fix: address DTLS 1.3 RFC 9147 conformance #147

Merged: algesten merged 5 commits into main from fix-dtls13-rfc9147-conformance on Jun 21, 2026
@algesten algesten commented Jun 21, 2026

Owner

Summary

  • add DTLS 1.3 conformance integration tests for issue #146 (Several RFC 9147 (DTLS 1.3) Conformance Issues) feedback
  • fix KeyUpdate send-key rotation and in-flight update-request handling
  • enforce DTLS 1.3 ClientHello/ServerHello legacy field requirements and second-HRR rejection
  • ACK only handshake records, including the coalesced-datagram case covered by a unit test
  • retransmit the server final ACK for duplicate client Finished flights
  • update the wolfSSL interop dev dependency to a version with RFC 9147 legacy_session_id_echo handling

Closes #146

algesten and others added 4 commits June 21, 2026 14:12
Summary:
- defer DTLS 1.3 send-key rotation until a KeyUpdate ACK arrives
- ignore update_requested while a local KeyUpdate is already in flight
- reject non-empty DTLS 1.3 legacy_cookie values
- stop echoing DTLS 1.3 legacy_session_id values from the server
- abort the client on a second HelloRetryRequest
- add integration coverage for RFC 9147 conformance cases

Co-Authored-By: Codex <codex@openai.com>
@algesten algesten force-pushed the fix-dtls13-rfc9147-conformance branch from cb8af6e to 88a6d88 Compare June 21, 2026 12:13
@algesten algesten merged commit ae2dc72 into main Jun 21, 2026
46 checks passed
@algesten algesten deleted the fix-dtls13-rfc9147-conformance branch June 21, 2026 12:26
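
The KeyUpdate rules in the summary above (hold send-key rotation until the KeyUpdate is ACKed, and ignore update_requested while a local KeyUpdate is in flight), written as a Rust state machine. This is an added example, not code from this pull request; `SendKeys`, `Action` and all method names are hypothetical, and the starting epoch 3 is a constructed sample value.

```rust
// Added example: send-side KeyUpdate handling as listed in the PR summary.
// SendKeys, Action and every method name are hypothetical, not the project's API.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Action {
    SendKeyUpdate { epoch: u64 }, // emit or retransmit a KeyUpdate under `epoch`
    Nothing,
}

pub struct SendKeys {
    epoch: u64,      // epoch whose keys protect outgoing records
    in_flight: bool, // a local KeyUpdate was sent and is not yet ACKed
}

impl SendKeys {
    pub fn new(epoch: u64) -> Self { Self { epoch, in_flight: false } }
    pub fn send_epoch(&self) -> u64 { self.epoch }

    /// Local request for fresh send keys. The KeyUpdate goes out under the current keys.
    pub fn start_key_update(&mut self) -> Action {
        if self.in_flight {
            return Action::Nothing; // no second KeyUpdate before the first is ACKed
        }
        self.in_flight = true;
        Action::SendKeyUpdate { epoch: self.epoch }
    }

    /// Peer's KeyUpdate carried update_requested: ignored while ours is in flight.
    pub fn on_peer_update_requested(&mut self) -> Action { self.start_key_update() }

    /// ACK covering our KeyUpdate: only now do the send keys rotate.
    pub fn on_key_update_ack(&mut self) -> u64 {
        if self.in_flight {
            self.in_flight = false;
            self.epoch += 1; // a duplicate or stray ACK skips this branch
        }
        self.epoch
    }

    /// Retransmit timer: resend the unacknowledged KeyUpdate under the old epoch.
    pub fn on_timeout(&self) -> Action {
        if self.in_flight { Action::SendKeyUpdate { epoch: self.epoch } } else { Action::Nothing }
    }
}

fn main() {
    let mut keys = SendKeys::new(3); // constructed starting epoch
    let (first, second) = (keys.start_key_update(), keys.on_peer_update_requested());
    println!("{:?} {:?} epoch after ACK: {}", first, second, keys.on_key_update_ack());
}
```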