Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
214 views
in Technique[技术] by (71.8m points)

denial of service - DTLS `HelloVerifyRequest`/`HelloRetryRequest` in WolfSSL

The cookie exchange initiated by HelloVerifyRequest described in section 4.2.1 of RFC 6347 is essential to DoS-protection in DTLS. Unless I'm overlooking something, the WolfSSL documentation does not really describe how to enable this cookie exchange with its DTLS implementation.

The closest I can find is the function wolfSSL_send_hrr_cookie, about which the manual states:

This function is called on the server side to indicate that a HelloRetryRequest message must contain a Cookie. The Cookie holds a hash of the current transcript so that another server process can handle the ClientHello in reply. The secret is used when generting the integrity check on the Cookie data.

As far as I understand, the HelloRetryRequest (compare HelloVerifyRequest) is TLS 1.3 terminology. DTLS 1.3 is not finalized. How does one enable and control the DTLS 1.0/1.2 cookie exchange in WolfSSL?

question from:https://stackoverflow.com/questions/65940078/dtls-helloverifyrequest-helloretryrequest-in-wolfssl

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The DTLS Hello Cookie is enabled by default. The wolfSSL server code uses the callback function EmbedGenerateCookie() in the file src/wolfio.c to generate the cookie per the recommendation in RFC 6347 §4.2.1.

TLSv1.3's hrr_cookie is something else unrelated.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...