The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
WolfSSL partially supports the connection identifier extension (https://www.rfc-editor.org/rfc/rfc9146.html).
However, it does not implement the NewConnectionId and RequestConnectionId messages introduced in DTLS 1.3 (https://www.rfc-editor.org/rfc/rfc9147.html).
Since wolfSSL advertises supporting connection identifiers, one would expect these messages to be implemented. A client could connect to a wolfSSL server, negotiate the extension, but if it sends one of the two messages, the connection gets terminated with an unexpected_message alert.
I would recommand to either drop connection id support, or implement the missing messages.
Reproduction steps
In user_settings.h, enable DTLS and the extension:
#define WOLFSSL_DTLS
#define WOLFSSL_DTLS_CID
Connect to the wolfSSL example server using DTLS and with connection id enabled (--cid XX) and do a handshake
send a NewConnectionId or RequestConnectionId message
the connection gets terminated with a unexpected_message alert
Contact Details
conrad@owatz.de
Version
5.5.0
Description
WolfSSL partially supports the connection identifier extension (https://www.rfc-editor.org/rfc/rfc9146.html). However, it does not implement the NewConnectionId and RequestConnectionId messages introduced in DTLS 1.3 (https://www.rfc-editor.org/rfc/rfc9147.html). Since wolfSSL advertises supporting connection identifiers, one would expect these messages to be implemented. A client could connect to a wolfSSL server, negotiate the extension, but if it sends one of the two messages, the connection gets terminated with an unexpected_message alert. I would recommand to either drop connection id support, or implement the missing messages.
Reproduction steps
In user_settings.h, enable DTLS and the extension:
unexpected_message
alertRelevant log output
No response