DTLS #11
Comments
|
DTLS is not in node core, so this has to wait for some time. |
|
Ok, do you think it would make more sense to build it as a node module without patching node.js? I might find time to start somewhere. |
|
There are no plans into adding dtls to node core anytime soon: check |
|
Have you tried the solution proposed in nodejs/node-v0.x-archive#6704 ? Maybe trying to push a proposed solution will be easier than creating a binding from scratch. |
|
That would be a very long-term solution, likely 1+ year to get it into a
|
|
Concerning this subject, an idea came to my mind that may be a simple and efficient solution for the problem (or a disposable crazy idea, who knows): Would it be possible to use a DTLS terminator the same way a SSL terminator is used? This way we could decouple the DTLS securization from the library, and have a CPU efficient module deal with all the cryptographic stuff. We have used NGINX for SSL termination in the past but I don't know if it provides similar features for DTLS or whether building a module to support that would be feasible or a complete hell. Have you tried this approach? Do you think it could be possible to solve the problem this way? |
|
I mistakenly closed the issue, sorry. |
|
DTLS support is also needed for clients, not only for servers. Basically, we need to write a native module to support DTLS in node. It is likely 2-4 weeks of work, given a quick estimate. |
|
I started a Node.js DTLS module for WebRTC purposes at: Rantanen/node-dtls The module is a bit unstable for now but it does implement DTLS 1.2 compatible handshake and data transmission so I feel like the worst parts are done. Unfortunately the only two DTLS endpoints I've had to test it against have been the openssl s_client/s_server commands and the module itself. I've not gone through the CoAP references (just saw it mentioned in one of the Node.js PRs) so I'm not sure if CoAP would need support for certain (D)TLS extensions, etc. or what else would be needed to provide DTLS support for CoAP. While I don't really have need for DTLS in CoAP (or even CoAP itself) I'm interested in more ways to test the DTLS module against different DTLS implementations. I'm currently playing catch up with the unit tests for the handshake handling and general test coverage, but once I'm satisfied with that I'll see if I can implement more of the DTLS basics such as handshake renegotiation, DTLS 1.0 support, Node 0.10 compatibility and then the various extensions such as heartbeat and quick session resume. Edit: Oh, and at least for now this is DTLS in name only. While it encrypts/decrypts the traffic, the security aspect isn't necessarily proven to be strong against the multitude of attacks known against (D)TLS. |
|
Wooow, DTLS in pure JS, this is awesome! I would love to have support for this in this library! I am kind of low on bandwidth at the moment, but I look forward to this! |
|
Please add DTLS features to node-coap, thx. |
|
@Sean-Wang DTLS apis are not exposed in node.js. Probably it will happen after the reconciliation release. As a time frame, we will probably have this feature done before the end of the year. |
|
Thanks @mcollina . |
|
Hi, what is the current status of CoAP DTLS at this time? |
|
Currently DTLS is not implemented |
|
However there seems to be this fork https://github.com/neustar/node-coap-dtls with working dtls for the client. |
|
Hello sir Thank you ... |
|
Hi, does this news make this project to be enable DTLS function ? |
|
https://github.com/nodertc/dtls Here is my experimental DTLS implementation in pure js. Client side only right now. Modern ciphers, message reordering, defragmentation already exists. |
|
I testes Coap server is const coap = require('../') // or coap
const dtls = require('@nodertc/dtls');
const socket = dtls.connect({
type: 'udp4',
remotePort: 8089,
remoteAddress: '127.0.0.1',
maxHandshakeRetransmissions: 3,
alpn: 'coap',
pskIdentity: 'coap',
pskSecret: 'deadbeaf',
cipherSuites: [
'TLS_PSK_WITH_AES_128_GCM_SHA256',
'TLS_PSK_WITH_AES_256_GCM_SHA384'
]
})
const agent = new coap.Agent({ socket });
const req = coap.request({ agent })
req.on('response', function(res) {
res.pipe(process.stdout)
socket.close();
})
req.end() |
|
Actually since v0.23.0 coap server and client can be used on top of any custom layer (including DTLS) as long as it provides a socket compatible with dgram socket API (https://nodejs.org/api/dgram.html), i.e. const customClientSock = ....;
const customServerSock = ...;
const server = coap.createServer();
server.on('request', (req, res) => {
console.log('Server got request');
res.end('Response');
});
server.listen(customServerSock, () => {
const req = coap.request({ agent: new coap.Agent({ socket: customClientSock }) });
req.on('response', res => {
console.log('Client got response');
});
req.end();
});I've successfully used this approach together with a minimal mbedtls nodejs wrapper to do automated testing for a wakaama+gnutls server. It would be cool to test how node-coap performs on top of other layers. Anyone willing to write an SMS socket wrapper? :) |
|
Nice work @GiedriusM! Do you intend to contribute an official DTLS server implementation? 🙏 BTW, there's an actual CoAP over SMS draft, albeit it doesn't use Datagrams :) |
@beriberikix, what do you mean by "official"? |
|
I got my wires crossed 🤦♂ I was wondering if @reklatsmasters was considering developing a server. |
|
DTLS server is much more complex thing. It has more stringent security requirements (select cipher, alerts). Yes, all low-level primitives are implemented (aead, master/premaster keys, etc.), but i dunno... Besides, DTLS server is not required for WebRTC. |
|
Hey @reklatsmasters, |
|
@heri16 This is an alert messages UNEXPECTED_MESSAGE and HANDSHAKE_FAILURE. It means mismatch client and server configurations or a bug in dtls client. Could you please create an issue in nodertc/dtls repo and attach protocol dump using wireshark? |
|
@reklatsmasters Nevermind, I am using tinydtls which only supports 'TLS_PSK_WITH_AES_128_CCM_8' and 'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8' |
|
These ciphers deprecated or not recommended for using by spec.
вт, 24 сент. 2019 г., 11:05 Ankit Mishra <notifications@github.com>:
… @reklatsmasters <https://github.com/reklatsmasters> Nevermind, I am using
tinydtls which only supports 'TLS_PSK_WITH_AES_128_CCM_8' and
'TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8' ciphers. And these are not supported
by yours library.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#11>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AARGXCCZLUZITR2XAXLRDJLQLHC3PANCNFSM4AI5SZFA>
.
|
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within the next 7 days. Please check if the issue is still relevant in the most current version of the adapter and tell us. Also check that all relevant details, logs and reproduction steps are included and update them if needed. Thank you for your contributions. |
|
This issue has been automatically closed because of inactivity. Please open a new issue if still relevant and make sure to include all relevant details, logs and reproduction steps. Thank you for your contributions. |
If DTLS is not yet available, would libsodium via node-ffi work?
The text was updated successfully, but these errors were encountered: