illustrated-dtls icon indicating copy to clipboard operation
illustrated-dtls copied to clipboard
verified publisher icon syncsynchalt

HelloVerifyRequest/HelloRetryRequest is missing

Open Snawoot opened this issue 2 years ago • 0 comments

Hello,

I'd like to point out that one of critical stages and corresponding messages are missing from DTLS diagram. As per RFC 9147 Section 5.1

In order to counter both of these attacks, DTLS borrows the stateless cookie technique used by Photuris [RFC2522] and IKE [RFC7296]. When the client sends its ClientHello message to the server, the server MAY respond with a HelloRetryRequest message. The HelloRetryRequest message, as well as the "cookie" extension, is defined in TLS 1.3. The HelloRetryRequest message contains a stateless cookie (see [TLS13], Section 4.2.2). The client MUST send a new ClientHello with the cookie added as an extension. The server then verifies the cookie and proceeds with the handshake only if it is valid.

Specifically, diagram is missing that part with possible retransmit of ClientHello message with cookie provided by server in HelloVerifyRequest/HelloRetryRequest message. Even though such mechanism is optional for a server, it's mandatory for protocol as a whole because client MUST handle what server MAY send (as defined by RFC 2119 Section 5).

Snawoot avatar Jan 09 '24 16:01 Snawoot