Securing UDP - OpenSSL or GnuTls or …?

后端 未结 2 566
逝去的感伤
逝去的感伤 2021-02-08 07:05

I need to secure my UDP traffic. As far as I understand DTLS protocol is the best way to do it. There is another one - IPsec - but it looks not applicable for me because it\'s

相关标签:
2条回答
  • 2021-02-08 07:42

    I've found the following facts about the libraries and DTLS.

    1. There is another lib with DTLS support - CyaSSL, but it supports DTLS only in test mode for now.

    2. Although RFC 4347 dates from Apr, 2006, the OpenSSL supports DTLS since 2005 (v0.9.8). Many Linux distribs include this version. OpenSSL API looks ugly a little, but it seems like DTLS implementation is stable.

    3. GnuTls supports DTLS since 2011 (v3.0.0). Looks like no Linux includes this version yet. (For example, Ubuntu 11.04 uses v2.8.6, Ubuntu 11.10 is going to use v2.10.5, not v3.0.0.) There is no information about when v3.0 will be used. It can be built manually, however it depends on too many additional libraries which may have no native support in some distribs.

    4. It looks like all of these libraries can be used on other platforms (e.g. Windows).

    5. Known OpenSSL issue: OpenSSL has compression enabled by default for DTLS, but it shouldn't be. OpenSSL v0.9.8 API doesn't provide any method to disable compression. The method should be implemented manually.

    SUMMARY:

    Speaking about usability, personally I would prefer GnuTls API, but at the time OpenSSL looks more preferable to use.

    0 讨论(0)
  • 2021-02-08 07:56

    IPsec is the oldest and hence most compatible and stable, but requires tasks from the sysadmin and can be quite challenging for novices. DTLS is tackling the problem from the application side which the programmer can significantly simplify and integrate with existing environments with less change.

    The choice between OpenSSL and GnuTLS is almost always due to license.

    OpenSSL license includes an advertising clause:

    3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

    GnuTLS from Wikipedia:

    GnuTLS was initially created to allow applications of the GNU project to use secure protocols such as TLS. Although OpenSSL already existed, OpenSSL's license is not compatible with the GPL;[4] thus software under the GPL, such as GNU software, could not use OpenSSL without making a GPL linking exception.

    http://en.wikipedia.org/wiki/GnuTLS

    0 讨论(0)
提交回复
热议问题