[zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

Luca Boccassi luca.boccassi at gmail.com
Tue Feb 13 23:42:29 CET 2018


On Tue, 2018-02-13 at 17:03 -0500, John Lane Schultz wrote:
> I’m new to 0MQ, so please excuse my ignorance about it.  I read the
> guide book, the blog entries on CurveZMQ, looked at the directory of
> 0MQ GitHub repositories, and googled around to see if anyone had
> added a D/TLS layer into 0MQ. I didn’t find much of anything.
> 
> I did find the email below from 4 years ago, that seems to answer a
> similar question from back then.  Is it still the situation that 0MQ
> doesn’t readily support using D/TLS to secure its communications?
> 
> I ask because we have an existing PKI managing more than 2000
> distributed identities and we use D/TLS to secure our mutually
> authenticated (the “Ironhouse Pattern") point-to-point
> communications.  If it matters, we use Ephemeral Diffie-Hellman key
> exchanges with long term RSA keys.
> 
> From my reading, 0MQ looks really appealing to get away from low-
> level programming OpenSSL D/TLS, UDP, and TCP sockets, but not being
> able to use our existing security infrastructure would probably be a
> deal breaker.
> 
> I’d greatly appreciate any information on the current state of
> affairs of 0MQ security layers and whether or not adding D/TLS
> support to 0MQ is reasonable or not.
> 
> Thanks!
> John

Hi,

The situation is the same - security is only supported through Curve or
Kerberos.

Not for any particular reason if not that nobody has contributed any
other implementation. This is probably due to the fact that SSL is
awfully, awfully complex (but I understand your requirements.

> From ph at imatix.com  Fri Oct  4 00:46:06 2013
> From: ph at imatix.com (Pieter Hintjens)
> Date: Fri, 4 Oct 2013 00:46:06 +0200
> Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ
> In-Reply-To: <F321E1DDD74B4747BE218256F9B069F313064041 at GQ1-EX10-MB05.
> y.corp.yahoo.com>
> References: <F321E1DDD74B4747BE218256F9B069F313064041 at GQ1-EX10-MB05.y
> .corp.yahoo.com>
> Message-ID: <CADL5_shGNyOg8=NBsQW7eOBnu4qsKD_1pVWXp4PJda3MJePtpg at mail
> .gmail.com>
> 
> On Fri, Oct 4, 2013 at 12:34 AM, Steve Carney <carney at yahoo-
> inc.com> wrote:
> 
> > I have an infrastructure with existing certificates that is not
> > ready to
> > move to CurveCP yet.    Does CurveZMQ have an underlying framework
> > (due
> > using SASL) that I could use to implement SSL authentication (with
> > and
> > without encryption)?
> 
> No, CurveZMQ has its own properties. I've described this
> superficially
> here: http://hintjens.com/blog:48
> 
> > I also have simple proprietary certificates that I?d like to
> > support as part
> > of establishing a client-server connection.  A simple cleartext key
> > exchange
> > would be sufficient.  Could CurveZMQ be leveraged for this as well?
> 
> Not directly... The keys that CurveZMQ uses are specific to the
> elliptic curve cryptography used.  However you could use your
> existing
> certificates and some (non-ZeroMQ) transport to exchange CurveZMQ
> certificates.
> 
> -Pieter
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20180213/62f48179/attachment.sig>


More information about the zeromq-dev mailing list