Scandium fails to process DTLS some handshakes #592

Closed
LudwigSeitz opened this issue Mar 20, 2018 · 17 comments

@LudwigSeitz

This issue applies to both 1.0.6 and to 2.0.0-M7, it probably applies to other versions as well.

I have a failure to process the following DTLS handshake using PSK:

Client Hello
Hello Verify Request
Client Hello
Server Hello, Server Hello Done
Client key Exchange
Change Cipher Spec
Encrypted Handshake Message

Note how the Client key Exchange, Change Cipher Spec and Encrypted Handshake Message are not sent in the same message. The handshake works if they are, but the DTLS spec. allows sending them in separate messages.
I am not sure that this is the problem but so far it looks like the only difference, and I have two other DTLS implementations next to me communicating just fine with one another (but not with me).

@boaks
Contributor

boaks commented Mar 21, 2018

Would it be possible to get the wireshark logs?
And the californium/scandium logs?

@LudwigSeitz
Author

I will try to produce them today.
However I need a bit of help to get the scandium logging going, I've tried
Logger logger = Logger.getLogger(Logger.GLOBAL_LOGGER_NAME);
logger.setLevel(Level.ALL);
but that gave me zip.

@boaks
Contributor

boaks commented Mar 21, 2018

The logging was changed last year to slf4j.
In tests and the demos it's bundled with logback.

Using

-Dlogback.configurationFile=/path/to/config.xml

you can provide your own logback config.

<configuration>

	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
		<!-- encoders are assigned the type ch.qos.logback.classic.encoder.PatternLayoutEncoder 
			by default -->
		<encoder>
			<pattern>%d{HH:mm:ss.SSS} %level [%logger{0}]: %msg \(%class{25}.%method:%line\)%n</pattern>
		</encoder>
	</appender>

	<logger name="org.eclipse.californium.scandium" level="TRACE" additivity="false">
		<appender-ref ref="STDOUT" />
	</logger>

	<root level="WARN">
		<appender-ref ref="STDOUT" />
	</root>

</configuration>

would enable the scandium logging.

@LudwigSeitz
Author

Just for posterity: I also needed to do:
BasicConfigurator.configure();

to get the goodness running.

@boaks
Contributor

boaks commented Mar 21, 2018

BasicConfigurator.configure();

What's that?

@LudwigSeitz
Author

It is apparently needed to initialize Log4j. Otherwise the outputs go to /dev/null in my deployment.

@LudwigSeitz
Author

I cannot attach the logs. I've put them here:
https://drive.google.com/file/d/176fbx6T1X-yFd7D1uVliiebUq7KR0Lvu/view?usp=sharing

@boaks
Contributor

boaks commented Mar 21, 2018

dtls.zip

Just use drag and drop to attach files :-)
On my side it works, I will check your files ...

@boaks
Contributor

boaks commented Mar 21, 2018

Just as a hint for further logs:

If you filter the packets in wireshark using "dtls" and then "file -> export specified packets ..." you can easily export just the relevant set of messages.

The message 51852 client => server contains 3 handshake messages (identity clientA).
From that on, the client just repeats them.

Your scandium log shows:

179569 Discarding Handshake (22) record from peer [/31.133.134.176:55480]: MAC validation failed

So I guess, you use different PSK secret keys. Sometimes the secret key must be provided direct or as hex or as base64. So can you check, which bytes scandium is using for the secret key?

@LudwigSeitz
Author

I'm getting "Something went really wrong, and we can't process that file."

@boaks
Contributor

boaks commented Mar 21, 2018

My dtls.zip?

@boaks
Contributor

boaks commented Mar 21, 2018

Or when you drag and drop?

@boaks
Contributor

boaks commented Mar 21, 2018

Anyway, please check the bytes used by your secret key.

@LudwigSeitz
Author

When I try to select the zip (not using dnd).

I'm checking the PSK as we speak.

@LudwigSeitz
Author

PSK confirmed to be same on both sides.
( the very uniformly random: [97, 98, 99, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16] btw.)

@LudwigSeitz
Author

hold on, someone has been doing a your-hex-is-my-string-which-gives-me another-hex conversion ....
Sorry for the hassle.

@boaks
Contributor

boaks commented Mar 21, 2018

:-) That approach is one of the favourites for failures in PSK :-)
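
The encoding mix-up that resolved this issue, as an added example that is not part of the thread and not Scandium code: it lists the byte arrays one configured PSK text can turn into (raw string, hex, base64, hex re-read as a string) and marks the one the peer actually uses. The class name `PskEncodingCheck`, the key text and the peer key are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Californium/Scandium code): show every key a single
// configured PSK text can decode to, and which one the peer is using.
public class PskEncodingCheck {

    static byte[] fromHex(String s) {
        if (s.length() % 2 != 0 || !s.matches("[0-9a-fA-F]*")) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromBase64(String s) {
        try { return Base64.getDecoder().decode(s); }
        catch (IllegalArgumentException e) { return null; }
    }

    // Every interpretation of the configured text that yields a usable key.
    static Map<String, byte[]> interpretations(String configured) {
        Map<String, byte[]> m = new LinkedHashMap<>();
        byte[] raw = configured.getBytes(StandardCharsets.UTF_8);
        m.put("raw string bytes", raw);
        m.put("hex decoded", fromHex(configured));
        m.put("base64 decoded", fromBase64(configured));
        m.put("hex text re-read as a string", toHex(raw).getBytes(StandardCharsets.UTF_8));
        m.values().removeIf(v -> v == null);   // drop encodings that do not parse
        return m;
    }

    public static void main(String[] args) {
        String configured = "0102030405060708";   // constructed sample key text
        // Constructed peer behaviour: it treated the hex text as a plain string.
        byte[] peerKey = configured.getBytes(StandardCharsets.UTF_8);
        interpretations(configured).forEach((name, key) ->
            System.out.printf("%-30s %2d bytes %s%s%n", name, key.length, toHex(key),
                Arrays.equals(key, peerKey) ? "  <-- matches peer" : ""));
    }
}
```

The same text gives 8, 12, 16 or 32 key bytes depending on the reading, so comparing the decoded byte arrays (not the configured strings) on both peers is the check that separates a key mismatch from a handshake-flight problem.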
