wolfSSL was the first (D)TLS library to support DTLS 1.3 and continues to advance DTLS security and reliability. The 5.8.2 and 5.8.4 releases deliver focused fixes that strengthen DTLS handshakes, parsing, and stateless operation. Below are the most impactful DTLS improvements.
DTLS 1.3 Early Data in Stateless Accept (PR #9367)
Applications can now read DTLS 1.3 early data while the server is still in stateless accept, so 0-RTT application data can be processed before the handshake completes. As with TLS 1.3, early data is replayable and should only carry requests that are safe to repeat.
Stricter DTLS Record Parsing (PR #8642)
wolfSSL now enforces the RFC 6347 rule that a DTLS record must not span datagrams: a record whose header or declared length runs past the end of the datagram that carries it is rejected instead of being buffered until the next datagram arrives. This removes an ambiguity on lossy or reordered networks, where the next datagram to arrive need not be the continuation. The legacy behavior can be re-enabled with WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS.
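The difference between the strict and the legacy behaviour is easiest to see on the wire. The parser below is an added illustration written for this post, not wolfSSL code: it splits a UDP payload into DTLSPlaintext records using the RFC 6347 header layout and, in strict mode, refuses any record whose length field overruns the datagram; with strict=False it instead hands back the unconsumed tail, which is what a lenient implementation would have to glue onto the next datagram. The records and the truncated datagram in the demo are constructed test data.

```python
"""Strict DTLS record-layer parsing: every record must end inside its datagram."""
import struct
from dataclasses import dataclass

# DTLSPlaintext header (RFC 6347 section 4.1):
#   ContentType(1) ProtocolVersion(2) epoch(2) sequence_number(6) length(2)
DTLS_HEADER = struct.Struct("!BHHHIH")   # 48-bit sequence split as 16 + 32 bits
DTLS_HEADER_LEN = DTLS_HEADER.size       # 13
DTLS12_VERSION = 0xFEFD


@dataclass
class DtlsRecord:
    content_type: int
    version: int
    epoch: int
    sequence: int
    fragment: bytes


class RecordParseError(ValueError):
    pass


def build_record(content_type, epoch, sequence, fragment, version=DTLS12_VERSION):
    """Serialise one DTLSPlaintext record (constructed test data, not captured traffic)."""
    header = DTLS_HEADER.pack(content_type, version, epoch,
                              (sequence >> 32) & 0xFFFF, sequence & 0xFFFFFFFF,
                              len(fragment))
    return header + fragment


def parse_datagram(datagram, strict=True):
    """Split a UDP payload into DTLS records; returns (records, leftover).

    strict=True: a header or fragment that runs past the end of the datagram
    raises RecordParseError and the datagram is not accepted.
    strict=False: the unconsumed tail is returned so the caller can buffer it
    and prepend it to the next datagram. On a lossy or reordered network that
    next datagram may not be the continuation, which is the ambiguity the
    strict rule removes.
    """
    records = []
    off = 0
    while off < len(datagram):
        tail = datagram[off:]
        if len(tail) < DTLS_HEADER_LEN:
            if strict:
                raise RecordParseError("truncated record header at offset %d" % off)
            return records, tail
        ctype, ver, epoch, seq_hi, seq_lo, length = DTLS_HEADER.unpack_from(datagram, off)
        body_start = off + DTLS_HEADER_LEN
        body_end = body_start + length
        if body_end > len(datagram):
            if strict:
                raise RecordParseError(
                    "record at offset %d declares %d bytes, datagram has only %d"
                    % (off, length, len(datagram) - body_start))
            return records, tail
        records.append(DtlsRecord(ctype, ver, epoch, (seq_hi << 32) | seq_lo,
                                  datagram[body_start:body_end]))
        off = body_end
    return records, b""


if __name__ == "__main__":
    # Two complete records in one datagram parse in either mode.
    ok = build_record(22, 0, 0, b"\x01\x00\x00\x00\x00") + build_record(23, 1, 7, b"hello")
    print(parse_datagram(ok))
    # A record whose length field overruns the datagram (cut after 20 bytes):
    # rejected outright when strict, carried over when lenient.
    overrun = build_record(23, 1, 8, b"A" * 40)[:20]
    print(parse_datagram(overrun, strict=False))
    try:
        parse_datagram(overrun)
    except RecordParseError as e:
        print("strict:", e)
```

Feeding the lenient parser a continuation datagram that arrives before (or instead of) the one it was waiting for makes it interpret application bytes as a record header; the strict parser never gets into that state because it has nothing to carry over.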
DTLS 1.3 Key Derivation Fix for Retransmissions (PR #8858)
Handshake retransmissions could previously cause key material to be overwritten on epoch transitions. Key derivation is now directly tied to epoch creation, preventing incorrect key usage.
Clear-Text Finished Message Handling in DTLS (PR #9205)
DTLS clients now ignore unexpected clear-text Finished messages in epoch 0.
Mandatory Cookie Exchange for DTLS-SRTP (PR #9253)
DTLS-SRTP now always performs a cookie exchange: the server answers the first ClientHello with a cookie (HelloVerifyRequest in DTLS 1.2, HelloRetryRequest in DTLS 1.3) and allocates no connection state until the client echoes that cookie from the same address. This stops a spoofed source address from turning the server into an amplifier and blocks handshakes started on someone else's behalf.
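The property a cookie exchange buys is that the first server flight is cheap, stateless and no larger than the request. The sketch below is an added example for this post and is not wolfSSL's implementation: the server derives the cookie as an HMAC over the claimed source address and the ClientHello fields, keeps no per-client state until a valid cookie comes back, and rejects a cookie replayed from another address or with altered hello fields. The message encodings, the CookieServer and ClientHello names and the sample addresses are simplified constructions for the example.

```python
"""Stateless DTLS cookie exchange: no server state until the client proves it can
receive at the address it claims to send from."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DTLS12_VERSION = 0xFEFD
COOKIE_LEN = 32   # HMAC-SHA256 output; the DTLS cookie field is capped at 255 bytes


@dataclass(frozen=True)
class ClientHello:
    random: bytes          # 32 bytes
    cipher_suites: bytes   # concatenated 2-byte suite codes
    cookie: bytes = b""

    def encode(self):
        # Simplified wire form, enough to compare sizes of request and reply.
        return (struct.pack("!H", DTLS12_VERSION) + self.random
                + bytes([len(self.cookie)]) + self.cookie
                + struct.pack("!H", len(self.cipher_suites)) + self.cipher_suites)


def encode_hello_verify_request(cookie):
    return struct.pack("!H", DTLS12_VERSION) + bytes([len(cookie)]) + cookie


class CookieServer:
    """Server-side front end for the first two handshake flights (illustrative)."""

    def __init__(self, secret):
        self.secret = secret   # a real server rotates this and accepts the previous one briefly
        self.sessions = {}     # addr -> state, created only after a valid cookie

    def _cookie(self, addr, hello):
        # Bind the cookie to the claimed source address and to the ClientHello
        # fields, so it cannot be replayed from elsewhere or reused with a
        # different hello.
        host, port = addr
        msg = host.encode() + struct.pack("!H", port) + hello.random + hello.cipher_suites
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_client_hello(self, addr, hello):
        expected = self._cookie(addr, hello)
        if not hello.cookie or not hmac.compare_digest(hello.cookie, expected):
            # Nothing is allocated here. The reply is smaller than the request,
            # so a spoofed source gets no amplification, and a cookie replayed
            # from another address fails the comparison above.
            return "hello_verify_request", expected
        self.sessions[addr] = {"client_random": hello.random}   # real work starts here
        return "server_hello", None


if __name__ == "__main__":
    srv = CookieServer(secret=b"\x11" * 32)
    victim = ("192.0.2.10", 5004)
    hello = ClientHello(random=bytes(range(32)), cipher_suites=b"\xc0\x2b\xc0\x2f")
    kind, cookie = srv.handle_client_hello(victim, hello)          # spoofed or honest first flight
    print(kind, "bytes out/in = %d/%d" % (len(encode_hello_verify_request(cookie)),
                                          len(hello.encode())))
    echoed = ClientHello(hello.random, hello.cipher_suites, cookie)
    print(srv.handle_client_hello(victim, echoed)[0])              # only a real client gets here
    print(srv.handle_client_hello(("198.51.100.7", 5004), echoed)[0])   # replay from elsewhere
```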
DTLS 1.3 Handshake Stall Prevention (PR #8882)
Lost ACKs could previously cause DTLS 1.3 handshakes to stall. Handshake completion now waits for final ACKs, and ACKs are sent immediately on retransmission.
Correct Peer Selection with DTLS Connection IDs (PR #8848)
Stateless DTLS with Connection IDs now reliably maps packets to the correct peer.
This improves stability and correctness in multi-peer DTLS deployments.
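Keying the peer lookup on the Connection ID rather than on the source address is what makes this work across NAT rebinding, and it only stays safe if the address is updated after the record authenticates. The demuxer below is an added example for this post, not wolfSSL code: it parses the RFC 9147 unified header to extract the CID, looks the session up by CID, verifies the record under that session's key, and only then accepts a changed source address. An HMAC tag stands in for the AEAD (the example omits payload and sequence-number encryption), the fixed 4-byte CID length, the Session and CidDemuxer names and the addresses are constructions for the example.

```python
"""Routing DTLS 1.3 records to sessions by Connection ID, not by source address."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

CID_LEN = 4     # a server chooses the length of the CIDs it issues, so it can parse them
TAG_LEN = 16
APP_EPOCH = 3   # first application-data epoch in DTLS 1.3


@dataclass
class Session:
    cid: bytes
    key: bytes
    peer_addr: tuple
    received: list = field(default_factory=list)


def _tag(key, header, payload):
    # Stand-in for the AEAD tag: real DTLS 1.3 also encrypts payload and sequence number.
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_cid_record(cid, seq, payload, key, epoch=APP_EPOCH):
    """Unified header (RFC 9147 section 4): bits 0 0 1 C S L E E.
    Here C=1 (CID present), S=0 (8-bit sequence), L=1 (length present)."""
    first = 0x20 | 0x10 | 0x04 | (epoch & 0x03)
    header = (bytes([first]) + cid + bytes([seq & 0xFF])
              + struct.pack("!H", len(payload) + TAG_LEN))
    return header + payload + _tag(key, header, payload)


def parse_unified_header(datagram, cid_len=CID_LEN):
    first = datagram[0]
    if first & 0xE0 != 0x20:
        raise ValueError("not a DTLS 1.3 ciphertext record")
    has_cid, seq16, has_len = first & 0x10, first & 0x08, first & 0x04
    off, cid = 1, b""
    if has_cid:
        cid, off = datagram[off:off + cid_len], off + cid_len
    seq_len = 2 if seq16 else 1
    seq = int.from_bytes(datagram[off:off + seq_len], "big")
    off += seq_len
    if has_len:
        length = struct.unpack_from("!H", datagram, off)[0]
        off += 2
    else:
        length = len(datagram) - off
    body = datagram[off:off + length]
    if len(body) != length or len(body) < TAG_LEN:
        raise ValueError("truncated record")
    return cid, seq, datagram[:off], body


class CidDemuxer:
    def __init__(self):
        self.by_cid = {}

    def register(self, cid, key, peer_addr):
        session = Session(cid, key, peer_addr)
        self.by_cid[cid] = session
        return session

    def route(self, src_addr, datagram):
        """Deliver one datagram; return the accepting Session or None if dropped."""
        try:
            cid, seq, header, body = parse_unified_header(datagram)
        except (ValueError, IndexError):
            return None
        session = self.by_cid.get(cid)
        if session is None:
            return None
        payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(session.key, header, payload)):
            return None   # forged or mis-keyed: leave the session's peer state alone
        if src_addr != session.peer_addr:
            # Authenticated under this session's key, so the peer really moved
            # (NAT rebinding). Only now is the address updated; RFC 9147
            # section 8 also asks for path validation before sending bulk data
            # to a new, unvalidated address.
            session.peer_addr = src_addr
        session.received.append((seq, payload))
        return session


if __name__ == "__main__":
    dmx = CidDemuxer()
    a = dmx.register(b"\x00\x00\x00\x01", b"A" * 32, ("192.0.2.10", 40000))
    b = dmx.register(b"\x00\x00\x00\x02", b"B" * 32, ("192.0.2.11", 40001))
    dmx.route(("192.0.2.10", 40000), build_cid_record(a.cid, 1, b"from A", a.key))
    dmx.route(("192.0.2.10", 41234), build_cid_record(a.cid, 2, b"after rebind", a.key))
    print("A now at", a.peer_addr, "received", [p for _, p in a.received])
    forged = build_cid_record(b.cid, 5, b"x", b"Z" * 32)      # B's CID, attacker's key
    print("forged accepted:", dmx.route(("192.0.2.10", 41234), forged) is not None)
```

An address-keyed table would have dropped the rebound record, or worse, attached it to whichever session last used that 4-tuple; the forged record shows why the address must not be updated before the tag check passes.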
DTLS 1.3 0-RTT Early Data Examples
New DTLS 1.3 client and server examples demonstrate 0-RTT early data usage.
These examples simplify evaluation and integration of early data support.
Better DTLS 1.3 Timeout Management (PR #9259)
wolfSSL now resets the retransmission timeout only when it receives a valid message, so malformed or unexpected packets can no longer keep postponing retransmission and stall the handshake.
wolfSSL thanks all users and testers who reported issues and helped validate these improvements. If you have questions or need assistance integrating (D)TLS into your application, please contact facts@wolfssl.com or call us at +1 425 245 8247.