Hi all,

There have been a number of email threads on both the user and dev mailing lists regarding DTLS non-RFC-compliance. So, I think it is better to group them together to raise awareness and ensure interoperability with other DTLS stacks. I have verified these on snapshot-2007 08 01.

1) Incorrect version number: 0x0100 is used instead of 0xFEFF.

2) When ClientHello is sent in response to HelloVerifyRequest, the random field is different from that sent in the first ClientHello (ref. Sec 4.2.1).

3) Initial ClientHello and HelloVerifyRequest are included in the signature computation for both CertificateVerify and Finished messages. (While Sec 4.2.1 states that the initial ClientHello and HelloVerifyRequest are to be excluded in the signature for Finished, it doesn't mention excluding them in the CertificateVerify. My interpretation is that they should also be excluded because a server should not keep state of the client until a ClientHello with a valid cookie is received.)

4) Handshake "headers" are omitted in the signature computation in both CertificateVerify and Finished messages. (RFC 4347 does not clearly state what is to be included. However, according to TLS v1.1 (RFC 4346), it shall be the complete handshake message, starting from Handshake.msg_type. However, OpenSSL starts at Handshake.body.)

5) ChangeCipherSpec is 2 octets longer than expected.

According to the email threads, most of these problems have patches, but they were not submitted.

Feel free to comment/add/delete this list.

Regards,
Alex
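As an added illustration (not code from the original post or from OpenSSL), the following Python checks a captured DTLS 1.0 handshake against points 1, 2, 3 and 5 above and builds the Finished transcript the way point 4 describes: complete handshake messages including the 12-byte DTLS handshake header, with the cookie exchange left out. The message list, the cookie value and the single cipher suite are constructed sample data; the PRF itself is not computed, only its input.

```python
DTLS_1_0 = 0xFEFF  # RFC 4347 wire version for DTLS 1.0 ({254,255}); TLS-style 0x0100 is wrong
CLIENT_HELLO, SERVER_HELLO, HELLO_VERIFY_REQUEST = 1, 2, 3  # HandshakeType values

def hs_message(msg_type, body, msg_seq):
    """Complete DTLS handshake message (12-byte header + body) as if sent in one
    fragment: msg_type, length(3), message_seq(2), fragment_offset(3)=0, fragment_length(3).
    This is the unit that goes into the Finished/CertificateVerify hash, not just the body."""
    n = len(body)
    return (bytes([msg_type]) + n.to_bytes(3, "big") + msg_seq.to_bytes(2, "big")
            + bytes(3) + n.to_bytes(3, "big") + body)

def client_hello_body(version, random, cookie):
    """Constructed ClientHello body: version, 32-byte random, empty session_id,
    cookie, one cipher suite (0x002F), null compression only."""
    return (version.to_bytes(2, "big") + random + b"\x00" + bytes([len(cookie)]) + cookie
            + b"\x00\x02\x00\x2f" + b"\x01\x00")

def parse_client_hello(body):
    version = int.from_bytes(body[:2], "big")
    random = body[2:34]
    sid_len = body[34]
    cookie_len = body[35 + sid_len]
    cookie = body[36 + sid_len:36 + sid_len + cookie_len]
    return version, random, cookie

def change_cipher_spec_ok(fragment):
    """A ChangeCipherSpec record fragment is exactly one octet, value 1 (RFC 4346 sec. 7.1)."""
    return fragment == b"\x01"

def audit(handshake):
    """handshake: ordered list of (message_seq, msg_type, body) as captured on the wire.
    Returns (findings, transcript): findings is a list of non-compliance strings, transcript
    is the byte string the Finished computation must cover."""
    findings, first_random, transcript = [], None, b""
    # Everything up to and including the last HelloVerifyRequest is the cookie exchange,
    # which RFC 4347 sec. 4.2.6 excludes from the Finished MAC. If no HVR was sent, the
    # (only) ClientHello is included as usual.
    last_hvr = max((i for i, (_, t, _) in enumerate(handshake)
                    if t == HELLO_VERIFY_REQUEST), default=-1)
    for i, (msg_seq, msg_type, body) in enumerate(handshake):
        if msg_type == CLIENT_HELLO:
            version, random, cookie = parse_client_hello(body)
            if version != DTLS_1_0:
                findings.append(f"ClientHello version {version:#06x}, expected {DTLS_1_0:#06x}")
            if first_random is None:
                first_random = random
            elif random != first_random:
                findings.append("random changed between ClientHello and cookie retry")
        if i > last_hvr:
            transcript += hs_message(msg_type, body, msg_seq)
    return findings, transcript
```

Feeding `audit` the four messages of a cookie-exchange handshake returns an empty findings list and a transcript consisting of the second ClientHello and the ServerHello only, each with its header.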