Support TLS_PSK_WITH_AES_128_CCM_8 for IoT usecases #45
Comments
@bocajim Would it be feasible to contribute
Hey @daenney That would be fantastic! I am open to any/all improvements to the library. We are missing features just because they were not needed for This change won't be trivial, but we should totally do it!

We don't support PSK, so we will need to handle that. The actual encrypt/decrypt is easy to update; we already support CBC and GCM, so adding CCM shouldn't be bad! Hopefully we don't have to break the API for existing users, but if it is needed I understand.

If you want to join our Slack I can help and will try to explain a little bit here also. The communication is split up into 'flights'. I designed it this way so we can handle retransmissions/out of order packets. each side accepts incoming messages, and when we get everything we want we start processing code each side just keeps re-sending until it gets to the next flight code
This is the first step towards completing #45.
I started digging into this, the good news is OpenSSL does support It is just a lot easier since my debug loop is much faster with OpenSSL (I just know the code base best) thanks!
Funky. I couldn't get it to show up in
Glad you found it though!
@daenney what version of OpenSSL do you have, I was able to get this with I also had to do
Same:
Add configuration option for user to pass PSK. When a user passes a PSK then we only allow CipherSuites that do PSK. If user passes a PSK and a certificate return an error. Relates to #45
Also simplify CipherSuite filtering relating to PSK/non-PSK suites Relates to #45
Need to add tests still, but running examples against each other works! Relates to #45
We can decrypt what OpenSSL sends us, but OpenSSL is unable to decrypt from us. Relates to #45
Need to add tests still, but running dial/listen against each other works! Relates to #45
Expand e2e tests to cover PSK Resolves #45
Include PSK support in README and add two new examples Resolves #45
Less edge cases to worry about Resolves #45
Print the hint to stdout, just so the user understands the purpose of the passed value. Resolves #45
ServerKeyExchange is optional for PSK, exclude this message if PSKIdentityHint is nil Resolves #45
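The three rules stated in the commit messages above (only PSK suites when a PSK is set, an error for PSK plus certificate, no ServerKeyExchange when PSKIdentityHint is nil), as an added Go example that is not the library's own code. The `Config` and `CipherSuite` types, the function names and the key bytes are hypothetical; the flight is reduced to the server hello messages, and dropping PSK suites in certificate mode is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not the library's API.
type CipherSuite struct{ ID uint16; PSK bool } // ID is the IANA-registered value

type Config struct {
	PSK             []byte // nil selects certificate mode
	PSKIdentityHint []byte
	Certificate     []byte // stand-in for a real certificate chain
	CipherSuites    []CipherSuite
}

var ErrPSKAndCertificate = errors.New("PSK and certificate are mutually exclusive")

// UsableSuites rejects PSK+certificate configs, then keeps only the suites
// whose key type matches the configured mode.
func UsableSuites(c Config) ([]CipherSuite, error) {
	if c.PSK != nil && len(c.Certificate) > 0 {
		return nil, ErrPSKAndCertificate
	}
	var out []CipherSuite
	for _, s := range c.CipherSuites {
		if s.PSK == (c.PSK != nil) {
			out = append(out, s)
		}
	}
	return out, nil
}

// ServerFlight lists the server hello flight; in PSK mode ServerKeyExchange
// exists only to carry the identity hint, so it is left out when the hint is nil.
func ServerFlight(c Config) []string {
	msgs := []string{"ServerHello"}
	if c.PSK == nil {
		msgs = append(msgs, "Certificate", "ServerKeyExchange")
	} else if c.PSKIdentityHint != nil {
		msgs = append(msgs, "ServerKeyExchange")
	}
	return append(msgs, "ServerHelloDone")
}

func main() {
	// 0xC0A8 = TLS_PSK_WITH_AES_128_CCM_8, 0xC02B = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	c := Config{PSK: []byte{0xAB, 0xC1, 0x23}, CipherSuites: []CipherSuite{{0xC0A8, true}, {0xC02B, false}}} // constructed key
	fmt.Println(UsableSuites(c))
	fmt.Println(ServerFlight(c))
}
```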
Nice, I think that adds a whole new level of usefulness :) Thank you so much for taking time for the reviews guys @daenney @igolaizola! If you guys have any opinions on things the library needs/where we should go next I am all ears :) I am back on Pion WebRTC for a while, but always ready to jump in
Summary
I'd like to request inclusion of at least one RFC 6655 cipher suite, TLS_PSK_WITH_AES_128_CCM_8. This suite is often used for IoT products, most notably IKEA Tradfri uses it for CoAP over DTLS.
Motivation
I'd like to use a Go native DTLS library in a number of my IoT projects. Some of these projects involve talking to (or exposing as) gateways that leverage this particular cipher suite as it's fairly common in IoT products. Currently bocajim/dtls exists which implements just that cipher.
Describe alternatives you've considered
I can always use this and the other DTLS library when I happen to need more than just TLS_PSK_WITH_AES_128_CCM_8. But I would much prefer to have one maintained library with all capabilities instead of being split between multiple packages from different maintainers.
Checklist
TLS_PSK_WITH_AES_128_CCM_8