Reputation: 85
Currently I have a CoAP server that processes requests from IoT devices. It does the handshake, validates the certificate, identity, etc. before processing every request.
Now, in order to save the device's battery, I need to have another non-secure CoAP server that supports non-secure requests for checking whether there is an update on the server. If there is, the device will call the original CoAP server to fetch the changes; otherwise it won't make any call.
But now I'm stuck on how to disable the handshake for the CoAP server. Even if I do this on the server:
```java
setDefaultHandshakeMode(DtlsEndpointContext.HANDSHAKE_MODE_NONE)
```
it still shows that a handshake happens:
```
handshake completed dtls-con: CID=A7FA63DBD32D, 127.0.0.1:64164, session established AA322905DB17, is alive
```
This is the code that establishes the CoAP server:
```java
import java.net.Inet4Address;
import java.net.InetAddress;

import org.eclipse.californium.core.CoapServer;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.network.config.NetworkConfig;
import org.eclipse.californium.elements.Connector;
import org.eclipse.californium.elements.util.NetworkInterfacesUtil;

CoapServer server = new CoapServer();
// every endpoint below is bound to the secure port, so each one is a DTLS endpoint
int port = config.getInt(NetworkConfig.Keys.COAP_SECURE_PORT);
for (InetAddress addr : NetworkInterfacesUtil.getNetworkInterfaces()) {
    // only binds to IPv4 addresses and localhost
    if (addr instanceof Inet4Address || addr.isLoopbackAddress()) {
        log.debug("Creating DTLS connector");
        Connector dtlsConnector = createDtlsConnector(addr, port);
        log.debug("DTLS connector created");
        server.addEndpoint(new CoapEndpoint.Builder()
                .setNetworkConfig(config)
                .setConnector(dtlsConnector)
                .build());
    }
}
```
and
```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.List;

import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.x509.SingleCertificateProvider;
import org.eclipse.californium.scandium.dtls.x509.StaticNewAdvancedCertificateVerifier;

private DTLSConnector createDtlsConnector(InetAddress addr, int port) {
    try (InputStream ksStream = properties.getSsl().getKeyStore().getInputStream();
         InputStream tsStream = properties.getSsl().getTrustStore().getInputStream()) {
        // server identity (private key + chain) comes from the key store,
        // the CA certificates used to verify devices from the trust store
        KeyStore keyStore = KeyStore.getInstance(properties.getSsl().getKeyStoreType());
        keyStore.load(ksStream, properties.getSsl().getKeyStorePassword().toCharArray());
        KeyStore trustStore = KeyStore.getInstance(properties.getSsl().getTrustStoreType());
        trustStore.load(tsStream, properties.getSsl().getTrustStorePassword().toCharArray());
        // Load certificates from the trust storage
        log.debug("Load certificates from birth trust list");
        loadTrustedCertificates(birthTrustList, trustStore,
                properties.getSsl().getTrustBirthCaAlias());
        log.debug("Load certificates from trust list");
        loadTrustedCertificates(trustList, trustStore,
                properties.getSsl().getTrustPlateCaAlias());
        trustList.addAll(birthTrustList);
        log.debug("Setting binding address");
        InetSocketAddress bindToAddress = new InetSocketAddress(addr, port);
        DtlsConnectorConfig.Builder builder = new DtlsConnectorConfig.Builder();
        builder.setAddress(bindToAddress);
        log.debug("Setting certificate identity provider");
        // the (List<CertificateType>) null cast selects the List overload of the constructor
        builder.setCertificateIdentityProvider(new SingleCertificateProvider((PrivateKey) keyStore.getKey(
                properties.getSsl().getKeyServerCertAlias(),
                properties.getSsl().getKeyStorePassword().toCharArray()),
                keyStore.getCertificateChain(properties.getSsl().getKeyServerCertAlias()),
                (List<CertificateType>) null));
        // the verifier is built once and shared by all connectors
        if (staticNewAdvancedCertificateVerifier == null) {
            staticNewAdvancedCertificateVerifier = (StaticNewAdvancedCertificateVerifier) StaticNewAdvancedCertificateVerifier
                    .builder()
                    .setTrustedCertificates(trustList.toArray(new Certificate[0])).build();
        }
        builder.setAdvancedCertificateVerifier(staticNewAdvancedCertificateVerifier);
        // devices may connect without a client certificate
        builder.setClientAuthenticationRequired(false);
        builder.setRetransmissionTimeout(properties.getDtlsRetransmissionTimeout());
        builder.setMaxTransmissionUnit(properties.getMtu());
        // builder.setDefaultHandshakeMode(DtlsEndpointContext.HANDSHAKE_MODE_NONE); This line didn't make any difference
        // (the default handshake mode only governs whether this connector starts a handshake
        //  for its own outgoing messages; an incoming ClientHello still triggers one)
        log.debug("Returning DTLSConnector");
        return new DTLSConnector(builder.build());
    } catch (GeneralSecurityException | IOException e) {
        log.error("Could not load the keystore", e);
        throw new CoapException(CoapError.COAP_SERVER_CONFIGURATION_ERROR, "Unable to load the keystore");
    }
}
```
Upvotes: 0
Views: 38
Reputation: 849
To save your battery, you don't need to drop encryption.
RFC 9146 DTLS 1.2 CID helps you keep encryption without the overhead of too-frequent handshakes.
You may check my Zephyr demo-client and Californium's CoAP-S3-Proxy to gather some experience of your own.
If you really don't want to use encryption, just use port 5683 for plain CoAP without DTLS.
Upvotes: 0
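The answer's two suggestions put into Californium 2.x code, as an added example that is neither the question's nor the answer's code: a plain CoAP server on 5683 that serves only a harmless version tag for the cheap "is there an update?" poll, and a separate DTLS server with RFC 9146 Connection ID enabled so a sleeping device does not pay for a new handshake every time its address changes. The class and method names (`SplitCoapServers`, `UpdateCheckResource`, `plainServer`, `secureServer`) are assumed, as is that the asker's already-configured `DtlsConnectorConfig.Builder` is passed in.

```java
import java.net.InetSocketAddress;
import org.eclipse.californium.core.CoapResource;
import org.eclipse.californium.core.CoapServer;
import org.eclipse.californium.core.coap.CoAP;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.network.config.NetworkConfig;
import org.eclipse.californium.core.server.resources.CoapExchange;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.SingleNodeConnectionIdGenerator;

public class SplitCoapServers {

    // Served over plain CoAP: only a version tag, so an unauthenticated peer learns
    // nothing beyond "is there something newer than what I already have".
    static class UpdateCheckResource extends CoapResource {
        private volatile String currentVersion = "v1"; // constructed sample value

        UpdateCheckResource() {
            super("update-check"); // hypothetical resource name
        }

        @Override
        public void handleGET(CoapExchange exchange) {
            exchange.setMaxAge(300); // lets the device back off between polls
            exchange.respond(CoAP.ResponseCode.CONTENT, currentVersion);
        }
    }

    // Plain UDP endpoint (bind to CoAP.DEFAULT_COAP_PORT, 5683): no DTLS, hence no handshake.
    static CoapServer plainServer(NetworkConfig config, InetSocketAddress bind) {
        CoapServer server = new CoapServer(config);
        server.addEndpoint(new CoapEndpoint.Builder()
                .setNetworkConfig(config).setInetSocketAddress(bind).build());
        server.add(new UpdateCheckResource());
        return server;
    }

    // DTLS endpoint with RFC 9146 Connection ID: a device whose address changed while
    // asleep keeps using its existing session instead of running a new handshake.
    static CoapServer secureServer(NetworkConfig config, DtlsConnectorConfig.Builder dtls) {
        dtls.setConnectionIdGenerator(new SingleNodeConnectionIdGenerator(6)); // 6-byte CIDs
        CoapServer server = new CoapServer(config);
        server.addEndpoint(new CoapEndpoint.Builder()
                .setNetworkConfig(config)
                .setConnector(new DTLSConnector(dtls.build())).build());
        return server; // add the authenticated resources (the update payload itself) to this one
    }
}
```

The client must also offer the connection_id extension for CID to be used; only the DTLS server should hand out the actual update, since anything on the plain server is readable and spoofable on the path.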