Hi,
I would like to know whether it is possible to make mbedTLS work as both a DTLS client and a DTLS server on the same address/port (using PSK, RPK and X509)?
This may sound a bit strange, so I will give some context.
I'm working on the LWM2M protocol, which is based on CoAP and DTLS. LWM2M supports PSK, RPK and X509.
I'm currently looking into how to handle server failover in "server initiated mode".
Here is a brief explanation of how it works.
- The device has a static/fixed IP address/port.
- The device establishes a DTLS connection.
- The device registers with the server (the server also has a static/fixed IP address/port).
- Later, the server sends requests to a registered client.
If the server still has a DTLS connection to the device there is no issue!
Now imagine the DTLS connection is lost (e.g. crash/reboot): we still know the device address (the registration is persisted) but we no longer have any DTLS connection to it.
So a solution could be to make the server act as a DTLS client, and so the device would act as a DTLS server.
Just to let you know, the Java Scandium library from Californium can do this.
Here is a Wireshark capture done with Scandium on the device (port 36038) and server (port 5684) side (using PSK).
No. Time Source Destination SrcPort DesPort Protocol Length Info
1 0.000000000 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 133 Client Hello
2 0.000359644 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 102 Hello Verify Request
3 0.005001722 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 165 Client Hello
4 0.005626495 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 162 Server Hello, Server Hello Done
5 0.042162424 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 147 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6 0.061195906 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 109 Change Cipher Spec, Encrypted Handshake Message
7 0.062815631 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 179 Application Data (LWM2M REGISTER request from device)
8 0.081334961 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 97 Application Data (LWM2M REGISTER response from server)
9 8.483287786 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 90 Application Data (LWM2M READ request from server)
10 8.496936449 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 213 Application Data (LWM2M READ response from client)
### LWM2M Server (5684) Reboot and so lost its DTLS connection to LWM2M device (36038), ...
### ... LWM2M Server will establish a new connection and so act as a DTLS client.
11 24.079310967 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 151 Client Hello
12 24.080362291 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 102 Hello Verify Request
13 24.083452354 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 183 Client Hello
14 24.085327257 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 162 Server Hello, Server Hello Done
15 24.110637371 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 147 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
16 24.111419901 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 109 Change Cipher Spec, Encrypted Handshake Message
17 24.113519322 127.0.0.1 127.0.0.1 5684 36038 DTLSv1.2 92 Application Data (LWM2M READ request from server)
18 24.114368265 127.0.0.1 127.0.0.1 36038 5684 DTLSv1.2 108 Application Data (LWM2M READ response from client)
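The capture above shows the core problem for any single-socket implementation: the device's UDP endpoint at 36038 is in the client role for frames 1-10 and in the server role from frame 11 on, and it has to decide per datagram which DTLS context (and which role) the record belongs to. The following is an added example, not code from the original post, from mbedTLS or from Scandium: a small Python demultiplexer that parses the plaintext DTLS 1.2 record and handshake headers (RFC 6347), keys sessions by peer address, and replays the role reversal seen in the capture. The per-session crypto context (an mbedtls_ssl_context in a real port), the session/peer data structures, and the sample datagrams are assumptions constructed for the example. It also shows the caveat a practitioner wants here: an unauthenticated ClientHello from a peer you already have a session with must not tear that session down until the new handshake has completed, otherwise a single spoofed datagram is a denial of service (RFC 6347 section 4.2.8).

```python
"""Single-socket DTLS demultiplexer holding client-role and server-role
sessions keyed by peer address. Added example; parses only the cleartext
record/handshake headers, the crypto lives in a per-session context that
is not modelled here (assumption)."""
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 5246 / RFC 6347 constants
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
DTLS12 = (254, 253)       # version bytes 0xFEFD
RECORD_HDR_LEN = 13       # type(1) version(2) epoch(2) seq(6) length(2)
HANDSHAKE_HDR_LEN = 12    # msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)


@dataclass(frozen=True)
class RecordHeader:
    content_type: int
    version: tuple
    epoch: int
    sequence_number: int
    length: int
    handshake_type: Optional[int]   # only for epoch-0 (cleartext) handshake records


def parse_record_header(datagram: bytes) -> RecordHeader:
    """Parse the first record of a datagram; raise ValueError so the caller drops it."""
    if len(datagram) < RECORD_HDR_LEN:
        raise ValueError("short record header")
    ct, vmaj, vmin, epoch, seq_hi, seq_lo, length = struct.unpack(
        "!BBBHHIH", datagram[:RECORD_HDR_LEN])
    if ct not in (CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA):
        raise ValueError(f"unknown content type {ct}")
    if length > len(datagram) - RECORD_HDR_LEN:
        raise ValueError("record length exceeds datagram")
    hs_type = None
    if ct == CT_HANDSHAKE and epoch == 0:      # only epoch 0 handshake bodies are cleartext
        if length < HANDSHAKE_HDR_LEN:
            raise ValueError("short handshake header")
        hs_type = datagram[RECORD_HDR_LEN]
    return RecordHeader(ct, (vmaj, vmin), epoch, (seq_hi << 32) | seq_lo, length, hs_type)


@dataclass
class Session:                       # stand-in for the real per-peer DTLS context (assumption)
    peer: tuple
    role: str                        # "client" or "server"


class DtlsEndpoint:
    """One UDP socket, many peers: per peer at most one established session
    plus at most one pending handshake, which may run in the opposite role."""

    def __init__(self) -> None:
        self.active: dict = {}
        self.pending: dict = {}

    def connect(self, peer) -> Session:
        """Local side initiates (what the LWM2M server does after its reboot)."""
        self.pending[peer] = Session(peer, "client")
        return self.pending[peer]

    def handshake_complete(self, peer) -> Session:
        """Called once the pending context has verified the peer's Finished.
        Only now does the new session replace the old one (RFC 6347 4.2.8)."""
        session = self.pending.pop(peer)
        self.active[peer] = session
        return session

    def dispatch(self, peer, datagram: bytes) -> str:
        """Return which context the record is routed to (or why it is dropped)."""
        try:
            hdr = parse_record_header(datagram)
        except ValueError as err:
            return f"drop: {err}"
        if hdr.handshake_type == HS_CLIENT_HELLO:
            # Peer wants us in the server role. Keep any established session:
            # a ClientHello is unauthenticated and could be spoofed.
            pending = self.pending.get(peer)
            if pending is not None and pending.role != "server":
                return "drop: ClientHello during client-role handshake"
            if pending is None:
                self.pending[peer] = Session(peer, "server")
            return "pending:server"
        if peer in self.pending:
            # Remaining handshake flights go to the pending context; a MAC failure
            # there means it belonged to the still-active session (not modelled).
            return "pending:" + self.pending[peer].role
        if peer in self.active and hdr.epoch >= 1:
            return "active:" + self.active[peer].role
        return "drop: no session for record"


# Constructed sample datagrams (handshake bodies are filler, only headers are parsed)
def _record(ct, epoch, seq, body):
    return struct.pack("!BBBHHIH", ct, *DTLS12, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body)) + body

def _handshake(msg_type, body, msg_seq=0):
    return (bytes([msg_type]) + len(body).to_bytes(3, "big") + struct.pack("!H", msg_seq)
            + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big") + body)

CLIENT_HELLO = _record(CT_HANDSHAKE, 0, 0, _handshake(HS_CLIENT_HELLO, bytes(DTLS12) + b"\x00" * 38))
SERVER_HELLO = _record(CT_HANDSHAKE, 0, 1, _handshake(HS_SERVER_HELLO, bytes(DTLS12) + b"\x00" * 36))
APP_DATA_EPOCH1 = _record(CT_APPLICATION_DATA, 1, 1, b"\x00" * 24)


def run_capture_scenario() -> list:
    """Replay the capture from the device's (port 36038) point of view."""
    device, server, log = DtlsEndpoint(), ("127.0.0.1", 5684), []
    device.connect(server)                                   # frames 1-6: device is client
    log.append(device.dispatch(server, SERVER_HELLO))        # pending:client
    device.handshake_complete(server)
    log.append(device.dispatch(server, APP_DATA_EPOCH1))     # active:client (frames 7-10)
    log.append(device.dispatch(server, CLIENT_HELLO))        # frame 11: pending:server
    log.append(device.active[server].role)                   # old session survives: client
    log.append(device.dispatch(server, CLIENT_HELLO))        # frame 13 (with cookie): pending:server
    device.handshake_complete(server)                        # frame 16 verified
    log.append(device.active[server].role)                   # server
    log.append(device.dispatch(server, APP_DATA_EPOCH1))     # frame 17: active:server
    log.append(device.dispatch(("10.0.0.9", 4444), APP_DATA_EPOCH1))  # unknown peer: drop
    log.append(device.dispatch(server, b"\x17\xfe\xfd"))     # truncated: drop
    return log


if __name__ == "__main__":
    for line in run_capture_scenario():
        print(line)
```

With mbedTLS the same split applies: the application owns the UDP socket and chooses per peer whether to feed a datagram to a context configured with MBEDTLS_SSL_IS_CLIENT or one configured with MBEDTLS_SSL_IS_SERVER; the library itself does not dispatch between the two roles for you.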