
  Content Type = UNKNOWN (1)
  Length = 52478
Received Record
Header:
  Version = UNKNOWN (0x5e96)
  epoch=31756, sequence_number=32a777a71f95
  Content Type = UNKNOWN (253)
  Length = 62987
Received Record
Header:
  Version = UNKNOWN (0x200c)
  epoch=7619, sequence_number=5d03ade855d7
  Content Type = UNKNOWN (78)
  Length = 45249
Received Record
Header:
  Version = UNKNOWN (0x3354)
  epoch=24123, sequence_number=f84600000038
  Content Type = UNKNOWN (103)
  Length = 49196
Received Record
Header:
  Version = UNKNOWN (0x3000)
  epoch=40908, sequence_number=a9cca8ccaac0
  Content Type = UNKNOWN (192)
  Length = 11200
Received Record
Header:
  Version = UNKNOWN (0x9e)
  epoch=49188, sequence_number=c028006bc023
  Content Type = UNKNOWN (47)
  Length = 49191
Received Record
Header:
  Version = UNKNOWN (0x67c0)
  epoch=2752, sequence_number=140039c009c0
  Content Type = UNKNOWN (0)
  Length = 4864
Received Record
Header:
  Version = UNKNOWN (0x9d)
  epoch=156, sequence_number=003d003c0035
  Content Type = UNKNOWN (51)
  Length = 47
Received Record
Header:
  Version = UNKNOWN (0xff01)
  epoch=0, sequence_number=6a0000000e00
  Content Type = UNKNOWN (0)
  Length = 3072
Received Record
Header:
  Version = UNKNOWN (0x96c)
  epoch=28515, sequence_number=616c686f7374
  Content Type = UNKNOWN (0)
  Length = 11
Received Record
Header:
  Version = UNKNOWN (0x403)
  epoch=1, sequence_number=02000a000c00
  Content Type = UNKNOWN (0)
  Length = 2560
Received Record
Header:
  Version = UNKNOWN (0x17)
  epoch=30, sequence_number=001900180023
  Content Type = UNKNOWN (29)
  Length = 0
Received Record
Header:
  Version = UNKNOWN (0x1600)
  epoch=0, sequence_number=170000000d00
  Content Type = UNKNOWN (0)
  Length = 12288
Received Record
Header:
  Version = UNKNOWN (0x403)
  epoch=1283, sequence_number=060308070808
  Content Type = UNKNOWN (46)
  Length = 2074
Received Record
Header:
  Version = UNKNOWN (0x1b08)
  epoch=7176, sequence_number=09080a080b08
  Content Type = UNKNOWN (8)
  Length = 1032
Received Record
Header:
  Version = UNKNOWN (0x806)
  epoch=1025, sequence_number=050106010303
  Content Type = UNKNOWN (5)
  Length = 769
ERROR
4087BBE62C7F0000:error:0680009F:asn1 encoding routines:(unknown function):unexpected eoc:crypto/asn1/tasn_dec.c:401:Type=X509_CINF
4087BBE62C7F0000:error:0688010A:asn1 encoding routines:(unknown function):nested asn1 error:crypto/asn1/tasn_dec.c:685:Field=cert_info, Type=X509
shutting down SSL
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=1, sequence_number=000000000001
  Content Type = Alert (21)
  Length = 26
    Level=warning(1), description=close notify(0)

CONNECTION CLOSED
Received Record
Header:
  Version = DTLS 1.0 (0xfeff)
  epoch=0, sequence_number=000000000001
  Content Type = Handshake (22)
  Length = 216
    ClientHello, Length=204
    message_seq=0, fragment_offset=0, fragment_length=204
      client_version=0xfefd (DTLS 1.2)
      Random:
        gmt_unix_time=0x5E967C0C
        random_bytes (len=28): 32A777A71F95F60B4E200C1DC35D03ADE855D7B0C16733545E3BF846
      session_id (len=0): 
      cookie (len=0): 
      cipher_suites (len=56)
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 106
        extension_type=server_name(0), length=14
          0000 - 00 0c 00 00 09 6c 6f 63-61 6c 68 6f 73 74      .....localhost
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=12
          ecdh_x25519 (29)
          secp256r1 (P-256) (23)
          ecdh_x448 (30)
          secp521r1 (P-521) (25)
          secp384r1 (P-384) (24)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=48
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          ecdsa_brainpoolP256r1_sha256 (0x081a)
          ecdsa_brainpoolP384r1_sha384 (0x081b)
          ecdsa_brainpoolP512r1_sha512 (0x081c)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          rsa_pkcs1_sha224 (0x0301)
          dsa_sha224 (0x0302)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)

Sent Record
Header:
  Version = DTLS 1.0 (0xfeff)
  epoch=0, sequence_number=000000000000
  Content Type = Handshake (22)
  Length = 35
    HelloVerifyRequest, Length=23
    message_seq=0, fragment_offset=0, fragment_length=23
      server_version=0xfeff (DTLS 1.0)
      cookie (len=20): DBDB1FA7E5DA2817AFCC1D43F555D83ECFD4F040

Received Record
Header:
  Version = DTLS 1.0 (0xfeff)
  epoch=0, sequence_number=000000000002
  Content Type = Handshake (22)
  Length = 236
    ClientHello, Length=224
    message_seq=1, fragment_offset=0, fragment_length=224
      client_version=0xfefd (DTLS 1.2)
      Random:
        gmt_unix_time=0x5E967C0C
        random_bytes (len=28): 32A777A71F95F60B4E200C1DC35D03ADE855D7B0C16733545E3BF846
      session_id (len=0): 
      cookie (len=20): DBDB1FA7E5DA2817AFCC1D43F555D83ECFD4F040
      cipher_suites (len=56)
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 106
        extension_type=server_name(0), length=14
          0000 - 00 0c 00 00 09 6c 6f 63-61 6c 68 6f 73 74      .....localhost
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=12
          ecdh_x25519 (29)
          secp256r1 (P-256) (23)
          ecdh_x448 (30)
          secp521r1 (P-521) (25)
          secp384r1 (P-384) (24)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=48
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          ecdsa_brainpoolP256r1_sha256 (0x081a)
          ecdsa_brainpoolP384r1_sha384 (0x081b)
          ecdsa_brainpoolP512r1_sha512 (0x081c)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          rsa_pkcs1_sha224 (0x0301)
          dsa_sha224 (0x0302)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000001
  Content Type = Handshake (22)
  Length = 73
    ServerHello, Length=61
    message_seq=1, fragment_offset=0, fragment_length=61
      server_version=0xfefd (DTLS 1.2)
      Random:
        gmt_unix_time=0x94772410
        random_bytes (len=28): B216AECF48807EDEC6BA59AFDA5B5073FB0B1C0AA2CA713BD6E5D1CB
      session_id (len=0): 
      cipher_suite {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 21
        extension_type=renegotiate(65281), length=1
            <EMPTY>
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=session_ticket(35), length=0
        extension_type=extended_master_secret(23), length=0

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000002
  Content Type = Handshake (22)
  Length = 109
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000003
  Content Type = Handshake (22)
  Length = 195
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000004
  Content Type = Handshake (22)
  Length = 195
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000005
  Content Type = Handshake (22)
  Length = 195
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000006
  Content Type = Handshake (22)
  Length = 181
    Certificate, Length=815
    message_seq=2, fragment_offset=0, fragment_length=815
      certificate_list, length=812
        ASN.1Cert, length=809<UNPARSEABLE CERTIFICATE>
<TRAILING GARBAGE AFTER CERTIFICATE>

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000007
  Content Type = Handshake (22)
  Length = 195
Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000008
  Content Type = Handshake (22)
  Length = 125
    ServerKeyExchange, Length=296
    message_seq=3, fragment_offset=0, fragment_length=296
      KeyExchangeAlgorithm=ECDHE
        named_curve: ecdh_x25519 (29)
        point (len=32): 528E73505F7A7C98177BD17907CEE801A418A5AB07A38A02B4E29D1437440F1A
      Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
      Signature (len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

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000009
  Content Type = Handshake (22)
  Length = 12
    ServerHelloDone, Length=0
    message_seq=4, fragment_offset=0, fragment_length=0

Received Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000003
  Content Type = Handshake (22)
  Length = 45
    ClientKeyExchange, Length=33
    message_seq=2, fragment_offset=0, fragment_length=33
      KeyExchangeAlgorithm=ECDHE
        ecdh_Yc (len=32): AA09C277BCACE5D5660E3C02775B74376562C47E8512C8A7DEB332A84EEA300B

Received Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=000000000004
  Content Type = ChangeCipherSpec (20)
  Length = 1
    change_cipher_spec (1)

Received Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=1, sequence_number=000000000000
  Content Type = Handshake (22)
  Length = 48
    Finished, Length=12
    message_seq=3, fragment_offset=0, fragment_length=12
      verify_data (len=12): 9FA997640153737F2B77D77F

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=00000000000a
  Content Type = Handshake (22)
  Length = 194
    NewSessionTicket, Length=182
    message_seq=5, fragment_offset=0, fragment_length=182
        ticket_lifetime_hint=7200
        ticket (len=176): 87733D3CB52FA9B69BB16A093BA90614DDB31ACB7DBEF67759FD2319E19CA8FEF56E5FE344FF0EB00AE183D96188CE797F08DAB91653B07BA5B8A95E171E69642F910512F7F4E65B4E053F2D134F6953F67041DC1A8096FDF903EFEC6E3C63618FB6C132715E7D0425302D9BA10CA3A28FAA44155B29B951097094C1996B0EE69790AA66186A3F3099F7DB989F5E5131B9EC9B76DBA4583AC91CE9128FF2633715CE53C89586D74A1AE332462262D150

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=0, sequence_number=00000000000b
  Content Type = ChangeCipherSpec (20)
  Length = 1
    change_cipher_spec (1)

Sent Record
Header:
  Version = DTLS 1.2 (0xfefd)
  epoch=1, sequence_number=000000000000
  Content Type = Handshake (22)
  Length = 48
    Finished, Length=12
    message_seq=6, fragment_offset=0, fragment_length=12
      verify_data (len=12): A4EED2E035B8D06CF26E73B9

-----BEGIN SSL SESSION PARAMETERS-----
MGACAQECAwD+/QQCwDAEAAQw85dSzwYttMEe2FUFqFOxeI3CgWDKc7Nl+x8mRLfA
klXoS8AS9+VmYV3taz2SkjjwoQYCBGK0zF+iBAICHCCkBgQEAQAAAK0DAgEBswMC
AR0=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

See the funny unknown messages, followed by

ERROR
4087BBE62C7F0000:error:0680009F:asn1 encoding routines:(unknown function):unexpected eoc:crypto/asn1/tasn_dec.c:401:Type=X509_CINF
4087BBE62C7F0000:error:0688010A:asn1 encoding routines:(unknown function):nested asn1 error:crypto/asn1/tasn_dec.c:685:Field=cert_info, Type=X509
shutting down SSL

But this only happens when -timeout and -trace are used together, to my surprise... So that is just another error that I wanted to solve with #18111, but it was not approved yet. So at the moment the only way to use DTLS in real applications is to do it like `./openssl s_server -dtls -listen` does and have some kind of time-out logic at the application layer.

mattcaswell commented 2 years ago

Fix for this in #18654.

Note that this is only a problem when using "stateful" cookie exchange. The preferred way is to use "stateless" cookies via the DTLSv1_listen API - and that API does not suffer from this problem. s_server implements this via the -listen flag. See:

https://www.openssl.org/docs/man3.0/man3/DTLSv1_listen.html
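To make the failure mode from the original report and the stateful-vs-stateless distinction in the last comment concrete, here is an added toy model in Python. It is not OpenSSL's code and not the reporter's workaround; it models only the server-side handshake message_seq bookkeeping. Three servers are compared on the same lossy exchange (ClientHello sent, the server's first reply lost, the identical ClientHello retransmitted): a stateful server that drops any out-of-sequence message (the deadlock), the same server with a special case that answers a ClientHello retransmit while it is still waiting for the cookie, and a DTLSv1_listen-style stateless listener that keeps no per-peer state before a valid cookie arrives. Class names, state names, the cookie construction and the peer address are the example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class HandshakeMsg:
    msg_type: str        # "ClientHello", "HelloVerifyRequest" or "ServerHello"
    msg_seq: int         # DTLS handshake message_seq (RFC 6347, section 4.2.2)
    cookie: bytes = b""  # cookie field of ClientHello / HelloVerifyRequest


class StatefulServer:
    """Stateful cookie exchange (toy model, not OpenSSL's state machine): the
    server starts its handshake state on the first ClientHello and from then
    on expects message_seq values strictly in order. lenient=True adds the
    special case for a ClientHello retransmit that arrives while the server
    is still waiting for the cookie-bearing ClientHello."""

    def __init__(self, lenient: bool):
        self.lenient = lenient
        self.handshake_read_seq = 0    # next client message_seq we expect
        self.handshake_write_seq = 0   # next message_seq we will send
        self.state = "WAIT_CLIENT_HELLO"
        self.last_hvr = None           # HelloVerifyRequest we already sent

    def _send(self, msg_type: str, cookie: bytes = b"") -> HandshakeMsg:
        m = HandshakeMsg(msg_type, self.handshake_write_seq, cookie)
        self.handshake_write_seq += 1
        return m

    def receive(self, peer: str, m: HandshakeMsg):
        """Return the reply, or None when the message is silently dropped."""
        if m.msg_seq != self.handshake_read_seq:
            is_retransmit = (m.msg_type == "ClientHello" and m.msg_seq == 0
                             and self.state == "WAIT_COOKIE_CLIENT_HELLO")
            if self.lenient and is_retransmit:
                # The peer never saw our HelloVerifyRequest: resend it
                # (same message_seq, same cookie) instead of ignoring the peer.
                return self.last_hvr
            return None   # out of sequence: dropped, peer keeps retransmitting
        if self.state == "WAIT_CLIENT_HELLO" and m.msg_type == "ClientHello":
            self.handshake_read_seq += 1
            self.last_hvr = self._send("HelloVerifyRequest", secrets.token_bytes(20))
            self.state = "WAIT_COOKIE_CLIENT_HELLO"
            return self.last_hvr
        if (self.state == "WAIT_COOKIE_CLIENT_HELLO" and m.msg_type == "ClientHello"
                and m.cookie == self.last_hvr.cookie):
            self.handshake_read_seq += 1
            self.state = "NEGOTIATING"
            return self._send("ServerHello")
        return None


class StatelessListener:
    """DTLSv1_listen-style front end (toy model): nothing is remembered per
    peer until a ClientHello with a valid cookie arrives, so a retransmitted
    ClientHello is simply answered again. The cookie is an HMAC over the peer
    address here; a real implementation binds more ClientHello fields."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def _cookie(self, peer: str) -> bytes:
        return hmac.new(self.secret, peer.encode(), hashlib.sha256).digest()[:20]

    def receive(self, peer: str, m: HandshakeMsg):
        if m.msg_type != "ClientHello":
            return None
        expected = self._cookie(peer)
        if m.cookie and hmac.compare_digest(m.cookie, expected):
            return "ACCEPT"   # only now would per-connection state be allocated
        return HandshakeMsg("HelloVerifyRequest", 0, expected)


def _label(reply) -> str:
    if reply is None:
        return "timeout"
    return reply if isinstance(reply, str) else reply.msg_type


def run_lossy_handshake(server, retries: int = 3) -> list:
    """Client sends ClientHello(msg_seq 0); the server's first reply is lost
    (as the reproduction commit simulates); the client retransmits the
    identical ClientHello up to `retries` times. Returns what the client saw."""
    peer = "192.0.2.1:5684"                    # constructed peer address
    client_hello = HandshakeMsg("ClientHello", 0)
    server.receive(peer, client_hello)         # reply deliberately dropped
    seen = []
    for _ in range(retries):
        reply = server.receive(peer, client_hello)   # same message_seq 0
        seen.append(_label(reply))
        if reply is None:
            continue
        # Client got the HelloVerifyRequest: second ClientHello carries the cookie.
        with_cookie = HandshakeMsg("ClientHello", 1, reply.cookie)
        seen.append(_label(server.receive(peer, with_cookie)))
        break
    return seen


if __name__ == "__main__":
    print("stateful, strict :", run_lossy_handshake(StatefulServer(lenient=False)))
    print("stateful, lenient:", run_lossy_handshake(StatefulServer(lenient=True)))
    print("stateless listen :", run_lossy_handshake(StatelessListener()))
```

The strict stateful server never answers again, which is the persistent deadlock the report describes: every retransmit carries msg_seq 0 while the server already expects 1. The lenient variant and the stateless listener both complete the exchange; the stateless one does so without any special case, because it has nothing to get out of sync.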