aiocoap-client with DTLS is broken #167

Closed
pokgak opened this issue Aug 26, 2019 · 11 comments

@pokgak
Contributor

pokgak commented Aug 26, 2019

Using aiocoap-client to connect with a libcoap server as described in the documentation (plus a small modification on how to run the libcoap server instructions #168), the client keeps on sending ClientHello, even though the server already responded with a HelloVerifyRequest.

Wireshark also shows that DTLS 1.0 is used instead of DTLS 1.2.

aiocoap-dtls-log

With the --verbose flag I got this output on the client:

pi@coaptest:~/aiocoap $ ./aiocoap-client --verbose coaps://localhost --credentials testserver.json
INFO:coap:Retransmission, Message ID: 33070.
INFO:coap:Retransmission, Message ID: 33070.
INFO:coap:Retransmission, Message ID: 33070.
INFO:coap:Retransmission, Message ID: 33070.
INFO:coap:Exchange timed out

I'm using aiocoap-version: aiocoap-client 0.4a1.post0 and the latest libcoap from the develop branch, built with the --with-tinydtls flag set.

@chrysn chrysn closed this as completed in d9cbf49 Aug 26, 2019
@chrysn
Owner

chrysn commented Aug 26, 2019

The DTLS version thing I've also seen in previous tests, but that appears to be harmless (or an artifact of DTLS's version negotiation). Thanks for pointing this out and providing a patch (ref #168) faster than I could respond! :-)

@pokgak
Contributor Author

pokgak commented Aug 26, 2019

This issue is not solved yet because #168 is not a fix for this issue. I forgot to mention that I already made the change before testing. Sorry for the inconvenience.

@pokgak
Contributor Author

pokgak commented Aug 27, 2019

> The DTLS version thing I've also seen in previous tests, but that appears to be harmless (or an artifact of DTLS's version negotiation)

Apparently, this is not the case. I found out that the aiocoap-client does not respond to the HelloVerifyRequest from the server because it failed in the minimum DTLS version check done by tinydtls. This causes it to stop processing the handshake packets. Commenting out the check, the handshake is successful and weirdly, Wireshark now also shows the correct DTLS version number.

This check is done in the function is_record() in dtls.c of the tinydtls repo if you want to look at it.
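As an added illustration (not code from this thread and not tinydtls's is_record()), the sketch below shows the kind of record-header minimum-version check described in the comment above, and how a strict DTLS 1.2 minimum discards a record that carries the DTLS 1.0 version bytes. The function names, the verdict enum and the sample HelloVerifyRequest bytes are constructed for this example; that the dropped record carried version 1.0 is an assumption based on the Wireshark observation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DTLS record header (RFC 6347, 4.1), 13 bytes:
 * type(1) version(2) epoch(2) sequence_number(6) length(2) */
#define DTLS_RH_LEN 13
#define DTLS_V10 0xFEFF /* DTLS 1.0 */
#define DTLS_V12 0xFEFD /* DTLS 1.2 */

enum verdict { REC_ACCEPT, REC_TOO_SHORT, REC_BAD_TYPE, REC_OLD_VERSION, REC_TRUNCATED };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* DTLS versions are one's-complement encoded: a newer version is numerically
 * smaller, so "at least min" means v <= min within the 0xFE major range. */
int version_at_least(uint16_t v, uint16_t min) {
    return (v >> 8) == 0xFE && v <= min;
}

/* Hypothetical receive-path filter: returns why a datagram is accepted or dropped. */
enum verdict check_record(const uint8_t *buf, size_t len, uint16_t min_version) {
    if (len < DTLS_RH_LEN) return REC_TOO_SHORT;
    if (buf[0] < 20 || buf[0] > 23) return REC_BAD_TYPE; /* CCS, alert, handshake, app data */
    if (!version_at_least(be16(buf + 1), min_version)) return REC_OLD_VERSION;
    if ((size_t)be16(buf + 11) > len - DTLS_RH_LEN) return REC_TRUNCATED;
    return REC_ACCEPT;
}

/* Constructed sample: a HelloVerifyRequest record with version DTLS 1.0 in the
 * record header and in server_version (RFC 6347, 4.2.1 recommends 1.0 for
 * server_version); the 4-byte cookie is a placeholder. */
const uint8_t SAMPLE_HVR[] = {
    0x16, 0xFE, 0xFF, 0x00, 0x00,             /* handshake, DTLS 1.0, epoch 0 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,       /* sequence number 0 */
    0x00, 0x13,                               /* fragment length 19 */
    0x03, 0x00, 0x00, 0x07, 0x00, 0x00,       /* hello_verify_request, len 7, seq 0 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x07,       /* fragment offset 0, length 7 */
    0xFE, 0xFF, 0x04, 0xAA, 0xBB, 0xCC, 0xDD  /* server_version 1.0, cookie */
};

int main(void) {
    /* A strict 1.2 floor drops the record; a 1.0 floor lets the handshake go on. */
    printf("min 1.2 -> %d\n", check_record(SAMPLE_HVR, sizeof SAMPLE_HVR, DTLS_V12));
    printf("min 1.0 -> %d\n", check_record(SAMPLE_HVR, sizeof SAMPLE_HVR, DTLS_V10));
    return 0;
}
```

A drop of this kind is silent on the wire, which matches the symptom in the issue: the peer sees only ClientHello retransmissions until the exchange times out.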

@pokgak
Contributor Author

pokgak commented Aug 27, 2019

Found the fix :)

It is caused by a bug in an older version of tinydtls which is fixed in eclipse/tinydtls@3beeca9. I confirmed this by rebuilding DTLSSocket locally using that commit for the tinydtls repo. With it the handshake is successful and aiocoap-client can send and receive correctly using the example provided in the documentation.

That said, this issue can stay closed but we'll need to contact DTLSSocket upstream to update their tinydtls repo to fix the problem.

Edit: Tested using commit eclipse/tinydtls@3beeca9.

@chrysn
Owner

chrysn commented Aug 28, 2019

Reopening as a reminder to bump the dependency. (Given the wrapper's distribution, it's fair to assume that users of latest aiocoap can upgrade tinydtls, and without a dependency on a fixed version I anticipate this will wind up here again.)

Thanks for tracking this down!

@chrysn chrysn reopened this Aug 28, 2019
@pokgak
Contributor Author

pokgak commented Aug 28, 2019

Just a side note: I tried with tinydtls develop branch (eclipse/tinydtls@494a40d) too and aiocoap-client fails with error:

Traceback (most recent call last):
  File "./aiocoap-client", line 9, in <module>
    aiocoap.cli.client.sync_main()
  File "/home/pi/aiocoap/aiocoap/cli/client.py", line 348, in sync_main
    asyncio.get_event_loop().run_until_complete(single_request(args))
  File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
    return future.result()
  File "/home/pi/aiocoap/aiocoap/cli/client.py", line 269, in single_request
    response_data = await requester.response
  File "/home/pi/aiocoap/aiocoap/protocol.py", line 718, in _run_outer
    await cls._run(app_request, response, weak_observation, protocol, log)
  File "/home/pi/aiocoap/aiocoap/protocol.py", line 743, in _run
    await protocol.find_remote_and_interface(app_request)
  File "/home/pi/aiocoap/aiocoap/protocol.py", line 295, in find_remote_and_interface
    raise RuntimeError("No request interface could route message")
RuntimeError: No request interface could route message

@chrysn
Owner

chrysn commented Sep 2, 2019

@kabel42, it seems I still can't create an account with https://git.fslab.de/jkonra2m/tinydtls-cython -- could you release an updated DTLSSocket version that uses a recent tinydtls version?

@kabel42

kabel42 commented Sep 2, 2019

sorry, didn't notice there were new commits in the repo.
0.1.10 should now be on PyPI with newest upstream

@chrysn
Owner

chrysn commented Sep 3, 2019

That did not help, and I just checked the versions involved. The fixing commit eclipse/tinydtls@3beeca9 is not in tinydtls' master yet -- sorry, my "a recent tinydtls version" statement was wrong.

@kabel42, would you consider publishing a version based on their develop branch? I'm just tracking down the "No request interface could route message" error, it basically is a consequence of errors during module import (there was some restructuring in the tinydtls library, and the wrapper doesn't build all symbols yet), and is fixed by

diff --git a/DTLSSocket/tinydtls b/DTLSSocket/tinydtls
index 8414f8a..9a34961 160000
--- a/DTLSSocket/tinydtls
+++ b/DTLSSocket/tinydtls
@@ -1 +1 @@
-Subproject commit 8414f8ace98bab1f835b494c85e3a6d8144341c9
+Subproject commit 9a3496119688047b6d8b79826f13425397d92e10
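Review bot: The new pointer on the +Subproject commit line is a bare hash, so the change does not record which tinydtls branch 9a3496119688047b6d8b79826f13425397d92e10 belongs to or whether it contains the version-check fix eclipse/tinydtls@3beeca9 discussed earlier in this thread. State both in the commit message, and keep the pointer on a commit that upstream will keep reachable, since the wrapper release is built from exactly this revision.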
diff --git a/setup.py b/setup.py
index 7eafd21..d1e4062 100644
--- a/setup.py
+++ b/setup.py
@@ -45,7 +45,8 @@ setup(
                  "DTLSSocket/tinydtls/peer.c",
                  "DTLSSocket/tinydtls/session.c",
                  "DTLSSocket/tinydtls/aes/rijndael.c",
-                 "DTLSSocket/tinydtls/sha2/sha2.c"
+                 "DTLSSocket/tinydtls/sha2/sha2.c",
+                 "DTLSSocket/tinydtls/platform-specific/dtls_prng_posix.c",
                  ],
                 include_dirs=['DTLSSocket/tinydtls'],
                 define_macros=[('DTLSv12', '1'),
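Review bot: The added source "DTLSSocket/tinydtls/platform-specific/dtls_prng_posix.c" is listed unconditionally in the sources list, so every build of the extension compiles the POSIX variant regardless of the target platform. Going by its name this file provides the PRNG for the DTLS stack, so select it by platform in setup.py (or fail with a clear message on non-POSIX targets) and add a short comment saying why the file is needed after the tinydtls restructuring.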

@chrysn
Owner

chrysn commented Sep 3, 2019

Current aiocoap master now depends on a new version and works with libcoap's example server.

Thank you both for your valuable inputs and quick response times.

@pokgak, out of curiosity, does that mean aiocoap can be used straightforward with RIOT-OS/RIOT#12104?

@chrysn
Owner

chrysn commented Sep 5, 2019

… and confirmed working with current RIOT-OS/RIOT#12104 :-D
