diff --git a/doc/connectivity/networking/api/lwm2m.rst b/doc/connectivity/networking/api/lwm2m.rst
index 8a36adf8860..3baa4516c5d 100644
--- a/doc/connectivity/networking/api/lwm2m.rst
+++ b/doc/connectivity/networking/api/lwm2m.rst
@@ -404,6 +404,11 @@ NoSec
 In all modes, Server URI resource (ID 0) must contain the full URI for the target server.
 When DNS names are used, the DNS resolver must be enabled.
 
+When DTLS is used, following options are recommended to reduce DTLS handshake traffic when connection is re-established:
+
+* :kconfig:option:`CONFIG_LWM2M_DTLS_CID` enables DTLS Connection Identifier support. When server supports it, this completely removes the handshake when device resumes operation after long idle period. Greatly helps when NAT mappings have timed out.
+* :kconfig:option:`CONFIG_LWM2M_TLS_SESSION_CACHING` uses session cache when before falling back to full DTLS handshake. Reduces few packets from handshake, when session is still cached on server side. Most significant effect is to avoid full registration.
+
 LwM2M stack provides callbacks in the :c:struct:`lwm2m_ctx` structure.
 They are used to feed keys from the LwM2M security object into the TLS credential subsystem.
 By default, these callbacks can be left as NULL pointers, in which case default callbacks are used.
diff --git a/samples/net/lwm2m_client/overlay-dtls.conf b/samples/net/lwm2m_client/overlay-dtls.conf
index d9cf838ddc5..930230d8ba4 100644
--- a/samples/net/lwm2m_client/overlay-dtls.conf
+++ b/samples/net/lwm2m_client/overlay-dtls.conf
@@ -1,9 +1,12 @@
+# Enable DTLS with Connection Identifier
 CONFIG_LWM2M_DTLS_SUPPORT=y
+CONFIG_LWM2M_DTLS_CID=y
 CONFIG_LWM2M_PEER_PORT=5684
 
 # Select Zephyr mbedtls
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_TLS_VERSION_1_2=y
+CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y
 
 # Special MbedTLS changes
 CONFIG_MBEDTLS_ENABLE_HEAP=y
diff --git a/subsys/net/lib/lwm2m/Kconfig b/subsys/net/lib/lwm2m/Kconfig
index 1f5b83f47d0..dd3c0c45618 100644
--- a/subsys/net/lib/lwm2m/Kconfig
+++ b/subsys/net/lib/lwm2m/Kconfig
@@ -115,6 +115,13 @@ config LWM2M_TLS_SESSION_CACHING
 	help
 	  Enabling this only when feature is supported in TLS library.
 
+config LWM2M_DTLS_CID
+	bool "DTLS Connection Identifier support"
+	default y if MBEDTLS_SSL_DTLS_CONNECTION_ID
+	help
+	  Request TLS stack to enable DTLS Connection identifier. This requires stack that support it
+	  and actual effect depends on the target server as well.
+
 config LWM2M_RD_CLIENT_SUPPORT_BOOTSTRAP
 	bool "Bootstrap support"
 	help
diff --git a/subsys/net/lib/lwm2m/lwm2m_engine.c b/subsys/net/lib/lwm2m/lwm2m_engine.c
index befc8826e0c..8fceecf9335 100644
--- a/subsys/net/lib/lwm2m/lwm2m_engine.c
+++ b/subsys/net/lib/lwm2m/lwm2m_engine.c
@@ -987,6 +987,18 @@ int lwm2m_set_default_sockopt(struct lwm2m_ctx *ctx)
 			return ret;
 		}
 	}
+	if (IS_ENABLED(CONFIG_LWM2M_DTLS_CID)) {
+		/* Enable CID */
+		int cid = TLS_DTLS_CID_ENABLED;
+
+		ret = zsock_setsockopt(ctx->sock_fd, SOL_TLS, TLS_DTLS_CID, &cid,
+				       sizeof(cid));
+		if (ret) {
+			ret = -errno;
+			LOG_ERR("Failed to enable TLS_DTLS_CID: %d", ret);
+			/* Not fatal, continue. */
+		}
+	}
 	if (ctx->hostname_verify && (ctx->desthostname != NULL)) {
 		/** store character at len position */
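Review bot: The help text of the new LWM2M_DTLS_CID symbol does not say what happens when the TLS stack lacks CID support, which matters because the symbol only has `default y if MBEDTLS_SSL_DTLS_CONNECTION_ID` and no `depends on`, so it can be set to y against a stack without the feature. The lwm2m_engine.c hunk in this same commit logs the TLS_DTLS_CID setsockopt failure and continues without CID, so the help should state that fallback; it also has a grammar slip ("stack that support it"). Suggested help text: `Request the TLS stack to enable the DTLS Connection Identifier extension. This requires a TLS stack that supports it; if the socket option cannot be set, the failure is logged and the client continues without CID. The actual effect also depends on the target server.` If the option is only meaningful with DTLS, a `depends on LWM2M_DTLS_SUPPORT` line would keep it out of non-DTLS builds, assuming the neighbouring DTLS options follow that pattern.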