mbedtls学习(12)DTLS
概述
DTLS(Datagram Transport Layer Security)是运行在UDP之上的安全通讯协议,大部分和TLS是一样的,只是针对UDP在不可靠传输问题增加了新特性,用来解决UDP传输的报文乱序和报文丢失等问题,DTLS主要通过下面方法来解决
- 禁止密码流,避免记录层报文前后关联
- 在记录层增加计数值和序列号字段,用于排序和数据确认
- 在握手子协议中加入重传机制,防止握手过程中报文丢失
- 在握手子协议中加入序列号,保证握手报文顺序正确
- 在握手协议中增加偏移量(fragment_offset)和帧长度(fragment_length)字段,IP层会在报文长度大于1500分片,用这2个字段重组
DTLS握手协议变化
- 防止DDos攻击
握手子协议中加入HelloVerifyRequest,服务器收到ClientHello后将会为客户端分配一个cookie,并把这个cookie包含在HelloVerifyRequest中,客户端在收到带有cookie的ClientHello后,需要重新发ClientHello。如果服务器在短时间内收到某个IP重复报文则会丢弃。
mbedtls DTLS例子
DTLS加入了超时重传机制,所以需要注册设置定时器和获得定时器接口,这个例子不是加载X.509证书派发密钥,而是采用PSK密钥交换。
/* mbed TLS feature support */
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 启用PSK密钥协商方案
#define MBEDTLS_SSL_PROTO_TLS1_2 选择TLS1.2
#define MBEDTLS_SSL_PROTO_DTLS 启用DTLS
/* mbed TLS modules */
#define MBEDTLS_AES_C
#define MBEDTLS_CCM_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_MD_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_TLS_C 启用TLS/SSL功能
#define MBEDTLS_AES_ROM_TABLES
/* Save some RAM by adjusting to your exact needs */
#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */
/*
* You should adjust this to the exact number of sources you're using: default
* is the "platform_entropy_poll" source, but you may want to add other ones
* Minimum is 2 for the entropy test suite.
*/
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
/*
* Use only CCM_8 ciphersuites, and
* save ROM and a few bytes of RAM by specifying our own ciphersuite list
*/
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
/*
* Save RAM at the expense of interoperability: do this only if you control
* both ends of the connection! (See comments in "mbedtls/ssl.h".)
* The optimal size here depends on the typical size of records.
*/
#define MBEDTLS_SSL_MAX_CONTENT_LEN 4096 TLS缓存区,这个可以极大减少TLS占用RAM
#include