[zeromq-dev] Partially encrypted service

Laurent Alebarde l.alebarde at free.fr
Mon Mar 31 21:27:20 CEST 2014


Hi Greg,

As far as I know, encryption is per socket. So you can have one context, 
and in this context, one CURVE socket for the wild, and one NULL socket 
for your homeland.

Laurent

On 31/03/2014 21:12, Greg Ward wrote:
> Hi all --
>
> I'm helping maintain a ZeroMQ-based system that currently uses a
> homebrew cryptosystem on top of libzmq 3.2.4. Obviously I'd like to
> upgrade to curve and libzmq 4. While I'm doing that, I'd like to
> change it so that only untrusted connections (across the Internet) are
> subject to encryption and authentication. Connections within our data
> center do not need the overhead.
>
> My understanding is that encryption/authentication is per-context, so
> the server process that talks to both remote hosts (across the
> Internet) and local hosts (inside our data center) would need *two*
> contexts. Is this correct?
>
> My rationale, incidentally, is twofold: 1) reduce administrative
> overhead, 2) reduce latency. Of course we need to maintain keys and
> certificates for the hosts that we talk to out there on the Internet,
> but it's annoying that we have to maintain them for hosts inside our
> data center. I'd like to get rid of that. I also want to ditch the
> overhead (network and CPU) of crypto + authentication when we don't
> need it. Not sure how big a factor that is with libzmq 4, but it's
> definitely a factor with our current homebrew cryptosystem.
>
>         Greg
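
The per-socket setup described in the reply, as an added example that is not part of the original thread: one context holding a CURVE server socket and a NULL socket, exercised over loopback. It assumes pyzmq built against a libzmq 4 with CURVE support; the helper names, ports and keys are constructed for the demo. No ZAP handler is installed, so the CURVE socket encrypts traffic but accepts any client key pair; restricting which client keys may connect needs a ZAP handler (for instance via `zmq.auth`).

```python
import zmq

def round_trip(server, client, payload=b"ping", timeout_ms=1000):
    """Send payload to the server and echo it back; None if nothing got through."""
    client.send(payload)
    if not server.poll(timeout_ms):  # handshake failed or no message arrived
        return None
    server.send(server.recv())
    return client.recv() if client.poll(timeout_ms) else None

def demo():
    ctx = zmq.Context()  # one context shared by both server sockets
    server_pub, server_sec = zmq.curve_keypair()  # constructed demo keys
    client_pub, client_sec = zmq.curve_keypair()

    # Socket "for the wild": CURVE server. Options must be set before bind().
    wild = ctx.socket(zmq.REP)
    wild.curve_secretkey = server_sec
    wild.curve_server = True
    wild_port = wild.bind_to_random_port("tcp://127.0.0.1")

    # Socket "for the homeland": default NULL mechanism, no keys at all.
    local = ctx.socket(zmq.REP)
    local_port = local.bind_to_random_port("tcp://127.0.0.1")

    def connect(port, curve):
        sock = ctx.socket(zmq.REQ)
        if curve:  # client needs its own key pair plus the server's public key
            sock.curve_serverkey = server_pub
            sock.curve_publickey = client_pub
            sock.curve_secretkey = client_sec
        sock.connect(f"tcp://127.0.0.1:{port}")
        return sock

    results = {
        "wild_is_curve": wild.getsockopt(zmq.MECHANISM) == zmq.CURVE,
        "local_is_null": local.getsockopt(zmq.MECHANISM) == zmq.NULL,
        "curve_to_wild": round_trip(wild, connect(wild_port, curve=True)),
        "null_to_local": round_trip(local, connect(local_port, curve=False)),
        # A keyless client cannot complete the handshake with the CURVE socket.
        "null_to_wild": round_trip(wild, connect(wild_port, curve=False)),
    }
    ctx.destroy(linger=0)
    return results

if __name__ == "__main__":
    print(demo())
```

The loopback TCP transport is deliberate: `inproc://` endpoints skip the security handshake, so they would not show the difference between the two sockets.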