TLS1.3 support #752
Comments
|
There currently is no option to configure this. In Note that DTLS1.3 is not fully available yet. |
|
thanks, @mrdeep1, I will try this out and get back to you! |
|
As the supprt becomes available in OpenSSL, GnuTLS, Mbed TLS and TinyDTLS libraries, there may need to be some minor changes to the The intent is to get the correct support in place for DTLS1.3. |
|
thanks, @mrdeep1 , I didn't know that there is support for DTLS1.3 by OpenSSL. I was looking around and I didn't succeed to find it. |
|
It is the version in the CLientHello that matters, not the version in the Record Layer Are you using PSK or PKI?
It is this line in examples/coap-client.c that need to be converted to = NULL. |
|
thanks, @mrdeep1, I just noticed I have OpenSSL 1.1.0 I guess there is no tls1.3 support I have to upgrade to the latest one, I will let you know once I'm done. In meantime, could you please elaborate on how I can use the DTLS1.3 with libcoap? |
|
Yes, you need a minimum of opensssl 1.1.1 for TLS1.3. Until DTLS1.3 is supported by the TLS libraries that libcoap uses, then DTLS1.3 is not available in libcoap as the TLS libraries will not understand the "supported_versions" extension value 0xfefc used to indicate DTLS1.3 support. So, the simple answer is that you cannot use DTLS1.3 at present. |
|
after doing the mentioned changes, I'm getting this error when I'm trying to run make |
|
I would say that it is likely you are compiling against openssl-1.1.1, but linking against openssl-1.1.0 What does |
|
here you are : |
|
So, I am therefore assuming that What version of OpenSSL did you build against (1.1.1?) ? |
|
OpenSSL around : "yes" (found OpenSSL 1.1.1), what I found out after checking. |
|
So, did you build with OpenSSL 3.0 (just recently released) - which has a |
|
I have just installed openssl 3.0, and I made the build but it shown openssl 1.1.1. How I can force it to use only openssl 3.0? |
|
See |
|
I have made some changes, now it's working perfectly. Thanks a lot @mrdeep1 |
|
It is all down to the supported_versions extension being the definitive answer. |
|
Hi @mrdeep1 , I have a question regarding CoAP over TLSv1.3. |
|
You need to be more explicit here and provide some debug log where this is happening. You for instance, should only be calling coap_new_client_session_pki()/coap_new_client_session_psk2() once to set up the CoAP session, and then do multiple coap_send() on that session. |
|
Hi @mrdeep1 , Thanks for your reply! |
|
I assume that you are also calling coap_io_process() between the coap_send() calls to handle the responses coming back from the server. It would be good to see |
|
Please find below the logs after sending 10 requests, I guess it's working now but I don't understand why it's skipping the delay between requests: |
|
What this looks like to me in pseudo code terms There is no evidence of your 5 second delay between coap_send(). or even better to handle the 20 or so TLS setup packet exchanges following the TCP connect completing (which also takes time and is not immediate) |
|
That's what's happening now: Nov 17 19:46:17.808 DEBG ***0.0.0.0:0 <-> 127.0.0.1:5684 TLS : new outgoing session |
|
I don't understand why not the delay is applied after one request is complete(receiving the response from the coap server). |
|
Without seeing the changes you have made to coap-client.c, it is not possible to say, Indicates a 1 sec delay between each coap_send(). However it does not appear that you are calling coap_io_process() between the two coap_send() and so there is no mechanism to handle the TCP connected state and then to start the sending of the TLS handshakes. is reported in the logs after you have done all the coap_send()s, and then all the TLS handshakes start. |
|
You are right, it seems creating a new coap request and send it it's in a different loop then coap_io_process(). I'm still efering to the coap-client.c file in examples folder. |
|
libcoap handles all the necessary TLS setup work each time a call_io_process() is called. So, call_io_process() needs to be in the coap_send() loop. Yes, your local copy of examples/coap-client.c will need to get updated along the lines of the pseudo code that I referred to earlier. |
|
Thanks, I have followed your proposals and It's working now. One questions I have noticed a weird behavior in Wireshark it seems the client is sending two requests instead of one, and, the first request after the certificate exchange is quite big |
|
Reading the debug logs will tell you why both line 22 and 24 were sent immediately adter each other - my suspicion is that your code is sending out 2 of them at this point. Line 20 is a different length so is likelt to be a Coap CSM RFC8323. Due to the nature of TCP, multiple writes can be sent in a single packet (and conversly a large write can span multiple packets) and so I woud say line 18 is likely to compise of the final part of the TLS exchange and the CSM from the server. So apart from your potential bug re lines 22 and 24 this looks fine to me. |
|
I have created PR #773 to add in the necessary code for supporting seperation between the -G requests. |
|
Thanks a lot for your efforts! |
|
There is a certain point in the TLS handshake where all the information is encrypted and wireshark can only report it as application data as it has no idea as to the record type. So, looking at the libcoap logs when I do a test, I get Note in particular. matching change cipher spec, there continues where there are 2 (seen as) application data (client certificate/client verify) being sent over the wire. This looks fine to me. |
|
I understand, so I assume it will be hard the measure the RTT of the requests in case sending 20 request as it will hard to track each request. Or it could be done with the code but that require some changes in the library to record ACK time of the response from the server. |
|
The client sends a request, to which there is a response tracked by the unique to response/request token. If you want you can record the time between the token being used and when it is finished with. libcoap neves sees the TCP ACK response. |
|
I assume those are not reported in the logs? Another question, can you point me to the API used to create a resource as I need to request specific JSON data for a specific URI? Thanks a lot for your help! |
|
coap_resource(3). All the documentation you need should be available at Documentation |
|
Thanks! Which variable you have used to fix to one-second delay as I need to make it dynamic? I need to change it |
Hi,
I'm running CoAP over TLS using openssl, I would like to know how I can force the use of TLS1.3, as there is no option for it or information in the documentation?
Thanks in advance
The text was updated successfully, but these errors were encountered: