Add support for DTLS 1.3 (`DTLSv1.3`) through `SSLContext` / `SSLEngine` #254

cconlon · 2025-02-14T23:46:13Z

This PR adds DTLS 1.3 support to the wolfJSSE SSLContext class, for use through the SSLEngine interface. SunJSSE supports up to DTLS 1.2 through the SSLEngine interface, so we are matching similar behavior here for DTLS 1.3.

To support this addition, this PR also makes the following changes:

Adds DTLS 1.3 to the thin JNI-only layer
Wraps wolfSSL_DisableExtendedMasterSecret()
Adds support for the Java system property: jdk.tls.useExtendedMasterSecret for enabling or disabling the TLS Extended Master Secret (EMS) extension. Enabled by default unless explicitly disabled.
Wraps wolfSSL_send_hrr_cookie() in WolfSSLSession.sendHrrCookie() for enabling HelloRetryRequest use in SSLEngine DTLS support.
Wraps wolfSSL_dtls_get_drop_stats() for use in SSLEngine DTLS detection of dropped packets to properly set BUFFER_UNDERFLOW status.
Wrap wolfSSL_set_SessionTicket_cb() and add session ticket callback support to SSLEngine for detection of ticket being received.

wolfSSL Configuration

When testing this work, wolfSSL was configured using:

./configure --enable-jni --enable-dtls --enable-dtls13 --enable-dtls-mtu --enable-hrrcookie --enable-debug CFLAGS="-DWOLFSSL_DTLS_DROP_STATS"

Native wolfSSL's build option for --enable-jni will be updated to include these definitions by default, with wolfSSL/wolfssl#8481.

Testing

Simple JUnit tests for SSLEngine DTLSv1.3 have been added with this PR. This has also been tested against modified versions of the SunJSSE DTLS tests, specifically:

Passed: javax/net/ssl/DTLS/CipherSuite.java
Passed: javax/net/ssl/DTLS/ClientAuth.java
Passed: javax/net/ssl/DTLS/DTLSBufferOverflowUnderflowTest.java
Passed: javax/net/ssl/DTLS/DTLSDataExchangeTest.java
Passed: javax/net/ssl/DTLS/DTLSEnginesClosureTest.java
Passed: javax/net/ssl/DTLS/DTLSHandshakeTest.java
Passed: javax/net/ssl/DTLS/DTLSHandshakeWithReplicatedPacketsTest.java
Passed: javax/net/ssl/DTLS/DTLSIncorrectAppDataTest.java
Passed: javax/net/ssl/DTLS/DTLSNotEnabledRC4Test.java
Passed: javax/net/ssl/DTLS/DTLSOverDatagram.java
Passed: javax/net/ssl/DTLS/DTLSUnsupportedCiphersTest.java
Passed: javax/net/ssl/DTLS/InvalidCookie.java
Passed: javax/net/ssl/DTLS/PacketLossRetransmission.java
Passed: javax/net/ssl/DTLS/Reordered.java
Passed: javax/net/ssl/DTLS/RespondToRetransmit.java
Passed: javax/net/ssl/DTLS/Retransmission.java

A PR to the testing repo has been opened here: https://github.com/wolfSSL/testing/pull/844. A nightly Jenkins test will be created based on the test script in that PR.

Examples

JNI-level example client and server can be run with DTLS 1.3 support using:

$ ant examples
$ ./examples/server.sh -u -v 4
$ ./examples/client.sh -u -v 4

Future Work

Add JSSE level example client/server that supports DTLS 1.3
Add SSLContext('DTLS') general mapping
Add SSLContext('DTLSv1.2') for DTLS 1.2 support
Add support for "special" features of DTLS 1.3, this PR brings in basic functionality

… System property jdk.tls.useExtendedMasterSecret

…ng WolfSSLEngine handshakeFinished to true

…kie(), enable HelloRetryRequest in SSLEngine DTLS

… DTLS dropped packet detection for BUFFER_UNDERFLOW status

…lback to SSLEngine for detection of ticket received

… error state is not fatal

cconlon self-assigned this Feb 14, 2025

cconlon force-pushed the dtls branch 2 times, most recently from 13288e4 to 61fa093 Compare February 15, 2025 00:14

cconlon added 6 commits February 17, 2025 10:53

JNI: add DTLS 1.3 to JNI-only layer

36a1057

JSSE: add initial SSLEngine support for DTLSv1.3

372ef97

JNI/JSSE: wrap wolfSSL_DisableExtendedMasterSecret(), add support for…

b00f14e

… System property jdk.tls.useExtendedMasterSecret

JSSE: wait for wolfSSL_connect/accept() to return success before seei…

c373b6b

…ng WolfSSLEngine handshakeFinished to true

JNI/JSSE: wrap wolfSSL_send_hrr_cookie() in WolfSSLSession.sendHrrCoo…

e82f837

…kie(), enable HelloRetryRequest in SSLEngine DTLS

JNI/JSSE: wrap wolfSSL_dtls_get_drop_stats() for use in WolfSSLEngine…

bda5d81

… DTLS dropped packet detection for BUFFER_UNDERFLOW status

cconlon force-pushed the dtls branch 2 times, most recently from 6399a7b to 5f10363 Compare February 17, 2025 22:32

cconlon added 4 commits February 17, 2025 15:40

JSSE: add DTLSv1.3 tests to SSLEngine JUnit test class

8dfd9ae

JNI: skip throwing Java exceptions from NativeLoggingCallback

d245630

JNI/JSSE: wrap wolfSSL_set_SessionTicket_cb(), add session ticket cal…

8449b67

…lback to SSLEngine for detection of ticket received

JSSE: fix SSLEngine client session storage, store when WolfSSLSession…

5d37d5c

… error state is not fatal

cconlon force-pushed the dtls branch from 5f10363 to 5d37d5c Compare February 17, 2025 22:42

cconlon mentioned this pull request Feb 20, 2025

Enable DTLS 1.3 by default in --enable-jni build wolfSSL/wolfssl#8481

Merged

4 tasks

cconlon assigned JacobBarthelmeh and wolfSSL-Bot and unassigned cconlon Feb 21, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for DTLS 1.3 (`DTLSv1.3`) through `SSLContext` / `SSLEngine` #254

Add support for DTLS 1.3 (`DTLSv1.3`) through `SSLContext` / `SSLEngine` #254

cconlon commented Feb 14, 2025 •

edited

Loading

Add support for DTLS 1.3 (DTLSv1.3) through SSLContext / SSLEngine #254

Are you sure you want to change the base?

Add support for DTLS 1.3 (DTLSv1.3) through SSLContext / SSLEngine #254

Conversation

cconlon commented Feb 14, 2025 • edited Loading

Add support for DTLS 1.3 (`DTLSv1.3`) through `SSLContext` / `SSLEngine` #254

Add support for DTLS 1.3 (`DTLSv1.3`) through `SSLContext` / `SSLEngine` #254

cconlon commented Feb 14, 2025 •

edited

Loading