DTLS session resumption; frequent "Can't interleave application and handshake data" errors

[oviano]

When my DTLS client connects to the server over a certain distance/latency (around 100-200ms latency) I have found the above error occurs a lot, but only when session resumption is enabled and not always. It can go through periods where repeated handshakes fail in this manner, and other times when it works just fine.

With session resumption disabled (by overriding tls_should_persist_resumption_information to return false), the issue apparently disappears completely, and the full handshake succeeds.

At first I thought I was simply seeing this issue #2498 but it turns out on closer inspection that neither the client or server are retransmitting anything during these failed handshakes.

Both client and server use the Botan DTLS implementation from version 3.6.1.

[oviano]

Logging observed on the client during these failures:

2025-03-26 17:53:28.723070Z TLS_CALLBACKS: Handshake message (client_hello )
2025-03-26 17:53:28.834143Z TLS_CALLBACKS: Handshake message (server_hello )
2025-03-26 17:53:28.834785Z TLS_CALLBACKS: Handshake message (finished )
2025-03-26 17:53:28.834950Z TLS_CALLBACKS: Handshake message (finished )
2025-03-26 17:53:28.835003Z TLS_CALLBACKS: Started TLS session (version DTLS v1.2, ciphersuite ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, was_resumption true)
2025-03-26 17:53:28.835029Z TLS_CALLBACKS: Updated TLS resumption information
2025-03-26 17:53:28.837724Z TLS_CALLBACKS: Activated TLS session

...and the corresponding server logging...

26/03/25 20:53:28.847891 [default] DEBUG : TLS_CALLBACKS: Handshake message (client_hello )
26/03/25 20:53:28.848153 [default] DEBUG : TLS_CALLBACKS: Handshake message (server_hello )
26/03/25 20:53:28.848225 [default] DEBUG : TLS_CALLBACKS: Started TLS session (version DTLS v1.2, ciphersuite ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, was_resumption true)
26/03/25 20:53:28.848247 [default] DEBUG : TLS_CALLBACKS: Updated TLS resumption information
26/03/25 20:53:28.848385 [default] DEBUG : TLS_CALLBACKS: Handshake message (finished )
26/03/25 20:53:28.961247 [default] ERROR : ASIO_CONNECTION::SYS: Error receiving TLS (Can't interleave application and handshake data)

[oviano]

Ok here is some more detailed log, basically dumping the contents of the DTLS headers on both client and server in the order they are sent and received:

First the client:

--------------------------------------------------
SENDING DTLS DATA
--------------------------------------------------
DTLS Record Header
16fefd00000000000000000161
Message Type    : Handshake
Protocol Version: 65022
epoch           : 0
Sequence Number : 0
Length          : 353
--------------------------------------------------
--------------------------------------------------
RECEIVING TLS DATA
--------------------------------------------------
DTLS Record Header
16fefd00000000000000000063
Message Type    : Handshake
Protocol Version: 65022
epoch           : 0
Sequence Number : 0
Length          : 99
--------------------------------------------------
--------------------------------------------------
RECEIVING TLS DATA
--------------------------------------------------
DTLS Record Header
14fefd00000000000000010001
Message Type    : ChangeCipherSpec
Protocol Version: 65022
epoch           : 0
Sequence Number : 1
Length          : 1
--------------------------------------------------
--------------------------------------------------
RECEIVING TLS DATA
--------------------------------------------------
DTLS Record Header
16fefd00010000000000000030
Message Type    : Handshake
Protocol Version: 65022
epoch           : 1
Sequence Number : 0
Length          : 48
--------------------------------------------------
TLS_CALLBACKS: Started TLS session (version DTLS v1.2, ciphersuite ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, was_resumption true)
TLS_CALLBACKS: Updated TLS resumption information
TLS_CALLBACKS: Activated TLS session
--------------------------------------------------
SENDING DTLS DATA
--------------------------------------------------
DTLS Record Header
14fefd00000000000000010001
Message Type    : ChangeCipherSpec
Protocol Version: 65022
epoch           : 0
Sequence Number : 1
Length          : 1
--------------------------------------------------
--------------------------------------------------
SENDING DTLS DATA
--------------------------------------------------
DTLS Record Header
16fefd00010000000000000030
Message Type    : Handshake
Protocol Version: 65022
epoch           : 1
Sequence Number : 0
Length          : 48
--------------------------------------------------
--------------------------------------------------
SENDING DTLS DATA
--------------------------------------------------
DTLS Record Header
17fefd00010000000000010021
Message Type    : Application Data
Protocol Version: 65022
epoch           : 1
Sequence Number : 1
Length          : 33
--------------------------------------------------
--------------------------------------------------
SENDING DTLS DATA
--------------------------------------------------
DTLS Record Header
17fefd00010000000000020021
Message Type    : Application Data
Protocol Version: 65022
epoch           : 1
Sequence Number : 2
Length          : 33
--------------------------------------------------

...and the server:

