[zeromq-dev] Is there a reasonable way to use an existing PKI and D/TLS with 0MQ?

Luca Boccassi luca.boccassi at gmail.com
Wed Feb 14 11:14:36 CET 2018

On Wed, 2018-02-14 at 00:17 -0500, John Lane Schultz wrote:
> Hi Luca,
> Thanks for the update.  I was holding out hope that someone might
> have taken a crack at it already.
> Yes, TLS is a pretty complicated protocol that supports tons of
> different cipher suites and options.  I certainly wouldn’t recommend
> reimplementing the protocol natively inside 0MQ.
> I’m just curious about how hard it would be for 0MQ to use (and
> expose) a D/TLS implementation instead of TCP / UDP?
> I’m guessing the primary obstacles would be dependence on an external
> D/TLS library (which maybe could be addressed with conditional
> compilation), how to have a simple 0MQ API that exposes the
> functionality / configurability of the D/TLS transport, and possibly
> objections to the security models (e.g. - X509 certs, CAs, HMAC then
> encrypt, etc.) of TLS itself.
> Thanks,
> John

We already support a number of optional transports that require
external libraries, like PGM and NORM, so that would not be a problem.
If anyone wants to implement it, they would be most welcome.

In terms of difficulty, plugging in a new transport is not simple
plug&play, but neither is it too hard - apart from the new mechanism
subclass, which should not be too difficult as the interface is fairly
small, it would need some changes in a few other places - with those we
can help eventually.

> On Feb 13, 2018, at 5:42 PM, Luca Boccassi <luca.boccassi at gmail.com>
> wrote:
> Hi,
> The situation is the same - security is only supported through Curve
> or Kerberos.
> Not for any particular reason, other than that nobody has contributed
> any other implementation. This is probably due to the fact that SSL is
> awfully, awfully complex (but I understand your requirements).

Kind regards,
Luca Boccassi