search

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0
2.29k stars 818 forks source link

[Bug]: No support for NewConnectionId and RequestConnectionId in DTLS 1.3 #6367

Open Conradowatz opened 1 year ago

Conradowatz commented 1 year ago

Contact Details

conrad@owatz.de

Version

5.5.0

Description

WolfSSL partially supports the connection identifier extension (https://www.rfc-editor.org/rfc/rfc9146.html). However, it does not implement the NewConnectionId and RequestConnectionId messages introduced in DTLS 1.3 (https://www.rfc-editor.org/rfc/rfc9147.html). Since wolfSSL advertises supporting connection identifiers, one would expect these messages to be implemented. A client could connect to a wolfSSL server, negotiate the extension, but if it sends one of the two messages, the connection gets terminated with an unexpected_message alert. I would recommand to either drop connection id support, or implement the missing messages.

Reproduction steps

In user_settings.h, enable DTLS and the extension:

#define WOLFSSL_DTLS
#define WOLFSSL_DTLS_CID
  1. Connect to the wolfSSL example server using DTLS and with connection id enabled (--cid XX) and do a handshake
  2. send a NewConnectionId or RequestConnectionId message
  3. the connection gets terminated with a unexpected_message alert

Relevant log output

No response

rizlik commented 1 year ago

Hey @Conradowatz ,

Thanks for reporting, we are aware of that and we are currently evaluating the effort of adding support for these two messages.

Thanks, Marco