During our tests, we noticed that the handshake could continue if the server chooses to use a lower version of the protocol compared to the version used in earlier records through the handshake. I will try to clarify this through an example:
During the handshake, when the server sends the ServerHello message, it uses DTLS 1.2 as the record version. Now if in the following record containing the ServerHelloDone message, the server chooses to use DTLS 1.0 as the record version, the handshake continues without interruption. Although the security implications of this are unknown (or none in the case of TinyDTLS), I believe it is still good practice to abort when a version downgrade occurs. For example, OpenSSL aborts the handshake in such a scenario. An example of such a downgrade can be found in the attached PCAP file.
tinydtls-0.zip
During our tests, we noticed that the handshake could continue if the server chooses to use a lower version of the protocol compared to the version used in earlier records through the handshake. I will try to clarify this through an example:
During the handshake, when the server sends the
ServerHellomessage, it usesDTLS 1.2as the record version. Now if in the following record containing theServerHelloDonemessage, the server chooses to useDTLS 1.0as the record version, the handshake continues without interruption. Although the security implications of this are unknown (or none in the case of TinyDTLS), I believe it is still good practice to abort when a version downgrade occurs. For example, OpenSSL aborts the handshake in such a scenario. An example of such a downgrade can be found in the attached PCAP file.tinydtls-0.zip