[WIP] DTLS 1.0 preliminary patches

Simon Josefsson simon at josefsson.org
Wed Jul 29 23:16:48 CEST 2009


Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Simon Josefsson wrote:
>
>>>>> Re 0004-Add-gnutls_session_datagram-function.patch: this just toggles
>>>>> one way.  DTLS is really a completely new protocol, not just a different
>>>>> transport method for TLS.  So maybe there should really be a new
>>>>> function that replaces gnutls_init?  How about gnutls_init_dtls?  It
>>>>> would return a gnutls_session_t for DTLS.
>>> If there are no issues in initialization the obvious place for me to be done
>>> would be gnutls_priority_set() and gnutls_protocol_set_priority(). There
>>> the actual version of the protocol that will be used is given and if
>>> DTLS is there the function should act accordingly. That way the same API
>>> can be used for both.
>> 
>> Hm.  Are you suggesting that DTLS should be enabled through a priority
>> string?  I kind of like that.  I'm not sure it is sufficient -- some
>> other functions called before the handshake may also want to know if
>> DTLS or normal TLS is going to be used.  Then the order of calls will
>> matter -- i.e., if gnutls_priority_set("DTLS") is called before or after
>> the call to this other API.  So a gnutls_init_dtls seems safer to me.
>
> I don't really know about that. What functionality would that be?

Maybe there aren't any.  I was thinking about size limits, or some
requirements on credentials used that apply only to DTLS -- for
example how about an RSA-EXPORT credential?  What about TLS extensions?
Are all TLS extensions applicable to DTLS automatically, without any
change in behaviour?

On the other hand, if applications request DTLS and call APIs which
aren't applicable to DTLS, they shouldn't expect things to work.  So
maybe the impact is low.

If Jonathan doesn't discover anything when his DTLS support is ready to
be merged, I'm fine with using a priority string to switch over to DTLS
mode.

/Simon

> For me since DTLS is supposed to be just another version of TLS it
> feels it should be configurable through the version interface. If
> multiple initialization functions are needed for other variants it
> would not be a nice API IMHO (it would be possible to initialize tls
> but specify TLS 1.2 through the priority api?). I thought initially
> that some extended gnutls_init_ext() would be useful, but since we
> already have the priority API I see no point in making a new API for
> that (unless of course there is no alternative due to technical
> problems).





