[WIP] DTLS 1.0 preliminary patches
Simon Josefsson
simon at josefsson.org
Wed Jul 29 20:35:36 CEST 2009

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

>>> Re 0002-Add-DTLS1.0-protocol-entry.patch: This breaks the API. Can you
>>> re-order the DTLS addition so it is after GNUTLS_TLS1_2 and add a '=
>>> 100' after it so there is room for TLS 1.3 etc? Also, please drop the
>>> GNUTLS_DTLS1 mapping, I think it helps to be specific about version
>>> numbers at all places. I think this patch could be added quickly
>>> without problem.
>> Alright, but DTLS1.0 needs to be sandwiched between TLS1.1 and TLS1.2,
>> mostly for ver < GNUTLS_TLS1_2 checks. Since TLS1.2 is still
>> experimental, could this breakage be tolerated? I am wide open for
>> suggestions in this case...
>
> In general I'd agree with Simon that DTLS should be distinct from
> TLSx.y. For the specific tests maybe we should move those into
> designated functions such as if (_check_for_feature_xyz(tlsversion)) {
> ... }. And a more complex matching algorithm will be present there.

Exactly.

>>> Re 0004-Add-gnutls_session_datagram-function.patch: this just toggles
>>> one way. DTLS is really a completely new protocol, not just a different
>>> transport method for TLS. So maybe there should really be a new
>>> function that replaces gnutls_init? How about gnutls_init_dtls? It
>>> would return a gnutls_session_t for DTLS.
>
> If there are no issues in initialization the obvious place for me to be done
> would be gnutls_priority_set() and gnutls_protocol_set_priority(). There
> the actual version of the protocol that will be used is given and if
> DTLS is there the function should act accordingly. That way the same API
> can be used for both.

Hm. Are you suggesting that DTLS should be enabled through a priority
string? I kind of like that. I'm not sure it is sufficient -- some
other functions called before the handshake may also want to know if
DTLS or normal TLS is going to be used. Then the order of calls will
matter -- i.e., if gnutls_priority_set("DTLS") is called before or after
the call to this other API. So a gnutls_init_dtls seems safer to me.

/Simon
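
Added example, not part of the original message and not GnuTLS code: a sketch of the "designated feature-check function" idea discussed in the thread, showing how an ordered comparison misfires once DTLS 1.0 is numbered after TLS 1.2. The enum, its values other than the `= 100` gap, and all function names are hypothetical; the mapping relies on DTLS 1.0 being derived from TLS 1.1 (RFC 4347).

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical enum (not GnuTLS's): DTLS sits after the TLS versions,
 * with a gap left for future TLS versions, as proposed in the thread. */
typedef enum {
    EX_SSL3 = 1,
    EX_TLS1_0,
    EX_TLS1_1,
    EX_TLS1_2,
    EX_DTLS1_0 = 100
} ex_protocol_t;

/* Ordered comparison: misfires once DTLS is outside the TLS ordering. */
static bool naive_has_tls12_prf(ex_protocol_t v) { return v >= EX_TLS1_2; }

/* TLS version whose semantics a protocol shares; DTLS 1.0 is derived
 * from TLS 1.1 (RFC 4347). Unknown values map to 0 (no features). */
static int tls_equivalent(ex_protocol_t v)
{
    switch (v) {
    case EX_DTLS1_0:
        return EX_TLS1_1;
    case EX_SSL3: case EX_TLS1_0: case EX_TLS1_1: case EX_TLS1_2:
        return (int)v;
    }
    return 0;
}

/* Designated feature checks: callers never compare enum values directly. */
static bool is_datagram(ex_protocol_t v) { return v == EX_DTLS1_0; }
static bool has_explicit_iv(ex_protocol_t v) { return tls_equivalent(v) >= EX_TLS1_1; }
static bool has_tls12_prf(ex_protocol_t v) { return tls_equivalent(v) >= EX_TLS1_2; }

int main(void)
{
    printf("DTLS1.0 naive TLS1.2 PRF check: %d\n", naive_has_tls12_prf(EX_DTLS1_0));
    printf("DTLS1.0 feature TLS1.2 PRF check: %d\n", has_tls12_prf(EX_DTLS1_0));
    printf("DTLS1.0 explicit IV: %d, datagram: %d\n",
           has_explicit_iv(EX_DTLS1_0), is_datagram(EX_DTLS1_0));
    return 0;
}
```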