Arm Mbed and Pelion Device Management support forum

Resumed TLS session with DTLSSockets

I’m using a DTLSSocket on the client side to talk to a server over DTLS. I would like to resume the DTLS session after a device power-down/power-up without performing a full DTLS handshake.

I can see from the ssl_client2.c example how to do this using the Mbed TLS API. But I did not find a way to resume a session using the higher level socket that encapsulates the handling of the TLS API.

Any Idea?

Thanks
Andre

Hi @andresprenger
The session resumption is used to resume a previously established TLS session.
The previously session information is stored in some Non Volatile memory, where you load it when you want to resume a session.
On the transport layer side ( DTLSSocket in your case), you will just need to create a new socket, connect it to the server and configure it as required(as shown in your example).
It doesn’t need to be same socket that was used previously, as it doesn’t hold any DTLS information.
regards,
Mbed Support
Ron

Hi Ron,
thanks for your reply. I understand the outline you are describing.

My issue is specific about how to accomplish this with a DTLSSocket because the current codebase is based on this. The DTLSSocket encapsulates the calls to Mbed TLS and is a lot easier to use.

Looking at the codebase the DTLSSocket delegates most work to the TLSSocketWrapper. TLSSocketWrapper::connect() calls [TLSSocketWrapper::start_handshake()] (https://github.com/ARMmbed/mbed-os/blob/ac21ee90a88ef6530a173b27d91ff91b6fe956dd/features/netsocket/TLSSocketWrapper.cpp#L162) that does the call to mbedtls_ssl_setup(). Next it calls TLSSocketWrapper::continue_handshake() that does the call to mbedtls_ssl_handshake().

If my understanding is correct I would need to call mbedtls_ssl_set_session() with the restored session between the mbedtls_ssl_setup() and mbedtls_ssl_handshake() calls. The DTLSSocket code does not seem to support this.

I thought there might be some callback function in Mbed TLS I could hook into to set the session but did not find anything.

Thanks
Andre

Hi Andre,
I apologize for confusion.
Yes, the DTLS socket encapsulates the calls to Mbed TLS.
If I am not mistaking, DtlsSocket (not TlsSocket) don’t support this feature, you may want to add a feature request for this.
However, you may consider combining the Two functionalities:

mbedtls_ssl_set_session(dtlsSocket-> get_ssl_context	(), saved_session);

Regards

Right.

dtlsSocket-> get_ssl_context() is the backdoor the API opens up to interact with the the Mbed TLS code.

Your idea is good but I do not see where in the workflow I would place the mbedtls_ssl_set_session(). The only positions that would make sense for me would be right before or after the call to DTLSSocket::connect() (that delegates to TLSSocketWrapper::start_handshake()).

In the first case the saved session would be overwritten by mbedtls_ssl_setup() in TLSSocketWrapper::start_handshake(). In the second case mbedtls_ssl_set_session() would be called after the regular handshake and would corrupt the established session.

Is there something I’m missing here?

Hi @andresprenger

You are not missing anything. You are correct, and with current implementation, session resumption cannot be used, unfortunately.
I would suggest you add a feature request for this.
Regards