[zeromq-dev] Encryption (OpenSSL/TLS)
Oliver Smith
oliver at kfs.org
Fri Oct 1 18:28:42 CEST 2010
Pieter Hintjens said the following on 9/30/2010 1:49 PM:
> Hi Oliver,
>
> Mato and I were discussing this exact topic yesterday. Neither of us
> are really security experts but his experience trumps mine. I'd go
> for an OpenSSL TLS transport layer that replaces the existing tcp://
> transport. Mato's opinion was that this would not work, and the
> correct approach would be per-message encryption, with out of band key
> exchange using some existing technology.
>
> Mato's approach has the advantage of also giving secure multicast.
>
> -Pieter
Hmm.
I'd also thought about using something like "tcps://" for an underlying
"secure connection" transport, but I hadn't thought about multicast.
What was Mato's reasoning for saying it would not work? Is it to do with
provisioning keys etc.?
The reason I think that a ZeroMQ socket-type level would work best is
that you would then be able to do:
import zmq

# Context
ctx = zmq.Context(4)
# Incoming socket
s = ctx.socket(zmq.REP)
# Public interface
s.bind("tcps://*:1234")
# Private local interface
s.bind("tcps://192.168.0.1:1235")
while True:
    msg = s.recv()
    # process() is the application's own request handler
    result = process(msg)
    s.send(result)
Of course, somewhere in there I need to tell it where my encryption
stuff is... Surely that could be done with something like
s.setsockopt(zmq.TCPS_CONFIG_FILE, "/etc/myserver.xml") or
"/etc/myserver.json" or .txt or whatever
- Oliver
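As an added illustration of the "per-message encryption with out-of-band key exchange" approach Pieter attributes to Mato above (this is example code written for this page, not Oliver's code and not part of ZeroMQ), the Go snippet below seals each message body independently with AES-256-GCM under a pre-shared key. The key is assumed to have been provisioned out of band, e.g. from a config file like the hypothetical /etc/myserver.json mentioned in the post. The cleartext "envelope" (a PUB/SUB topic that must stay readable for subscription matching) is bound to the ciphertext as associated data rather than encrypted, which is an assumption about framing, not something the thread specifies. Because every frame carries its own nonce and tag, any receiver holding the key can decrypt any frame on its own, which is what makes this model usable over multicast where a TLS-style connection does not exist.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MessageCipher seals and opens individual message bodies with AES-256-GCM.
// The key is assumed to have been exchanged out of band (hypothetical
// config file, KMS, etc.); nothing here negotiates keys.
type MessageCipher struct {
	aead cipher.AEAD
}

// NewMessageCipher builds an AEAD from a 32-byte pre-shared key.
func NewMessageCipher(key []byte) (*MessageCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MessageCipher{aead: aead}, nil
}

// Seal encrypts one message body. Frame layout: nonce || ciphertext || tag.
// envelope stays in the clear (e.g. a PUB/SUB topic) but is authenticated,
// so a frame replayed under a different topic is rejected by Open.
func (m *MessageCipher) Seal(envelope, body []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the full frame.
	return m.aead.Seal(nonce, nonce, body, envelope), nil
}

// Open verifies the tag against envelope and frame, then decrypts.
// Any single-bit change to nonce, ciphertext, tag or envelope fails.
func (m *MessageCipher) Open(envelope, frame []byte) ([]byte, error) {
	ns := m.aead.NonceSize()
	if len(frame) < ns+m.aead.Overhead() {
		return nil, errors.New("frame too short to contain nonce and tag")
	}
	return m.aead.Open(nil, frame[:ns], frame[ns:], envelope)
}

func main() {
	// Constructed demo key; a real deployment loads it from the
	// out-of-band provisioning step instead.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	mc, err := NewMessageCipher(key)
	if err != nil {
		panic(err)
	}
	topic := []byte("weather")
	frame, err := mc.Seal(topic, []byte("temp=21C"))
	if err != nil {
		panic(err)
	}
	body, err := mc.Open(topic, frame)
	fmt.Printf("decrypted: %q err=%v\n", body, err)

	// Same frame presented under another topic: authentication fails.
	_, err = mc.Open([]byte("stocks"), frame)
	fmt.Println("wrong envelope rejected:", err != nil)
}
```

In a ZeroMQ multipart message the envelope would be the first frame and the sealed body the second; subscribers still filter on the cleartext topic, and only holders of the key can read or forge bodies. Nonce reuse under one key is fatal for GCM, so a random 96-bit nonce per message is only safe while the message count per key stays far below 2^32; rotating the pre-shared key is part of the out-of-band provisioning this design leaves to "some existing technology".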