26/03/25 22:09:35.199369 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.199393 [default] DEBUG : RECEIVING TLS DATA
26/03/25 22:09:35.199405 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.199418 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.199433 [default] DEBUG : 16fefd00000000000000000161
26/03/25 22:09:35.199445 [default] DEBUG : Message Type    : Handshake
26/03/25 22:09:35.199456 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.199467 [default] DEBUG : epoch           : 0
26/03/25 22:09:35.199477 [default] DEBUG : Sequence Number : 0
26/03/25 22:09:35.199487 [default] DEBUG : Length          : 353
26/03/25 22:09:35.199503 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.199870 [default] DEBUG : TLS_CALLBACKS: Started TLS session (version DTLS v1.2, ciphersuite ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, was_resumption true)
26/03/25 22:09:35.199906 [default] DEBUG : TLS_CALLBACKS: Updated TLS resumption information
26/03/25 22:09:35.200043 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200071 [default] DEBUG : SENDING DTLS DATA
26/03/25 22:09:35.200085 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200097 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.200111 [default] DEBUG : 16fefd00000000000000000063
26/03/25 22:09:35.200123 [default] DEBUG : Message Type    : Handshake
26/03/25 22:09:35.200134 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.200144 [default] DEBUG : epoch           : 0
26/03/25 22:09:35.200154 [default] DEBUG : Sequence Number : 0
26/03/25 22:09:35.200165 [default] DEBUG : Length          : 99
26/03/25 22:09:35.200175 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200195 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200206 [default] DEBUG : SENDING DTLS DATA
26/03/25 22:09:35.200217 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200226 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.200238 [default] DEBUG : 14fefd00000000000000010001
26/03/25 22:09:35.200249 [default] DEBUG : Message Type    : ChangeCipherSpec
26/03/25 22:09:35.200261 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.200281 [default] DEBUG : epoch           : 0
26/03/25 22:09:35.200303 [default] DEBUG : Sequence Number : 1
26/03/25 22:09:35.200324 [default] DEBUG : Length          : 1
26/03/25 22:09:35.200343 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200373 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200394 [default] DEBUG : SENDING DTLS DATA
26/03/25 22:09:35.200413 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.200434 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.200456 [default] DEBUG : 16fefd00010000000000000030
26/03/25 22:09:35.200477 [default] DEBUG : Message Type    : Handshake
26/03/25 22:09:35.200497 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.200518 [default] DEBUG : epoch           : 1
26/03/25 22:09:35.200539 [default] DEBUG : Sequence Number : 0
26/03/25 22:09:35.200563 [default] DEBUG : Length          : 48
26/03/25 22:09:35.200583 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.313568 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.313641 [default] DEBUG : RECEIVING TLS DATA
26/03/25 22:09:35.313664 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.313681 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.313706 [default] DEBUG : 16fefd00010000000000000030
26/03/25 22:09:35.313740 [default] DEBUG : Message Type    : Handshake
26/03/25 22:09:35.313771 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.313803 [default] DEBUG : epoch           : 1
26/03/25 22:09:35.313834 [default] DEBUG : Sequence Number : 0
26/03/25 22:09:35.313867 [default] DEBUG : Length          : 48
26/03/25 22:09:35.313900 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314056 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314098 [default] DEBUG : RECEIVING TLS DATA
26/03/25 22:09:35.314133 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314177 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.314209 [default] DEBUG : 17fefd00010000000000010021
26/03/25 22:09:35.314237 [default] DEBUG : Message Type    : Application Data
26/03/25 22:09:35.314266 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.314300 [default] DEBUG : epoch           : 1
26/03/25 22:09:35.314327 [default] DEBUG : Sequence Number : 1
26/03/25 22:09:35.314356 [default] DEBUG : Length          : 33
26/03/25 22:09:35.314387 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314479 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314516 [default] DEBUG : RECEIVING TLS DATA
26/03/25 22:09:35.314573 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:35.314608 [default] DEBUG : DTLS Record Header
26/03/25 22:09:35.314641 [default] DEBUG : 14fefd00000000000000010001
26/03/25 22:09:35.314673 [default] DEBUG : Message Type    : ChangeCipherSpec
26/03/25 22:09:35.314703 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:35.314729 [default] DEBUG : epoch           : 0
26/03/25 22:09:35.314758 [default] DEBUG : Sequence Number : 1
26/03/25 22:09:35.314792 [default] DEBUG : Length          : 1
26/03/25 22:09:35.314822 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:36.227456 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:36.227530 [default] DEBUG : RECEIVING TLS DATA
26/03/25 22:09:36.227557 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:36.227575 [default] DEBUG : DTLS Record Header
26/03/25 22:09:36.227596 [default] DEBUG : 17fefd00010000000000020021
26/03/25 22:09:36.227612 [default] DEBUG : Message Type    : Application Data
26/03/25 22:09:36.227630 [default] DEBUG : Protocol Version: 65022
26/03/25 22:09:36.227647 [default] DEBUG : epoch           : 1
26/03/25 22:09:36.227664 [default] DEBUG : Sequence Number : 2
26/03/25 22:09:36.227679 [default] DEBUG : Length          : 33
26/03/25 22:09:36.227694 [default] DEBUG : --------------------------------------------------
26/03/25 22:09:36.227978 [default] ERROR : ASIO_CONNECTION::SYS: Error receiving TLS (Can't interleave application and handshake data)

As I think can be seen; after the client considers the TLS session activated, it sends ChangeCipherSpec, Handshake and Application Data.

The server receives these in the order Handshake, Application Data, ChangeCipherSpec.

The next Application Data received by the server then trips things up.

Does this help?

[oviano]

I thought a workaround might be to drop application data received before the active state is set (for UDP only) but it still falls apart if the server receives Handshake before ChangeCipherSpec.

Even if the server receives both those packets, but in the wrong order, the DTLS session is not activated. It seems it needs ChangeCipherSpec and then Handshake before it will activate the state.

What happens after that is the server periodically re-sends Handshake, ChangeCipherSpec and Handshake (as part of timeout_check()) but the client does not seem to care about these messages (because its state is activated?) and does not send any replies....so nothing progresses.