-
Notifications
You must be signed in to change notification settings - Fork 593
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS support #40
Comments
No plans at the minute. I know it's used for some VPNs, webrtc and some iot things. What is your use case? |
VPN ^^ |
Would you see DTLS within the scope of this library (i.e. would you accept pull request)? |
I am currently playing around implementing DTLS. Would it be the best to do this on the tls13 branch? |
Perhaps. I'm not sure some of the external APIs are really suitable, to the extent that it might make sense as a separate crate built from the same codebase.
Yes. Though beware that this branch is still in major churn and is overdue a serious refactoring of |
In case you are interested: https://github.com/manuels/rustls/tree/dtls12
|
Looking good! 👍 |
Ok, I figured out that the situation is a bit complex, and there are several ways to implement DTLS specific stuff. Since this decision can have quite an extensive impact on the codebase I'd like to discuss how to proceed. The ProblemDTLS requires some additional fields in Possible Solutions
|
After some time thinking about it, I think it's worth renaming the current Then all struct |
DTLS/TLSMessage sounds ok, but beware that some performance relies on Message being moved by value into the processing functions: so the traits will need to cover these cases by exposing (eg) sorry, i overlooked your earlier comment. for |
They are basically the same. The DTLS version of ClientHelloPayload just adds an optional cookie. |
Hey @ctz, I've seen in your TODO project that you are refactoring the state machine. Thanks! |
I don't have any wip branch for that yet. But I'll push one once I do and link it here. |
In case this is useful: I tried to summarize the TLS state machine a while a go: https://github.com/manuels/tls-state-machine |
A quick update. I had to refactor the TLS specific code of |
I am wondering how the user should decide which protocol to use. Either the instantiation of @ctz, do you have a comment on this? |
How about separate On the question of |
Just wondering if there has been any progress on this issue, I'm working on IoT and support for DTLS would be very handy. |
Wireguard solved my problems so far and I do not have time to work on DTLS currently. |
@manuels Do you have time to have a look at it now? I would love to see some progress on this implementation. Many IoT platforms need communication over DTLS for security. I would love to work on this, but this is way over my head. |
A DTLS implementation would be very awesome, I hope you find some time @manuels, seems like you were very close! |
It would be great to see DTLS support, is there any progress? |
Would really love to see DTLS implemented in Rustls. We need it for some WebRTC work and currently are forced to use OpenSSL. |
Some plans for this, but have been waiting for DTLS1.3. That is nearing completion now. |
Any additional thoughts or updates on this? Something we've been interested in as well and investigating options for, cc @luna-duclos |
A pure-rust DTLS implementation would be fantastic for embedded usecases. Any further updates on this? |
DTLS 1.3 looks like it is nearing completion, currently in the RFC editor's queue. Meanwhile, for some use cases maybe QUIC + its datagram extension is a decent fit? (If someone is interested in sponsoring DTLS 1.3 support, I'd be happy to connect.) |
I recently discovered https://github.com/webrtc-rs/dtls but I don't know whether it is already usable. |
Also since QUIC has progressed very well, which runs over UDP but uses TLS building blocks from the regular TCP TLS implementations, the requirement for DTLS (UDP) has ... well, diminished. |
Unfortunately, that crate seems to be very tightly fused to std. |
There are is a e2e test PR that shows it in action, but there seem to be a few structs that are missing. Not sure what is happening there. |
Folks, it's useful to have a link to that crate here but further discussion about it seems off-topic for this issue. |
My feeling is that DTLS would need a totally different public API to rustls, to the extent that it doesn't really make sense to have it in the same crate (even as a cargo feature). What I would be open to is refactoring the core crate to allow reuse of the parts common between TLS/DTLS,. What I would never want to see in the core crate is stuff like https://github.com/openssl/openssl/blob/54b40531307fcaba1206e98f4cae73f0532fbdbb/ssl/record/ssl3_buffer.c#L45-L48 -- that would seem to me to be evidence of bad architecture. As for actually making progress on this, the tlswg continue to alter the design, and I'm not sure writing a DTLS1.2-only implementation is a sensible idea at this point. The other thing I'm aware of is that DTLS and embedded use cases often come hand-in-hand, so the DTLS crate would likely have to pay more attention to the constraints this brings. |
While playing around with DTLS, I came to the conclusion that TLS and DTLS are working with two entirely different kinds of streams, and that knowledge about MTU, framing, and other items are important to a consuming DTLS (de)encryptor. Thus, I concur this has to be a different API/crate, if it means it could consume a std |
For anyone curious about this development; i'm going to attempt to create an own implementation of this, as per ruma/lb#7, taking https://github.com/pion/dtls and this library as inspiration, at https://github.com/shadowjonathan/dustls I know i'll be making mistakes, so i'm inviting people who are interested in this to help me out as well. If there are any rustls maintainers reading this; Collaboration is appreciated, once/if i get the implementation up and close to something usable, i'm offering the repo to be adopted by the rustls org, including crates.io ownership and all. I'll need recommendations on supported cipher suites, though for now it is a goal to be compatible with at least some of these cipher suites. I'll initially be executing a rough API design as described here, though obviously it's open for discussion. This is going to be v1.2-only for the moment, providing a base implementation, until v1.3 is finalised, after which i'll take a look and consider how the library's API would have to be changed in order to accommodate it (if that'd be required). Efforts are going to be here, though with me doing this in my free time, commits are going to be sporadic, help is appreciated. |
Just off-hand, I'd highly recommend not trying to wrap a |
Agreed with @Ralith, would be nice to mimic the rustls API where possible. I might try reviewing your work as you go, if you want to tag me in PRs or something. |
One of my goals is definitely to be as agnostic as possible to the underlying transport(s), only that they have to receive/send their IO in a framed fashion, and that hints like (P)MTU can be passed through.
From the rough API draft, " |
@djc @ctz I'd like to collaborate a bit more closely on this (especially with the idea of such a core crate), so i can quickly ask some questions in the future, do y'all have any preferred IM handle i can contact you with? I'd personally prefer matrix: |
Feel free to hit me up on Matrix or Twitter. On Matrix I'm @djc:mozilla.org I think. |
Do you plan on supporting DTLS (TLS over UDP)?
The text was updated successfully, but these errors were encountered: