SecureTransport/DTLS: cookies

Hi,


I'm trying to implement a DTLS server using SecureTransport. I've noticed that even if I set a cookie on the server side using SSLSetDatagramHelloCookie, it's not used at all - Wireshark shows me that upon receiving 'client hello' my server immediately sends 'server hello' with certificate etc. This is not how DTLS with cookies enabled is supposed to work (and this is NOT how an OpenSSL-based server works). I can see in ST's source that it is setting ctx->dtlsCookie, I can also see in coreTLS (in SSL handshake) that it can send a cookie and client hello verify message. But actual framework I have on my macOS is apparently different.

Am I missing something?

> But actual framework I have on my macOS is apparently different.

Well, first things first, what version of macOS are you testing this on?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have macOS 10.13.1 Beta. Security Framework's version is 7.0 (from the "About this Mac -> System Report").

Accepted Answer

I’m pretty sure that this is a bug. If you look at the code you’ll see that SSLSetDatagramHelloCookie is referencing dtlsCookie in SSLContextRef whereas the routines in sslHandshakeHello.c are referencing the same named field in tls_handshake_t and, alas, there’s nothing connecting those two things together.

You should definitely file a bug report about this. Please post your bug number, just for the record.

I can’t see any way to work around this while staying with Secure Transport )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks.


I've created a bug report (but had a problem with code attachment - it's actually quite complex to extract the minimal example, hopefully they can use dtlsEcho example to test). The number, if I understand correctly, is 35644307.
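
The check done by eye in Wireshark in this thread, as an added example (not code from the thread, from Apple or from coreTLS): it classifies the first handshake message in a server's reply datagram as HelloVerifyRequest (cookie exchange in effect) or ServerHello (cookie skipped). The record and handshake header layouts are those of DTLS 1.0/1.2; the function name, enum and sample datagrams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum first_flight { FLIGHT_MALFORMED = -1, FLIGHT_OTHER, FLIGHT_HELLO_VERIFY, FLIGHT_SERVER_HELLO };

#define REC_HDR 13 /* type(1) version(2) epoch(2) seq(6) length(2) */
#define HS_HDR  12 /* msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3) */

/* Classify the first handshake message in the server's reply datagram.
 * For a HelloVerifyRequest, *cookie_len receives the cookie length. */
enum first_flight classify_first_flight(const uint8_t *d, size_t n, size_t *cookie_len)
{
    *cookie_len = 0;
    /* DTLS 1.0/1.2 record versions are 0xFEFF / 0xFEFD */
    if (n < REC_HDR + HS_HDR || d[1] != 0xFE) return FLIGHT_MALFORMED;
    /* only a cleartext (epoch 0) handshake record (type 22) is of interest */
    if (d[0] != 22 || d[3] != 0 || d[4] != 0) return FLIGHT_OTHER;
    size_t rec_len = ((size_t)d[11] << 8) | d[12];
    if (rec_len < HS_HDR || rec_len > n - REC_HDR) return FLIGHT_MALFORMED;
    const uint8_t *hs = d + REC_HDR;
    size_t frag_len = ((size_t)hs[9] << 16) | ((size_t)hs[10] << 8) | hs[11];
    if (frag_len > rec_len - HS_HDR) return FLIGHT_MALFORMED;
    if (hs[0] == 2) return FLIGHT_SERVER_HELLO;   /* no cookie round trip */
    if (hs[0] != 3) return FLIGHT_OTHER;          /* 3 = HelloVerifyRequest */
    const uint8_t *body = hs + HS_HDR;            /* server_version(2) cookie_len(1) cookie */
    if (frag_len < 3 || (size_t)body[2] > frag_len - 3) return FLIGHT_MALFORMED;
    *cookie_len = body[2];
    return FLIGHT_HELLO_VERIFY;
}

/* Constructed sample datagrams, not captured traffic. */
static const uint8_t SAMPLE_HVR[] = {            /* HelloVerifyRequest, 4-byte cookie */
    0x16, 0xFE, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x13,
    0x03, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 7,
    0xFE, 0xFF, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t SAMPLE_SH[REC_HDR + HS_HDR + 38] = {  /* ServerHello, zeroed body */
    0x16, 0xFE, 0xFD, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x32,
    0x02, 0, 0, 38, 0, 0, 0, 0, 0, 0, 0, 38, 0xFE, 0xFD };

int main(void)
{
    size_t c;
    int r = classify_first_flight(SAMPLE_HVR, sizeof SAMPLE_HVR, &c);
    printf("cookie exchange reply: result=%d cookie_len=%zu\n", r, c);
    r = classify_first_flight(SAMPLE_SH, sizeof SAMPLE_SH, &c);
    printf("immediate ServerHello: result=%d cookie_len=%zu\n", r, c);
    return 0;
}
```

A server that answers a cookie-less ClientHello with FLIGHT_SERVER_HELLO is committing handshake state and sending its certificate flight to an unverified source address, which is the behaviour the cookie exchange exists to prevent.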
