1

(2 replies, posted in wolfSSL)

Those DTLS samples are bit weird BTW. There are some rather weird comments/functionality there. For example, server-dtls-threaded stores received packet in args->b, does nothing with it, and then calls SSL_accept on the new fd + SSL_read later to write over it tongue

I would like to see one that is non-blocking, and really handles multiple clients in parallel. (The 'non-blocking' example server does not.)

The lack of DTLSv1_listen equivalent makes doing one rather awkward (I assume you have to start new SSL instances before cookie exchange completes, making it bit less DoS resistant).

P.S. The (default) DTLS cookie generation seems to be somewhat insecure too, as it uses only remote address, and no random material at all. Therefore, you can precompute the results and do DoS attacks if you know the remote implementation is wolfSSL embedded SSL.