DTLS connection aborts after several minutes (rekeying problem?)

Michael Fritscher
Good day,

I'm using Bouncy Castle to get DTLS functionality. I first tried to adapt the DTLS test included in the package, but it doesn't seem to
verify the certificates. So I tried https://github.com/mobius-software-ltd/java-dtls . It seems to work, but it seems to have problems with the
rekeying process - so it aborts the connections after ca. 10 minutes with medium traffic. With a GCM suite, I get "GCM cipher cannot be reused
for encryption"; with CBC I get "org.bouncycastle.crypto.tls.TlsFatalAlert: bad_record_mac(20)".

Backtrace at Client:

 > org.bouncycastle.crypto.tls.TlsFatalAlert: bad_record_mac(20)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsRecordLayer.receive(AsyncDtlsRecordLayer.java:243)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsClientProtocol.receivePacket(AsyncDtlsClientProtocol.java:125)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsClientHandler.decode(AsyncDtlsClientHandler.java:49)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsClientHandler.decode(AsyncDtlsClientHandler.java:1)
 > at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
 > at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
 > at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
 > at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
 > at io.netty.channel.nio.AbstractNioMessageChannel$NioMessageUnsafe.read(AbstractNioMessageChannel.java:93)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:697)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:632)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:549)
 > at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:511)
 > at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
 > at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
 > at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
 > at java.base/java.lang.Thread.run(Thread.java:844)


Backtrace at server:

 > org.bouncycastle.crypto.tls.TlsFatalAlert: bad_record_mac(20)
 > at org.bouncycastle.crypto.tls.TlsBlockCipher.decodeCiphertext(Unknown Source)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsRecordLayer.receive(AsyncDtlsRecordLayer.java:220)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsServerProtocol.receivePacket(AsyncDtlsServerProtocol.java:409)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsServerHandler.decode(AsyncDtlsServerHandler.java:76)
 > at com.mobius.software.iot.dal.crypto.AsyncDtlsServerHandler.decode(AsyncDtlsServerHandler.java:1)
 > at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
 > at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
 > at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
 > at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
 > at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
 > at io.netty.channel.nio.AbstractNioMessageChannel$NioMessageUnsafe.read(AbstractNioMessageChannel.java:93)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:697)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:632)
 > at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:549)
 > at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:511)
 > at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
 > at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
 > at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
 > at java.base/java.lang.Thread.run(Thread.java:844)

I've also opened an issue at https://github.com/mobius-software-ltd/java-dtls/issues/1 , but I hope that you have a hint on how to cope with this
problem. If you know other ways to get DTLS in Java 8 up & running, I'd be interested as well.

Best regards,
Michael Fritscher

--
ZfT - Zentrum für Telematik e.V.
Michael Fritscher
Magdalene-Schoch-Straße 5
97074 Würzburg
Tel: +49 (931) 615 633 - 57
Fax: +49 (931) 615 633 - 11
Email: [hidden email]
Web: http://www.telematik-zentrum.de

Board of directors:
Prof. Dr. Klaus Schilling, Prof. Dr. Andreas Nüchter, Hans-Joachim Leistner
Registered office: Gerbrunn
VAT ID no.: DE 257 244 580, Tax no.: 257/111/70203
Würzburg District Court, register of associations no.: VR 200 167
