Is there a way to specify a DTLS session id on Networking framework connections?

Hello,


I have a need to specify a TLS session id on a UDP connection. I'm using the Networking framework but I don't see any nw_parameters_set_* or sec_protocol_options_set_* methods to allow this. Is it possible to specify the session id?


Thank you.

Replies

Setting and working with the TLS session ID directly is handled by the lower level system frameworks such as libnetwork and libboringssl to ensure consistent session handling and reuse based upon the version of TLS your connection is using. The parameters available to set on the TLS session are exposed in sec_protocol_options_t for configuring options like cipher suites, ALPN, PSK, etc.


Is there a reason that you need to access the session id directly outside of how libnetwork and libboringssl delegate this for you?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Hi Matt,


I'm implementing a VPN client for the OpenConnect VPN server. The protocol requires creating a TCP connection for the initial handshake and configuration and a secondary UDP connection for sending packets. The client receives an id from the TCP connection and is required to set it as the TLS session id on the UDP connection. The server uses this to associate the two connections as being from the same client.


If there's no way to set the TLS session id using the Network framework, I'm going to have to resort to using OpenSSL and sockets :-(. I'd much rather rely on Apple's DTLS implementation than using a third party which may have bugs and/or security vulnerabilities.


Thank you.

Instead of using the id obtained from the TCP connection for the TLS session id, could you generate a pre-shared key that could be set with NWProtocolTLS.Options() instead?


Take a look at NWProtocolTLS.Options() and the sec_protocol_options_add_pre_shared_key method to see if this would be an option for the server to identify the client connection.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
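To make the suggestion above concrete, here is an added example (not code from this thread, nor from Apple or the OpenConnect project) of building DTLS-over-UDP NWParameters that authenticate with a pre-shared key rather than a TLS session ID. The id received on the TCP leg is used as the PSK identity, which the server sees in the handshake and can use to look up the matching key; the key material itself has to be shared out of band. The host name vpn.example.com, the placeholder secret and the client id string are assumptions for illustration. As the reply that follows in the thread points out, this only works against a server that accepts PSK authentication.

```swift
import Foundation
import Network
import Security

/// Build NWParameters for a DTLS 1.2 connection over UDP that authenticates with a
/// pre-shared key. `clientID` becomes the PSK identity sent to the server;
/// `sharedSecret` is the key both ends must already hold (assumed provisioned elsewhere).
func dtlsPSKParameters(clientID: String, sharedSecret: Data) -> NWParameters {
    let tlsOptions = NWProtocolTLS.Options()
    let secOptions = tlsOptions.securityProtocolOptions

    // Pin the handshake to DTLS 1.2: the PSK ciphersuite appended below is a TLS 1.2 suite.
    sec_protocol_options_set_min_tls_protocol_version(secOptions, .DTLSv12)
    sec_protocol_options_set_max_tls_protocol_version(secOptions, .DTLSv12)

    // The C API takes dispatch_data_t, so wrap the Data values in DispatchData.
    let pskData = sharedSecret.withUnsafeBytes { DispatchData(bytes: $0) }
    let identityData = Data(clientID.utf8).withUnsafeBytes { DispatchData(bytes: $0) }

    // Register the key under the identity. The server receives the identity in the
    // ClientKeyExchange and uses it to select the key, which is what ties this UDP
    // flow to the client that already authenticated over TCP.
    sec_protocol_options_add_pre_shared_key(secOptions,
                                            pskData as __DispatchData,
                                            identityData as __DispatchData)

    // The default ciphersuite list contains no PSK suites, so one must be added explicitly.
    // TLS_PSK_WITH_* suites do plain PSK key exchange with no ephemeral Diffie-Hellman,
    // so they provide no forward secrecy; the shared secret must be protected accordingly.
    sec_protocol_options_append_tls_ciphersuite(secOptions,
        tls_ciphersuite_t(rawValue: TLS_PSK_WITH_AES_128_GCM_SHA256)!)

    return NWParameters(dtls: tlsOptions, udp: NWProtocolUDP.Options())
}

// Usage. The client id would come from the TCP leg of the protocol; the 32-byte secret
// here is a constructed placeholder standing in for a key provisioned out of band.
let clientIDFromTCP = "example-client-id"
let placeholderSecret = Data(repeating: 0x42, count: 32)

let params = dtlsPSKParameters(clientID: clientIDFromTCP, sharedSecret: placeholderSecret)
let connection = NWConnection(host: "vpn.example.com", port: 443, using: params)

connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        print("DTLS handshake complete; PSK identity accepted by the server")
    case .failed(let error):
        // A server that does not know the identity (or has no PSK support) fails here.
        print("DTLS handshake failed: \(error)")
    default:
        break
    }
}
connection.start(queue: DispatchQueue(label: "dtls.psk.example"))
```

The identity is sent in the clear during the handshake, so it should be treated as an opaque token rather than something that leaks client information, and the secret bound to it must never be derived from that public identity.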

Unfortunately that's not an option for us. The OpenConnect VPN server is open source so although it is technically possible to create a custom version of the server, the client needs to work with the out-of-the-box OpenConnect server.


Thank you.