How to get debug output from `openssl s_server` when (PSK-only DTLS) handshake fails?
We have tested our DTLS client using the openssl s_server program from OpenSSL 3.2.1. The handshake failed because we used the wrong PSK on the client. To our surprise, the server neither responded with a TLS Alert message nor did it show any meaningful debug output.
We have started the server with the following command:
openssl s_server -dtls -psk 01020304 -psk_identity dtls-psk-test -nocert -port 12345 -cipher TLS_PSK_WITH_AES_128_CCM -status_verbose -security_debug -security_debug_verbose -state
Using the -status_verbose -security_debug -security_debug_verbose -state flags, I would assume any debug output which should give a hint that the verification of the handshake Finished message failed. But instead, the server just stops responding.
Concretely, the server output looks as follows:
Using default temp DH parameters
ACCEPT
Security callback: Version=???: yes
Security callback: Version=???: yes
Security callback: Version=DTLS 1.0: no
Security callback: Version=DTLS 1.0 (bad): no
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:DTLS1 write hello verify request
SSL_accept:DTLS1 write hello verify request
Security callback: Version=???: yes
Security callback: : yes
Security callback: Supported Signature Algorithm scheme=rsa_pkcs1_sha1, security bits=64: no
Security callback: Supported Signature Algorithm digest=SHA1, algorithm=DSA, security bits=64: no
Security callback: Supported Signature Algorithm scheme=ecdsa_sha1, security bits=64: no
Security callback: Shared Ciphersuite=PSK-AES128-CCM, security bits=128: yes
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS read client key exchange
Afterwards, the client times out at some point, the server gives no indication at all that something went wrong and just times out after a relatively long time (around 5 min).
How could we get the server to send a TLS Alert message and/or show debug output which shows what went wrong?
