From 272a1aa1b165e095d3bbcec7daef5f3c68e0f0d5 Mon Sep 17 00:00:00 2001 From: nick Date: Wed, 11 Dec 2024 18:23:15 +0200 Subject: [PATCH 1/6] coaps: x509 - dtls add: DTLS_MAX_FRAGMENT_LENGTH, DTLS_MAX_TRANSMISSION_UNIT --- .../src/main/resources/thingsboard.yml | 4 +++ .../server/coapserver/TbCoapDtlsSettings.java | 28 +++++++++++++++++++ 2 files changed, 32 insertions(+)
diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index f642d7fea5..5b53339346 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -1302,6 +1302,10 @@ coap:
 # - A value between 0 and <= 4: SingleNodeConnectionIdGenerator is used
 # - A value that are > 4: MultiNodeConnectionIdGenerator is used
 connection_id_length: "${COAP_DTLS_CONNECTION_ID_LENGTH:}"
+ # Specify the MTU (Maximum Transmission Unit).
+ max_transmission_unit: "${COAP_DTLS_MAX_TRANSMISSION_UNIT:1024}"
+ # DTLS maximum fragment length (RFC 6066)
+ max_fragment_length: "${COAP_DTLS_MAX_FRAGMENT_LENGTH:1024}"
 # Server DTLS credentials
 credentials:
 # Server credentials type (PEM - pem certificate file; KEYSTORE - java keystore)
diff --git a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
index f83a20b139..9d3f191f48 100644
--- a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
+++ b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
@@ -21,6 +21,7 @@ import org.eclipse.californium.elements.config.Configuration; import org.eclipse.californium.elements.util.SslContextUtil; import org.eclipse.californium.scandium.config.DtlsConnectorConfig; import org.eclipse.californium.scandium.dtls.CertificateType; +import org.eclipse.californium.scandium.dtls.MaxFragmentLengthExtension.Length; import org.eclipse.californium.scandium.dtls.x509.SingleCertificateProvider; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; @@ -44,6 +45,8 @@ import static org.eclipse.californium.elements.config.CertificateAuthenticationM import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_CLIENT_AUTHENTICATION_MODE; import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_CONNECTION_ID_LENGTH; import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_CONNECTION_ID_NODE_ID; +import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_MAX_FRAGMENT_LENGTH; +import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_MAX_TRANSMISSION_UNIT; import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RETRANSMISSION_TIMEOUT; import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_ROLE; import static org.eclipse.californium.scandium.config.DtlsConfig.DtlsRole.SERVER_ONLY; @@ -66,6 +69,12 @@ public class TbCoapDtlsSettings { @Value("${coap.dtls.connection_id_length:}") private Integer cIdLength; + @Value("${coap.dtls.max_transmission_unit:}") + private Integer maxTransmissionUnit; + + @Value("${coap.dtls.max_fragment_length:}") + private Integer maxFragmentLength; + @Bean @ConfigurationProperties(prefix = "coap.dtls.credentials") public SslCredentialsConfig coapDtlsCredentials() { 
@@ -108,6 +117,15 @@ public class TbCoapDtlsSettings { configBuilder.set(DTLS_CONNECTION_ID_NODE_ID, null); } } + if (maxTransmissionUnit != null) { + configBuilder.set(DTLS_MAX_TRANSMISSION_UNIT, maxTransmissionUnit); + } + if (maxFragmentLength != null) { + Length length = fromLength(maxFragmentLength); + if (length != null) { + configBuilder.set(DTLS_MAX_FRAGMENT_LENGTH, fromLength(maxFragmentLength)); + } + } configBuilder.setAdvancedCertificateVerifier( new TbCoapDtlsCertificateVerifier( transportService, @@ -127,4 +145,14 @@ public class TbCoapDtlsSettings { return new InetSocketAddress(addr, port); } + + private static Length fromLength(int length) { + for (Length l : Length.values()) { + if (l.length() == length) { + return l; + } + } + return null; + } } + From 19e0c11b6912dfac2f0b552179ae393eaf51fbf7 Mon Sep 17 00:00:00 2001 From: nick Date: Thu, 12 Dec 2024 11:52:48 +0200 Subject: [PATCH 2/6] coaps: x509 - dtls add: DTLS_MAX_FRAGMENT_LENGTH, DTLS_MAX_TRANSMISSION_UNIT add to microservice --- transport/coap/src/main/resources/tb-coap-transport.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/transport/coap/src/main/resources/tb-coap-transport.yml b/transport/coap/src/main/resources/tb-coap-transport.yml index 2c1c0550e1..865b85c985 100644 --- a/transport/coap/src/main/resources/tb-coap-transport.yml +++ b/transport/coap/src/main/resources/tb-coap-transport.yml @@ -198,6 +198,10 @@ coap: # - A value between 0 and <= 4: SingleNodeConnectionIdGenerator is used # - A value that are > 4: MultiNodeConnectionIdGenerator is used connection_id_length: "${COAP_DTLS_CONNECTION_ID_LENGTH:}" + # Specify the MTU (Maximum Transmission Unit). + max_transmission_unit: "${COAP_DTLS_MAX_TRANSMISSION_UNIT:1024}" + # DTLS maximum fragment length (RFC 6066) + max_fragment_length: "${COAP_DTLS_MAX_FRAGMENT_LENGTH:1024}" # Server DTLS credentials credentials: # Server credentials type (PEM - pem certificate file; KEYSTORE - java keystore) 
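Review bot: An unsupported `coap.dtls.max_fragment_length` (anything other than the four RFC 6066 lengths) is silently dropped by the `if (length != null)` guard added in the `@@ -108` hunk, so an operator who set, say, 1000 believes the DTLS fragment length is constrained while the connector actually runs with Californium's default. A misconfiguration of the DTLS transport should be visible rather than swallowed: either fail fast with an `else` branch such as `throw new IllegalArgumentException("Unsupported coap.dtls.max_fragment_length " + maxFragmentLength + "; allowed values are 512, 1024, 2048, 4096");`, or at least log a warning if the class already has a logger (not visible in this hunk). The same applies to `max_transmission_unit`, which is passed straight into `DTLS_MAX_TRANSMISSION_UNIT` without any range check; Californium may validate it itself, but that cannot be confirmed from this diff. The enclosing method starts and ends outside the hunk.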
From dc316ec10dcc035e6fadbcf6977a6415ad79ba3f Mon Sep 17 00:00:00 2001 From: nick Date: Thu, 12 Dec 2024 17:38:08 +0200 Subject: [PATCH 3/6] coaps: x509 - dtls reuse length variable --- .../org/thingsboard/server/coapserver/TbCoapDtlsSettings.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
index 9d3f191f48..6ebc54323d 100644
--- a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
+++ b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
@@ -123,7 +123,7 @@ public class TbCoapDtlsSettings {
 if (maxFragmentLength != null) {
 Length length = fromLength(maxFragmentLength);
 if (length != null) {
- configBuilder.set(DTLS_MAX_FRAGMENT_LENGTH, fromLength(maxFragmentLength));
+ configBuilder.set(DTLS_MAX_FRAGMENT_LENGTH, length);
 }
 }
 configBuilder.setAdvancedCertificateVerifier(
From 4cfe7441b1ab451833d147dcf1ee283911eeb85e Mon Sep 17 00:00:00 2001 From: nick Date: Thu, 12 Dec 2024 19:30:50 +0200 Subject: [PATCH 4/6] coaps: x509 - dtls add default values here (1024) --- .../org/thingsboard/server/coapserver/TbCoapDtlsSettings.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
index 6ebc54323d..063494d630 100644
--- a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
+++ b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java
@@ -69,10 +69,10 @@ public class TbCoapDtlsSettings { @Value("${coap.dtls.connection_id_length:}") private Integer cIdLength; - @Value("${coap.dtls.max_transmission_unit:}") + @Value("${coap.dtls.max_transmission_unit:1024}") private Integer maxTransmissionUnit; - @Value("${coap.dtls.max_fragment_length:}") + @Value("${coap.dtls.max_fragment_length:1024}") private Integer maxFragmentLength; @Bean From 50e69681706ddaf25e63f09b77eea789c8f9e836 Mon Sep 17 00:00:00 2001 From: nick Date: Fri, 13 Dec 2024 12:13:11 +0200 Subject: [PATCH 5/6] coaps: x509 - dtls add default values here (1024) and in yml add note --- .../src/main/resources/thingsboard.yml | 22 ++++++++++++++++++- .../server/coapserver/TbCoapDtlsSettings.java | 4 ++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml index 5b53339346..4d69afedb2 100644 --- a/application/src/main/resources/thingsboard.yml +++ b/application/src/main/resources/thingsboard.yml 
@@ -1303,8 +1303,28 @@ coap: # - A value that are > 4: MultiNodeConnectionIdGenerator is used connection_id_length: "${COAP_DTLS_CONNECTION_ID_LENGTH:}" # Specify the MTU (Maximum Transmission Unit). + # Should be used if LAN MTU is not used, e.g. if IP tunnels are used or if the client uses a smaller value than the LAN MTU. + # Default = 1024 + # Minimum value = 64 + # If set to 0 - LAN MTU is used. max_transmission_unit: "${COAP_DTLS_MAX_TRANSMISSION_UNIT:1024}" - # DTLS maximum fragment length (RFC 6066) + # DTLS maximum fragment length (RFC 6066, Section 4). + # Default = 1024 + # Possible values: 512, 1024, 2048, 4096. + # If set to 0, the default maximum fragment size of 2^14 bytes (16,384 bytes) is used. + # Without this extension, TLS specifies a fixed maximum plaintext fragment length of 2^14 bytes. + # It may be desirable for constrained clients to negotiate a smaller maximum fragment length due to memory limitations or bandwidth limitations. + # In order to negotiate smaller maximum fragment lengths, + # clients MAY include an extension of type "max_fragment_length" in the (extended) client hello. + # The "extension_data" field of this extension SHALL contain: + # enum { + # 2^9(1) == 512, + # 2^10(2) == 1024, + # 2^11(3) == 2048, + # 2^12(4) == 4096, + # (255) + # } MaxFragmentLength; + # TLS already requires clients and servers to support fragmentation of handshake messages. max_fragment_length: "${COAP_DTLS_MAX_FRAGMENT_LENGTH:1024}" # Server DTLS credentials credentials: diff --git a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java index 063494d630..2f0127643a 100644 --- a/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java +++ b/common/coap-server/src/main/java/org/thingsboard/server/coapserver/TbCoapDtlsSettings.java 
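Review bot: The new `max_fragment_length` comment lists `Possible values: 512, 1024, 2048, 4096` and explains `0`, but does not say what happens for any other value; the Java side in this series (`fromLength` in TbCoapDtlsSettings) maps unknown values to `null` and skips the setting, so they are silently ignored. I would add directly after the "Possible values" line: `# Any other value is ignored by ThingsBoard and the Californium default applies (the extension is not configured).` The pasted RFC text, from `Without this extension` through `} MaxFragmentLength;`, duplicates the standard rather than documenting ThingsBoard behaviour and could be reduced to the RFC reference already given on the first line. The statement that `0` yields "the default maximum fragment size of 2^14 bytes" is the RFC default; whether Californium applies exactly that when the option is left unset cannot be confirmed from this diff, so I would phrase it as "the library default".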
@@ -117,10 +117,10 @@ public class TbCoapDtlsSettings {
 configBuilder.set(DTLS_CONNECTION_ID_NODE_ID, null);
 }
 }
- if (maxTransmissionUnit != null) {
+ if (maxTransmissionUnit > 0) {
 configBuilder.set(DTLS_MAX_TRANSMISSION_UNIT, maxTransmissionUnit);
 }
- if (maxFragmentLength != null) {
+ if (maxFragmentLength > 0) {
 Length length = fromLength(maxFragmentLength);
 if (length != null) {
 configBuilder.set(DTLS_MAX_FRAGMENT_LENGTH, length);
From 75e64f7f95c27d3dd9e3dcca40e012cd91f20a54 Mon Sep 17 00:00:00 2001 From: nick Date: Fri, 13 Dec 2024 12:18:09 +0200 Subject: [PATCH 6/6] coaps: x509 - dtls add default values here (1024) and in yml add note --- .../src/main/resources/tb-coap-transport.yml | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/transport/coap/src/main/resources/tb-coap-transport.yml b/transport/coap/src/main/resources/tb-coap-transport.yml
index 865b85c985..0c7ff4e43e 100644
--- a/transport/coap/src/main/resources/tb-coap-transport.yml
+++ b/transport/coap/src/main/resources/tb-coap-transport.yml
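Review bot: `maxTransmissionUnit > 0` and `maxFragmentLength > 0` unbox `Integer` fields and will throw a NullPointerException during bean creation if either property resolves to null, which the replaced `!= null` checks used to tolerate. With the `:1024` defaults that looks unlikely, but the yml files route these values through `${COAP_DTLS_MAX_TRANSMISSION_UNIT:1024}`, and an environment variable exported as an empty string yields an empty property value, which Spring converts to `null` for an `Integer` target as far as I recall — the very case the neighbouring `cIdLength != null` check guards against. Keep the null guard: `if (maxTransmissionUnit != null && maxTransmissionUnit > 0) {` and `if (maxFragmentLength != null && maxFragmentLength > 0) {`. Alternatively declare both fields as primitive `int`, so a blank or non-numeric value fails at startup with a clear conversion error instead of an NPE. The enclosing method continues outside the hunk.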
@@ -199,8 +199,28 @@ coap: # - A value that are > 4: MultiNodeConnectionIdGenerator is used connection_id_length: "${COAP_DTLS_CONNECTION_ID_LENGTH:}" # Specify the MTU (Maximum Transmission Unit). + # Should be used if LAN MTU is not used, e.g. if IP tunnels are used or if the client uses a smaller value than the LAN MTU. + # Default = 1024 + # Minimum value = 64 + # If set to 0 - LAN MTU is used. max_transmission_unit: "${COAP_DTLS_MAX_TRANSMISSION_UNIT:1024}" - # DTLS maximum fragment length (RFC 6066) + # DTLS maximum fragment length (RFC 6066, Section 4). + # Default = 1024 + # Possible values: 512, 1024, 2048, 4096. + # If set to 0, the default maximum fragment size of 2^14 bytes (16,384 bytes) is used. + # Without this extension, TLS specifies a fixed maximum plaintext fragment length of 2^14 bytes. + # It may be desirable for constrained clients to negotiate a smaller maximum fragment length due to memory limitations or bandwidth limitations. + # In order to negotiate smaller maximum fragment lengths, + # clients MAY include an extension of type "max_fragment_length" in the (extended) client hello. + # The "extension_data" field of this extension SHALL contain: + # enum { + # 2^9(1) == 512, + # 2^10(2) == 1024, + # 2^11(3) == 2048, + # 2^12(4) == 4096, + # (255) + # } MaxFragmentLength; + # TLS already requires clients and servers to support fragmentation of handshake messages. max_fragment_length: "${COAP_DTLS_MAX_FRAGMENT_LENGTH:1024}" # Server DTLS credentials credentials:
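Review bot: The new `max_transmission_unit` comment states `Minimum value = 64` and `If set to 0 - LAN MTU is used`, but the ThingsBoard code in this series only skips the setting when the value is not positive and does not enforce any minimum; whether Californium rejects values below 64 is not visible here, and a negative value is also treated as "use LAN MTU", which the comment does not say. I would reword to `# If set to 0 (or a negative value) the setting is not applied and the LAN MTU is used.` and either drop the `Minimum value = 64` line or qualify it as `# Minimum value = 64 (enforced by the Californium library, not validated by ThingsBoard).` If the minimum matters operationally, the better fix is to validate it in TbCoapDtlsSettings so a too-small MTU fails at startup rather than at the first DTLS handshake.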