
[Bug]: No support for NewConnectionId and RequestConnectionId in DTLS 1.3

Open · Conradowatz opened this issue 2 years ago · 1 comment

Contact Details

[email protected]

Version

5.5.0

Description

WolfSSL partially supports the connection identifier extension (https://www.rfc-editor.org/rfc/rfc9146.html). However, it does not implement the NewConnectionId and RequestConnectionId messages introduced in DTLS 1.3 (https://www.rfc-editor.org/rfc/rfc9147.html). Since wolfSSL advertises support for connection identifiers, one would expect these messages to be implemented. A client could connect to a wolfSSL server and negotiate the extension, but if it sends one of the two messages, the connection gets terminated with an unexpected_message alert. I would recommend either dropping connection id support or implementing the missing messages.

Reproduction steps

In user_settings.h, enable DTLS and the extension:

#define WOLFSSL_DTLS
#define WOLFSSL_DTLS_CID
  1. Connect to the wolfSSL example server using DTLS and with connection id enabled (--cid XX) and do a handshake
  2. Send a NewConnectionId or RequestConnectionId message
  3. The connection gets terminated with an unexpected_message alert

Relevant log output

No response

Conradowatz, May 02 '23 13:05
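As an added example (not wolfSSL code, and not from the reporter), here is a C decoder for the two message bodies that RFC 9147 section 9 defines, with the length checks a receiver needs before acting on them. The handshake type numbers (9 and 10) are taken from RFC 9147 section 5.2, MAX_CIDS is an assumed local limit, and the sample bytes are constructed, not captured from wolfSSL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HS_REQUEST_CONNECTION_ID 9   /* HandshakeType values from RFC 9147 section 5.2 */
#define HS_NEW_CONNECTION_ID     10
#define MAX_CIDS 8                   /* assumed local receive limit, not from the RFC */

struct new_cid_msg {                 /* decoded NewConnectionId body */
    size_t  count;
    uint8_t len[MAX_CIDS];
    uint8_t cid[MAX_CIDS][255];      /* opaque ConnectionId<0..2^8-1> */
    uint8_t usage;                   /* cid_immediate(0) or cid_spare(1) */
};

/* Parse "ConnectionId cids<0..2^16-1>; ConnectionIdUsage usage;" (RFC 9147 section 9.1).
 * Returns 0 on success, -1 if the body is truncated, oversized or inconsistent. */
int parse_new_connection_id(const uint8_t *p, size_t n, struct new_cid_msg *out) {
    size_t vec_len, pos;
    if (n < 3) return -1;                      /* 2-byte vector length + usage byte */
    vec_len = ((size_t)p[0] << 8) | p[1];
    if (vec_len + 3 != n) return -1;           /* body must be exactly vector + usage */
    memset(out, 0, sizeof(*out));
    for (pos = 2; pos < 2 + vec_len; ) {
        uint8_t l = p[pos++];
        if (pos + l > 2 + vec_len) return -1;  /* inner CID runs past the vector */
        if (out->count == MAX_CIDS) return -1; /* more CIDs than we will store */
        out->len[out->count] = l;
        memcpy(out->cid[out->count], p + pos, l);
        out->count++;
        pos += l;
    }
    out->usage = p[pos];
    return out->usage <= 1 ? 0 : -1;           /* reject unknown usage values */
}

/* Parse "uint16 num_cids;" (RFC 9147 section 9.2). Returns num_cids, or -1 if malformed. */
int parse_request_connection_id(const uint8_t *p, size_t n) {
    if (n != 2) return -1;
    return (p[0] << 8) | p[1];
}

/* A CID-negotiated endpoint must dispatch these two types rather than answer unexpected_message. */
int is_cid_handshake_type(uint8_t msg_type) {
    return msg_type == HS_NEW_CONNECTION_ID || msg_type == HS_REQUEST_CONNECTION_ID;
}
/* Constructed sample bodies (not captured from wolfSSL): two CIDs, usage cid_immediate. */
const uint8_t SAMPLE_NEW_CID[] = {0x00, 0x07, 0x02, 0xAA, 0xBB, 0x03, 0x01, 0x02, 0x03, 0x00};
const uint8_t SAMPLE_BAD_NEW_CID[] = {0x00, 0x03, 0x05, 0xAA, 0xBB, 0x00}; /* inner len > vector */
const uint8_t SAMPLE_REQUEST_CID[] = {0x00, 0x02};
```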

Hey @Conradowatz ,

Thanks for reporting, we are aware of that and we are currently evaluating the effort of adding support for these two messages.

Thanks, Marco

rizlik, May 08 '23 15:05