[erlang-questions] (D)TLS with SCTP?

Kenneth Lakin kennethlakin@REDACTED
Mon Jul 11 07:56:34 CEST 2016


On 07/10/2016 08:07 PM, Sargun Dhillon wrote:
> The next option seems to be to implement a custom transport / callback
> module to wrap SCTP and present gen_tcp semantics. My only worry there
> is then I'll lose the datagram semantics of SCTP, and I'll have to do
> my own work to encrypt other streams.

I'm using the ssl module to do PEAP/RADIUS (which is
TLS-in-EAP-in-RADIUS-over-UDP) which seems to work just fine, and wasn't
too complicated. I had to implement get/setopts, controlling_process,
listen, close, peername, port, and send, along with some bookkeeping to
fake some of that data. (TLS data that I receive is sent as messages to
the process (created and managed by ssl module code) that's managing the
TLS connection. This seems to work just fine.) My wrapper also creates
(and manages) fake sockets that are handed off to ssl, as the ssl module
*really* wants to have a socket-shaped piece of data to play with while
it does its thing.

Maybe I'm misunderstanding, but it looks like SCTP has a notion of
multiplexed data streams within a single connection? So, I think you'll
need to demultiplex those data streams and figure out a way to present them
to the ssl module as if each stream was an individual TCP connection.
Additionally, I expect that the ssl module will get cranky if it gets
out-of-order TLS data. I *know* that it gets cranky if a TLS record goes
missing. So, you might have to do additional bookkeeping if SCTP gives
you out-of-order packets.

Hope this helps and wasn't a waste of your time!
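As an added illustration of the wrapper described above (example code written for this edit, not Kenneth's module and not part of OTP): a minimal transport callback module for the ssl module's cb_info option, with a per-connection wrapper process standing in for the socket. It assumes the callback set named in the message plus sockname/1, that ssl:connect/2 accepts a non-port socket term once cb_info is given, and that the module, tag, and function names shown are hypothetical.

```erlang
%% fake_transport (hypothetical name): callback module for ssl's
%% {cb_info, {fake_transport, fake_data, fake_closed, fake_error}}. The "socket"
%% ssl sees is a wrapper pid; the carrier (an EAP/RADIUS session, or one SCTP
%% stream) feeds reassembled TLS records in via deliver/2 and gets outgoing ones as {fake_tx, Bin}.
-module(fake_transport).
-export([open/2, deliver/2, send/2, setopts/2, getopts/2, peername/1,
         sockname/1, port/1, controlling_process/2, close/1]).
%% Carrier: pid that encapsulates outgoing records. Peer: {Ip, Port} to report
%% to ssl. mode/packet/header are faked inet options ssl may query via getopts.
open(Carrier, Peer) ->
    Owner = self(),
    spawn_link(fun() -> loop(#{carrier => Carrier, peer => Peer, owner => Owner,
                               active => false, queue => [], mode => binary,
                               packet => 0, header => 0}) end).
deliver(Sock, Bin) when is_binary(Bin) -> Sock ! {rx, Bin}, ok.  % carrier -> wrapper

%% Callbacks ssl invokes through cb_info.
send(Sock, Data)                    -> Sock ! {tx, iolist_to_binary(Data)}, ok.
setopts(Sock, Opts)                 -> Sock ! {setopts, Opts}, ok.
getopts(Sock, Names)                -> call(Sock, {getopts, Names}).
peername(Sock)                      -> call(Sock, peername).
sockname(Sock)                      -> call(Sock, peername).
port(Sock)                          -> {ok, {_, Port}} = call(Sock, peername), {ok, Port}.
controlling_process(Sock, NewOwner) -> Sock ! {owner, NewOwner}, ok.
close(Sock)                         -> Sock ! close, ok.

call(Sock, Req) ->
    Ref = make_ref(), Sock ! {call, self(), Ref, Req},
    receive {Ref, Reply} -> Reply after 5000 -> {error, timeout} end.
loop(#{owner := Owner, carrier := Carrier, queue := Q} = S) ->
    receive
        {tx, Bin}       -> Carrier ! {fake_tx, Bin}, loop(S);
        {rx, Bin}       -> loop(flush(S#{queue := Q ++ [Bin]}));
        {setopts, Opts} -> A = proplists:get_value(active, Opts, maps:get(active, S)),
                           loop(flush(S#{active := A}));
        {owner, New}    -> loop(flush(S#{owner := New}));
        {call, From, Ref, peername} -> From ! {Ref, {ok, maps:get(peer, S)}}, loop(S);
        {call, From, Ref, {getopts, Names}} ->
            From ! {Ref, {ok, [{N, maps:get(N, S, undefined)} || N <- Names]}}, loop(S);
        close           -> Owner ! {fake_closed, self()}
    end.

%% Deliver queued records only while ssl has asked for them; {active, once}
%% drops back to passive after one record, matching inet semantics.
flush(#{active := false} = S) -> S;
flush(#{queue := []} = S) -> S;
flush(#{owner := Owner, active := Active, queue := [Bin | Rest]} = S) ->
    Owner ! {fake_data, self(), Bin},
    flush(S#{active := (case Active of once -> false; _ -> Active end), queue := Rest}).
```

Hand the wrapper pid to ssl:connect/2 with `{cb_info, {fake_transport, fake_data, fake_closed, fake_error}}` in the option list; for SCTP, open one wrapper per stream so each stream looks to ssl like its own connection.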

