[zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

John Lane Schultz jschultz at spreadconcepts.com
Wed Feb 14 06:17:13 CET 2018


Hi Luca,

Thanks for the update.  I was holding out hope that someone might have taken a crack at it already.

Yes, TLS is a pretty complicated protocol that supports tons of different cipher suites and options.  I certainly wouldn’t recommend reimplementing the protocol natively inside 0MQ.

I’m just curious about how hard it would be for 0MQ to use (and expose) a D/TLS implementation instead of TCP / UDP?

I’m guessing the primary obstacles would be dependence on an external D/TLS library (which maybe could be addressed with conditional compilation), how to have a simple 0MQ API that exposes the functionality / configurability of the D/TLS transport, and possibly objections to the security models (e.g. - X509 certs, CAs, HMAC then encrypt, etc.) of TLS itself.

Thanks,
John

On Feb 13, 2018, at 5:42 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:

Hi,

The situation is the same - security is only supported through Curve or
Kerberos.

Not for any particular reason if not that nobody has contributed any
other implementation. This is probably due to the fact that SSL is
awfully, awfully complex (but I understand your requirements).

-- 
Kind regards,
Luca Boccassi


