[zeromq-dev] Using CurveZMQ to secure multiple sockets?

Luca Boccassi luca.boccassi at gmail.com
Wed Oct 5 17:22:43 CEST 2016


On 5 October 2016 at 16:15, Mark Gillott <mgillott at brocade.com> wrote:
> On Wed, 2016-10-05 at 14:56 +0100, Luca Boccassi wrote:
>> zauth and zcert can work with any socket and are the correct choice.
>> Curvezmq was a proof of concept (and made to bring auth for the legacy
>> libraries) and should not be used with libzmq/czmq as there's built in
>> support.
>>
>
> OK so authentication/encryption needs to be (separately) applied to
> every socket. And if some other part of the system springs up a socket
> between client & server for its own use, it has to remember to build in
> the zauth/zcert calls.
>
> Mark

Yes, it's a socket option, see the zauth self test for an example:

https://github.com/zeromq/czmq/blob/master/src/zauth.c#L661

zauth is set up first and then it can be used to (optionally) set up
domain white/black listing with zap, and the socket options are set on
each socket.

>> On 5 October 2016 at 09:27, Mark Gillott <mgillott at brocade.com> wrote:
>> > Suppose we have a server and one or more client applications that
>> > communicate using a number of 0MQ sockets; a ROUTER-DEALER, a PUB-SUB
>> > and a REP-REQ.
>> >
>> > Is it possible to use CurveZMQ to secure all of these connections? Using
>> > the various zactor, zcert & zsock_set_curve functions I can secure the
>> > ROUTER-DEALER connections. But what about the other two?
>> >
>> > What I really want is to be able to do is secure the lower layer
>> > transport such that *any* 0MQ socket between client & server is always
>> > secure. From the curvezmq.org page:
>> >
>> >         To secure a single hop between client and server, which is the
>> >         CurveCP use case. For this use case we would embed CurveZMQ in
>> >         the transport layer so that it can work for all patterns
>> >         (publish-subscribe, pipeline, and so on).
>> >
>> > Yet I can't find any example. The examples I've seen secure a single
>> > socket. Have I misunderstood? Can I build a CurveZMQ-based "pipe" over
>> > which other 0MQ sockets can operate?
>> >
>> > Thanks,
>> >
>> > Mark
>> > _______________________________________________
>> > zeromq-dev mailing list
>> > zeromq-dev at lists.zeromq.org
>> > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.zeromq.org_mailman_listinfo_zeromq-2Ddev&d=DQIGaQ&c=IL_XqQWOjubgfqINi2jTzg&r=jvQi-CKjLvh8eMz9WSgpXPemqlgP9vG7H0zwS3acfHk&m=gOqAiEHvYlTrTLGnWRWdFSR9dHwNTwB_wmYvb_WDKxM&s=oBgMsrha1azZ7qDvJEl-ki-0QCyO_C1hOC4Q-tDf5Q0&e=
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
