[zeromq-dev] Encryption (OpenSSL/TLS)

Oliver Smith oliver at kfs.org
Fri Oct 1 18:28:42 CEST 2010


  Pieter Hintjens said the following on 9/30/2010 1:49 PM:
> Hi Oliver,
>
> Mato and I were discussing this exact topic yesterday.  Neither of us
> are really security experts but his experience trumps mine.  I'd go
> for an OpenSSL TLS transport layer that replaces the existing tcp://
> transport.  Mato's opinion was that this would not work, and the
> correct approach would be per-message encryption, with out of band key
> exchange using some existing technology.
>
> Mato's approach has the advantage of also giving secure multicast.
>
> -Pieter
Hmm.

I'd also thought about using something like "tcps://" for an underlying 
"secure connection" transport; I hadn't thought about multicast.

What was Mato's reasoning for saying it would not work? Is it to do with 
provisioning keys, etc.?

The reason I think that a ZeroMQ socket-type level would work best is 
that you would then be able to do:

     import zmq

     # Context
     ctx = zmq.Context(4)
     # Incoming socket
     s = ctx.socket(zmq.REP)
     # Public interface (proposed "tcps://" secure transport)
     s.bind("tcps://*:1234")
     # Private local interface
     s.bind("tcps://192.168.0.1:1235")

     while True:
         msg = s.recv()
         result = process(msg)   # application-specific request handler
         s.send(result)

Of course, somewhere in there I need to tell it where my encryption 
stuff is... Surely that could be done with something like

     s.setsockopt(zmq.TCPS_CONFIG_FILE, "/etc/myserver.xml")

or "/etc/myserver.json" or .txt or whatever.


- Oliver