-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS server does not handle retransmits of the client's last flight #479
Comments
We think we have the same problem as this. In our case the server is pion/dtls and the client is an embedded device communicating over cellular (e.g. NB-IoT). The client occasionally seems to miss the server's Hello Verify Request message and retransmits its Client Hello (with sequence number 0). The server ignores this as duplicate packet (see logs below) and doesn't send a new Hello Verify Request. Attached the Wireshark captures. (In this case I'm not sure whether the replay should stop this packet or whether the handshake should continue with a new server Hello Verify Request after the client hello on no. 12.) Hope this helps analysing this issue. Server log retransmissions
Server log normal connection
|
My problem may also be related to this issue. According to RFC6347 section 4.2.8,
However, it appears that the server does not respond to ClientHello with existing parameters. These are log screenshots on the client. ClientHello (10.254.0.162:49157 -> 100.66.1.41:23088)No.34: ClientHello (10.254.0.162:49157 -> 100.66.1.41:23088) ClientHello with existing parameters (10.254.0.162:49157 -> 100.66.1.41:23088): **problem phase**No.72-: ClientHello with existing parameters (10.254.0.162:49157 -> 100.66.1.41:23088; ignored) |
Your environment.
What did you do?
Run example PSK listener from https://github.com/mniestroj/pion-dtls/tree/handshake-not-finishing, which contains some adjustments for mbedTLS client that I use. Also the retransmit timer was extended from 1s to 30s to help reproduce the issue.
Communication was done on tun/tap interface, because it actually happens between virtual machine (QEMU) and host. In order to simulate packet loss, following command was executed on host:
which basically makes 75% of the packets to be dropped, which is great way to test handshake retransmission mechanisms (and reproduce this bug).
What did you expect?
Server should follow DTLS spec, which says: "the node that transmits the last flight MUST respond to a retransmit of the peer's last flight with a retransmit of the last flight". This means that server should respond to client retransmissions, as the handshake was not complete from the client point of view (due to packet loss).
Server thinks that handshake has completed. This is not true, because mbedTLS client did not receive the last message from server, so it keeps retransmitting previous message.
According to https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.4:
What happened?
Server ignores client retransmissions. This can be seen on wireshark logs (screen) above.
The text was updated successfully, but these errors were encountered: