[zeromq-dev] Encryption (OpenSSL/TLS)
Oliver Smith
oliver at kfs.org
Fri Oct 1 19:13:06 CEST 2010

Martin Sustrik said the following on 10/1/2010 1:11 AM:
>> The only
>> downside of this approach is that each network hop will have to
>> encrypt/decrypt the message.
> That's exactly the point IMO. It means that each intermediary box
> (device) would have to be trusted. Doing it that way you would basically
> disable using 0MQ as internet-scale fabric.

No, it is just the wrong way to use 0MQ as internet-scale fabric.

In my particular current use case, I am considering placing 0MQ as a
communications medium between several server processes, where there is
no need for security between machines. But I then want to expose access
to some of this to the externally run client. I want those connections
to be encrypted.

I really don't feel like being the first MMO to have our customers
launch OpenVPN in order to play the game ;)

The TLS solution works exceptionally well in these cases precisely
because I could build a configuration such as:

                         +--------+
                         | Public |
/---------+   +-----+    | Facing |
|         |   |     |    | Server |
| Clients | --+ TLS +--> +--------+
|         |   | {io}|    | ZeroMQ |
+---------/   +-----+    | Device |
                         |        |
                         +----+---+
                              |
                              v
                         +--------+
                         | Server |
                         +--------+
                              ^             /-----------+
                              |             | Internal  |
                              +-=-----------| Server    |
                                            | Processes |
                                            +-----------/

The Device would communicate to remote clients over encrypted sockets,
e.g. tcps://*:1234/, but communicate on to the server via whatever
protocol you choose.

Just another task successfully offloaded by ZeroMQ :)

- Oliver