-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS: wrong PSK no longer terminates connection immediately #466
Comments
From what I can tell, maybe the check for also, |
I had to think on this, but in the end I don't think that we should treat the Finished message case any differently. I found at least this related issue for openssl, where they also reject the idea: I already plan to change the default value of IgnoreCorruptDtlsRecord to true in the next major version (presumably a 3.0 release later this year). |
As I already said, I would prefer if there was a way to shorten the handshake process if the PSK is wrong. The client devices we're communicating with are pretty slow, so we can't use a lower handshake timeout. If I read the code correctly, IgnoreCorruptDtlsRecord doesn't do anything right now anyway, because the Though ultimately, it's your call to decide on an interpretation of the spec. |
During the DTLS Connection ID implementation, code was added to discard records with invalid MACs. This has the effect that connections with invalid credentials (at least when using TLS-PSK) aren't immediately terminated with a
bad_record_mac
TlsFatalAlert anymore:bc-csharp/crypto/src/tls/DtlsRecordLayer.cs
Lines 780 to 787 in 04ddd28
RFC 9146 6. "Peer Address Update" says
and RFC 7366 3. says
So while the new implementation is (in my opinion) technically correct, it is still somewhat flawed. Even when the MAC verification already fails during the handshake (i.e. when receiving the
finished
message), the packets are just discarded instead of returning a TlsFatalAlert. Clients with invalid credentials now have to wait (and usually resend multiple times) until they run into a timeout, instead of immediately getting the information that their credentials are invalid.I think during the handshake,
bad_record_mac
alerts should still be thrown.The text was updated successfully, but these errors were encountered: