The cookie exchange initiated by HelloVerifyRequest, described in section 4.2.1 of RFC 6347, is essential to DoS protection in DTLS. Unless I'm overlooking something, the WolfSSL documentation does not really describe how to enable this cookie exchange with its DTLS implementation.

The closest I can find is the function wolfSSL_send_hrr_cookie, about which the manual states:

    This function is called on the server side to indicate that a HelloRetryRequest message must contain a Cookie. The Cookie holds a hash of the current transcript so that another server process can handle the ClientHello in reply. The secret is used when generating the integrity check on the Cookie data.

As far as I understand, HelloRetryRequest (compare HelloVerifyRequest) is TLS 1.3 terminology. DTLS 1.3 is not finalized. How does one enable and control the DTLS 1.0/1.2 cookie exchange in WolfSSL?
question from:
https://stackoverflow.com/questions/65940078/dtls-helloverifyrequest-helloretryrequest-in-wolfssl
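The RFC 6347 section 4.2.1 mechanism the question refers to, as an added Python example that is not part of the question and does not use wolfSSL's API: a stateless HelloVerifyRequest cookie computed as HMAC(Secret, Client-IP, Client-Parameters), so the server commits no per-client state until the client has proven it can receive at its claimed address. The client address and ClientHello parameter bytes are constructed sample values; the secret-rotation scheme is an assumption, not something the RFC mandates.

```python
import hashlib
import hmac
import os


class DtlsCookieServer:
    """Stateless HelloVerifyRequest cookies (RFC 6347, section 4.2.1).

    Cookie = HMAC(Secret, Client-IP, Client-Parameters). The current and the
    previous secret are both accepted, so rotating the secret does not reject a
    client that received its cookie just before the rotation (assumed policy).
    """

    def __init__(self, secret=None):
        self.secrets = [secret or os.urandom(32)]

    def rotate_secret(self):
        # Keep exactly one old secret; anything older is no longer accepted.
        self.secrets = [os.urandom(32), self.secrets[0]]

    @staticmethod
    def _mac(secret, client_addr, client_params):
        # HMAC-SHA256 yields 32 bytes, the maximum cookie length DTLS 1.0 allows.
        msg = client_addr.encode() + b"\x00" + client_params
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def make_cookie(self, client_addr, client_params):
        return self._mac(self.secrets[0], client_addr, client_params)

    def verify_cookie(self, client_addr, client_params, cookie):
        # Constant-time comparison against every still-valid secret.
        return any(hmac.compare_digest(self._mac(s, client_addr, client_params), cookie)
                   for s in self.secrets)


def handle_client_hello(server, client_addr, client_params, cookie=b""):
    """Return ("HelloVerifyRequest", cookie) or ("ServerHello", None)."""
    if cookie and server.verify_cookie(client_addr, client_params, cookie):
        return "ServerHello", None  # address verified; allocate state now
    return "HelloVerifyRequest", server.make_cookie(client_addr, client_params)


# Constructed sample: DTLS 1.2 version bytes, a fake 32-byte random, one cipher suite.
SAMPLE_CLIENT_PARAMS = b"\xfe\xfd" + bytes(range(32)) + b"\xc0\x2b"

if __name__ == "__main__":
    srv = DtlsCookieServer()
    msg, cookie = handle_client_hello(srv, "192.0.2.10:5000", SAMPLE_CLIENT_PARAMS)
    print(msg, cookie.hex())
    print(handle_client_hello(srv, "192.0.2.10:5000", SAMPLE_CLIENT_PARAMS, cookie)[0])
```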