[zeromq-dev] Encryption (OpenSSL/TLS)
Pieter Hintjens
ph at imatix.com
Fri Oct 1 19:21:07 CEST 2010
On Fri, Oct 1, 2010 at 7:13 PM, Oliver Smith <oliver at kfs.org> wrote:
> No, it is just the wrong way to use 0MQ as internet-scale fabric...
There is IMO only one issue with defining a tls:// transport. It
cannot be aware of messaging patterns and so cannot span devices. It
must necessarily be a single-hop encryption just as tcp:// is
necessarily a single-hop protocol.
This doesn't, however, break any use cases anyone has identified.
VPNs and per-message encryption, meanwhile, seem fundamentally flawed. The
notion of asking users to install OpenVPN in order to get a secure
link is... horrid. And per-message encryption leaves the problem of
key exchange unsolved, makes applications aware of encryption, and
leaves them open to replay attacks.
So unless someone has a specific explanation why a tls:// transport
would not solve the use cases we have, or somehow break 0MQ
scalability, it seems to be the correct solution.
My earlier idea of using a pair of devices is just a hack to avoid
putting this into 0MQ core; it's essentially the same solution. It
would be a good proof-of-concept IMO.
I'm tempted to dig up the OpenSSL interface code from Xitami...
-Pieter