Sunday, November 1, 2009

My Impressions of DTLS and OpenSSL

After a weekend of fun with DTLS, OpenSSL, and OpenSSL.NET, I am not entirely on board with the idea of using DTLS (via OpenSSL) as the backend for our P2P security system. So let me list my pros and cons of using DTLS:

Pros:
  • Maintained by someone else
  • FIPS certified
  • Available for all platforms
  • Popular, well-documented protocols
Cons:
  • Lacks the level of documentation found for most of the other libraries I've used
  • DTLS is scarcely mentioned on the website, and it is unclear to me how well it is actually maintained
  • DTLS (manual) renegotiation is broken
  • The library doesn't really make it easy to determine when an SSL session should be aborted
  • There are no async callbacks for when data is ready, which would be really helpful for handshake messages
  • Platform dependent (i.e. the library -- the ABI -- is not portable; the API is)
  • The DTLSv1_method family lacks the reliability layer that is actually in the DGRAM BIO
Given that Brunet already has a security library that handles the cons above (though it lacks FIPS certification and maintenance by others), it feels like I am between a rock and a hard place. My real goal was to gain enough knowledge to add details to my paper comparing my experience with a standard DTLS implementation against a home-brewed version. Since the transition to DTLS hasn't been entirely smooth sailing, I am a little hesitant to jump on board. Two things would need to be demonstrated to me: that renegotiation works, and that messages can still be transferred during renegotiation. While waiting, I may just test what actually happens in systems that rely on DTLS, because I have a feeling that the libraries are significantly faster than the .NET crypto libraries.

Note: I stand corrected: the DTLS bug is fixed in the 1.0.0 betas, though with a newly added twist of segmentation faults!
