Hi
Simon,
First
results:
Openssl
1.1.1 uses 1.0, mbedtls uses 1.2 for that
HelloVerifyRequest.
Both
clients works with 1.2 or 1.0
From
your previous mail:
The server MUST use the same
version number in the HelloVerifyRequest that it would use when
sending a ServerHello.
That’s
interesting … and doesn’t fit. So I will write to the
ietf-tls-list.
Mit freundlichen Grüßen / Best regards
Achim Kraus
Bosch IoT Hub - Product Area IoT Platform (IOC/PAP-HU)
Bosch.IO GmbH | Stuttgarter Straße 130 | 71332
Waiblingen |
GERMANY | www.bosch.io
Sitz: Berlin, Registergericht: Amtsgericht
Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke;
Geschäftsführung: Dr. Stefan Ferber, Dr. Aleksandar
Mitrovic, Yvonne Reckling
As you are here Achim, I will not open a
dedicated issue in californium.
Let discuss about it here.
My first point : I'm not sure this is a good idea to
change default behavior in a minor version release. In
this particular case we could maybe considered this as a
bug fix (But I'm not sure of this as this is just a
SHOULD and not a MUST).
My second point : About the RFC, it says :
1. TLS 1.2 server implementations SHOULD use DTLS
2. version 1.0 regardless of the version of TLS that is expected to be
3. negotiated. DTLS 1.2 and 1.0 clients MUST use the version solely to
4. indicate packet formatting (which is the same in both DTLS 1.2 and
5. 1.0) and not as part of version negotiation. In particular, DTLS 1.2
6. clients MUST NOT assume that because the server uses version 1.0 in
7. the HelloVerifyRequest that the server is not DTLS 1.2 or that it
8. will eventually negotiate DTLS 1.0 rather than DTLS 1.2.
9. The server MUST use the same
10. version number in the HelloVerifyRequest that it would use when
11. sending a ServerHello.
So
I'm not sure to understand this correctly ? Does it
means that a DTLS 1.2 server SHOULD use 1.2 version in
hello_verfiy_request ? Using 1.0 version is only for
server which support 1.0 to 1.2 ?
(I suppose you have another understanding else you
didn't implement this ? or maybe you just missed the
second sentence ?)
Mark,
no matter how this discussion will end, your device
seems to not respect this part of the RFC :
In particular, DTLS 1.2
clients MUST NOT assume that because the server uses version 1.0 in
the HelloVerifyRequest that the server is not DTLS 1.2 or that it
will eventually negotiate DTLS 1.0 rather than DTLS 1.2.
So you should report this.
Simon
Le
23/11/2020 à 16:48, Kraus Achim (IOC/PAP-HU) a écrit :
Hi
together,
there
is a
DtlsConfiguration.Builder.setProtocolVersionForHelloVerifyRequests.
That
may help out.
It’s
always not too easy, to fix something according a
RFC, if some implementations are used to behave
different ;-).
Mit
freundlichen Grüßen / Best regards
Achim Kraus
Bosch IoT Hub - Product Area IoT Platform
(IOC/PAP-HU)
Bosch.IO GmbH | Stuttgarter Straße 130 | 71332
Waiblingen |
GERMANY | www.bosch.io
Sitz: Berlin, Registergericht: Amtsgericht
Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten
Lücke; Geschäftsführung: Dr. Stefan Ferber, Dr.
Aleksandar Mitrovic, Yvonne Reckling
I bet this could be
because of :
https://github.com/eclipse/californium/pull/1397
See :
https://tools.ietf.org/html/rfc6347#section-4.2.1
The default VERSION value changes which change
default behavior, but this changes follow a RFC
recommendation so I'm not sure if this will(or even
should) be changed back ? (My guess is probably not)
This is possible to change it using the API, see :
https://github.com/eclipse/californium/pull/1397/files#diff-3c57eeacb63a45e50c11737e09d3e166367773a093f2cb216e3ece81f2477597R1606
(but this will probably not changed on the sandbox)
Le
23/11/2020 à 16:17, Simon Bernard a écrit :
We succeed to get a capture. I joined it.
Your device sounds to not answer to
HELLO_VERIFY_REQUEST from the server.
I guess there is some changes about this at
Californium side. I will open a ticket to discuss
about this. Please do not hesitate to join the
discussion.
Le
23/11/2020 à 15:36, Simon Bernard a écrit :
Hi,
You can eventually run leshan-server-demo
locally and so run wireshark at server side.
Or Eventually, I can try to do a capture at
server side. (as there is not so much traffic)
I'm currently running a tcpdump on the sandbox.
If you make your device communicate now I can
see the exchange.
(This will maybe be complicated to synchronize
ourself, I will let the tcpdump capturing for
the next hour but I will stop it before the end
of the day)
Simon
Le
23/11/2020 à 15:00, Mark Lugovskoy a écrit :
Hi,
I
tried to connect using this sequence of
commands from GSM modem:
AT#LWM2MINJKEYS=0,1,"mark123456","mark123456","0987654321"
AT#LWM2MSTS=0,999,"coaps://leshan.eclipseprojects.io:5784",1
at#reboot
AT#LWM2MENA=1
With
this sequence, I managed to connect until
Thursday after noon. In the evening I
already couldn’t connect.
I
pretty much use my GSM modem as black box,
so I can’t provide much more details. I
also don’t have Wireshark.
I’ll
try to find more information that you
asked.
Thank
you,
Mark
From:
Thomas LE ROUX [mailto:thomas.leroux@xxxxxxxx]
Sent: Monday, November 23, 2020
3:33 PM
To: leshan developer discussions <leshan-dev@xxxxxxxxxxx>
Cc: Mark Lugovskoy <mark.lugovskoy-ext@xxxxxxx>
Subject: Re: [leshan-dev] A
question regarding Leshan demo web site
There
must be something wrong with either your
computer's networking options, the
sequence of command you used,
registration to the server (wrong key,
or a device with the same identity is
registered with a wrong key. You can
check this out at
https://leshan.eclipseprojects.io/#/security) or something else.
Hi,
Is
there some problem with this server?
It should not. But you maybe found a
bug ?
Thursday I integrated in master (and
so applied on Leshan sandbox) some
commits about integration of the new
Californium version, there is maybe a
regression with this. (Californium
itself or my modifications)
This could help if you provide more
context. (which client used ? DTLS or
not ?, if DTLS, rpk psk or x509 ?
providing wireshark capture or log
could help too)
If you prefer you can use github
issue ? (Mailing list is fine too)
Simon
Le
23/11/2020 à 13:17, Mark Lugovskoy a
écrit :
Hi,
Last
week I connected with my device
successfully to the demo LESHAN
server:
https://leshan.eclipseprojects.io/#/clients.
But
since Thursday I can’t connect to
it, with the same sequence of
commands that I used before.
Is
there some problem with this
server?
Thank
you,
Mark
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/leshan-dev
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev
_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev
