Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version Downgrade during the Handshake #209

Closed
bathooman opened this issue Sep 28, 2023 · 4 comments
Closed

Version Downgrade during the Handshake #209

bathooman opened this issue Sep 28, 2023 · 4 comments
Labels
available on develop Mark PRs (pre-)available only on develop bug Something isn't working please retest Please retest the related PR or commit, if that works for you

Comments

@bathooman
Copy link

During our tests, we noticed that the handshake could continue if the server chooses to use a lower version of the protocol compared to the version used in earlier records through the handshake. I will try to clarify this through an example:

During the handshake, when the server sends the ServerHello message, it uses DTLS 1.2 as the record version. Now if in the following record containing the ServerHelloDone message, the server chooses to use DTLS 1.0 as the record version, the handshake continues without interruption. Although the security implications of this are unknown (or none in the case of TinyDTLS), I believe it is still good practice to abort when a version downgrade occurs. For example, OpenSSL aborts the handshake in such a scenario. An example of such a downgrade can be found in the attached PCAP file.

tinydtls-0.zip
@boaks
Copy link
Contributor

boaks commented Sep 28, 2023

Thanks for reporting.
I will look into this tomorrow.

boaks added a commit to boaks/tinydtls that referenced this issue Sep 29, 2023
@boaks
dtls.c: add check for valid handshake message type when version is 1.0.
4afb371 
Fixes issue eclipse#209.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
@boaks boaks mentioned this issue Sep 29, 2023
Merged
@boaks
Copy link
Contributor

boaks commented Sep 29, 2023

If possible, please test, if PR #210 works for you.

@boaks boaks added bug Something isn't working please retest Please retest the related PR or commit, if that works for you labels Sep 29, 2023
boaks added a commit to boaks/tinydtls that referenced this issue Dec 22, 2023
@boaks
dtls.c: add check for valid handshake message type when version is 1.0.
6cf43c0 
Fixes issue eclipse#209.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
@boaks boaks added the available on develop Mark PRs (pre-)available only on develop label Feb 7, 2024
boaks added a commit that referenced this issue May 12, 2024
@boaks
dtls.c: add check for valid handshake message type when version is 1.0.
a83514b 
Fixes issue #209.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
@boaks
Copy link
Contributor

boaks commented May 12, 2024

The fix is merged.
OK to close?

@bathooman
Copy link
Author

Thanks for the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
available on develop Mark PRs (pre-)available only on develop bug Something isn't working please retest Please retest the related PR or commit, if that works for you
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bathooman @boaks