Using DTLS enabled CoAP command line clients

4 Apr

A couple of embedded operating systems ship with examples for CoAP server and client communication. Because the normal network security features in e.g. 6LoWPAN aren't adequate, it makes sense to additionally encrypt every data transfer inside and outside of the network.

When it comes to IoT devices, energy consumption is often the most costly factor. Sending more messages takes more time, which in turn uses more energy, as these embedded systems consume quite a lot of energy when sending data (compared to receiving, or to the consumption of the IC itself). Therefore it is wiser to base transfers on UDP rather than TCP. To secure UDP messages, DTLS was introduced. You can find out more about DTLS in RFC 6347. An often-used open source library that is suited for embedded devices is tinyDTLS.

While checking through CoAP clients and proxies that support DTLS I found only two clients that match my criteria: DTLS based on PSK. As I don't want to spend a lot of time implementing certificate handling in the already existing examples, I'd rather stick to the existing Pre-Shared-Key (PSK) examples.

Note: When giving a URI to a client, remember to put coaps:// instead of coap:// in front of it to trigger DTLS encryption. The non-secure CoAP server port is 5683 while the secure port is 5684.
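A check for the note above, as an added example that is not part of the original post: it classifies a UDP payload as a DTLS record (RFC 6347 record header) or as cleartext CoAP (RFC 7252 header), so a capture can confirm that a client really used coaps://. The sample datagrams are constructed, reusing the message IDs and token that appear in the client output on this page; the function names are hypothetical.

```python
import struct

COAP_TYPES = ("CON", "NON", "ACK", "RST")
DTLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

def classify(datagram: bytes) -> dict:
    """Classify one UDP payload as a DTLS record, cleartext CoAP, or unknown."""
    # DTLS record header (RFC 6347 section 4.1):
    # content type (1) | version (2) | epoch (2) | sequence number (6) | length (2)
    if len(datagram) >= 13 and datagram[0] in DTLS_CONTENT:
        ctype, version, epoch = struct.unpack("!BHH", datagram[:5])
        seq = int.from_bytes(datagram[5:11], "big")
        length = int.from_bytes(datagram[11:13], "big")
        if version in DTLS_VERSIONS and length <= len(datagram) - 13:
            # Epoch 0 is the unprotected handshake phase; later epochs are ciphered.
            return {"kind": "dtls", "content": DTLS_CONTENT[ctype],
                    "version": DTLS_VERSIONS[version], "epoch": epoch,
                    "seq": seq, "protected": epoch > 0}
    # CoAP header (RFC 7252 section 3):
    # Ver (2 bits, always 1) | Type (2 bits) | TKL (4 bits) | Code (8) | Message ID (16)
    if len(datagram) >= 4 and datagram[0] >> 6 == 1:
        tkl = datagram[0] & 0x0F
        code, mid = struct.unpack("!BH", datagram[1:4])
        if tkl <= 8 and len(datagram) >= 4 + tkl:
            return {"kind": "coap", "type": COAP_TYPES[(datagram[0] >> 4) & 0x03],
                    "code": f"{code >> 5}.{code & 0x1F:02d}", "mid": mid,
                    "token": datagram[4:4 + tkl].hex()}
    return {"kind": "unknown"}

def cleartext_coap(datagrams):
    """Return the datagrams that expose CoAP headers and payload on the wire."""
    return [d for d in datagrams if classify(d)["kind"] == "coap"]

# Constructed samples (not captured traffic).
# GET /time, CON, message ID 0x0ee2, as it would look when sent via coap://
COAP_GET = bytes.fromhex("40 01 0ee2 b4") + b"time"
# 2.05 ACK, MID 419, token b7bbb76e4f84b236, text/plain, Max-Age 1, 15-byte payload
COAP_ACK = bytes.fromhex("68 45 01a3 b7bbb76e4f84b236 c0 21 01 ff") + b"Apr 04 15:34:13"
# DTLS 1.2 handshake record in epoch 0 and application data in epoch 1 (dummy bodies)
DTLS_HANDSHAKE = bytes.fromhex("16 fefd 0000 000000000000 0004") + bytes(4)
DTLS_APPDATA = bytes.fromhex("17 fefd 0001 000000000001 0008") + bytes(8)

if __name__ == "__main__":
    for name in ("COAP_GET", "COAP_ACK", "DTLS_HANDSHAKE", "DTLS_APPDATA"):
        print(f"{name:15} {classify(globals()[name])}")
```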


Californium is sponsored and hosted by Eclipse and is written in Java. To build the client you need to check out the tools repository and use Maven to build it:

apt-get install maven
git clone
mvn clean install
cp target/cf-client-<version>.jar ../run

To run the client and use PSK just execute the following.

cd ../run
java -jar cf-client-1.1.0-SNAPSHOT.jar -psk GET coaps://[::1]/time

I’m running the coap-server from libcoap for this GET request which delivers this console output:

DTLS handshake jibber jabber
==[ CoAP Response]============================================
MID    : 419
Token  : b7bbb76e4f84b236
Type   : ACK
Status : 2.05
Options: {"Content-Format":"text/plain", "Max-Age":1}
Payload: 15 Bytes
Apr 04 15:34:13
Time elapsed (ms): 122

This has also been documented here as I used it to access a 6lbr demo server.


libcoap is a widely used CoAP library which e.g. has also been integrated into Contiki and RIOT OS. It is fully compliant with the CoAP RFC 7252, and Olaf Bergmann also integrated tinyDTLS on a second branch called dtls.

To build the library and examples do the following:

git clone
git checkout dtls
git submodule update --init --recursive
./configure --disable-documentation --disable-shared

The example client and server are placed in the examples directory. Open two separate terminals and execute the server first:

./coap-client -m GET -u "Client_identity" -k "secretPSK" coaps://[::1]/time
v:1 t:CON c:GET i:0ee2 {} [ ]
decrypt_verify(): found 24 bytes cleartext
decrypt_verify(): found 23 bytes cleartext
Apr 04 15:37:37

Thanks for the help to build these examples.

