Function esp_idf_svc::sys::mbedtls_ssl_conf_dtls_badmac_limit

source ·
pub unsafe extern "C" fn mbedtls_ssl_conf_dtls_badmac_limit(
    conf: *mut mbedtls_ssl_config,
    limit: u32,
)
Expand description

\brief Set a limit on the number of records with a bad MAC before terminating the connection. (DTLS only, no effect on TLS.) Default: 0 (disabled).

\param conf SSL configuration \param limit Limit, or 0 to disable.

\note If the limit is N, then the connection is terminated when the Nth non-authentic record is seen.

\note Records with an invalid header are not counted, only the ones going through the authentication-decryption phase.

\note This is a security trade-off related to the fact that it’s often relatively easy for an active attacker to inject UDP datagrams. On one hand, setting a low limit here makes it easier for such an attacker to forcibly terminated a connection. On the other hand, a high limit or no limit might make us waste resources checking authentication on many bogus packets.