<div dir="ltr">Hi Vance,<br><div><br><div class="gmail_quote"><div dir="ltr">Vance Shipley <<a href="mailto:vances@motivity.ca">vances@motivity.ca</a>> schrieb am Mi., 3. Jan. 2018 um 13:44 Uhr:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, Jan 3, 2018 at 2:39 PM, Andreas Schultz<br>
<<a href="mailto:andreas.schultz@travelping.com" target="_blank">andreas.schultz@travelping.com</a>> wrote:<br>
> I do have a use case that is even more complicated then simply upgrading UDP<br>
> to DTLS.<br>
> CAPWAP is runnig unencrypted and DTLS traffic on the same socket. It<br>
> distinguished between the traffic with a small header in front of the<br>
> payload packet. I therefore need a demultiplexer on the UDP socket that<br>
> removes the header and passes the encrypted payload to the DTLS stack.<br>
<br>
I think you're in luck.<br>
<br>
> There is somewhat similar problem when doing EAP-TLS over RADIUS or<br>
> DIAMETER. The TLS traffic is encapsulated within RADIUS/DIAMETER requests<br>
> and needs to be passed into the TLS stack and the replies need to<br>
> encapsultated with RADIUS/DIAMETER.<br>
<br>
SigScale has a pure Erlang implementation of EAP-TTLS over RADIUS<br>
using the SSL app in OTP in our open source Online Charging System<br>
(OCS): <a href="https://github.com/sigscale/ocs" rel="noreferrer" target="_blank">https://github.com/sigscale/ocs</a></blockquote><div><br></div><div>I have seen that some time ago.</div><div><br></div>> The current socket abstraction in the SSL app is not prepared to handle this<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> and would need invasive changes.<br>
<br>
The existence of the API is hidden in this one sentence of the User Guide:<br>
<br>
<a href="http://erlang.org/doc/apps/ssl/ssl_protocol.html" rel="noreferrer" target="_blank">http://erlang.org/doc/apps/ssl/ssl_protocol.html</a><br>
"By default SSL/TLS is run over the TCP/IP protocol even though you<br>
can plug in any other reliable transport protocol with the same<br>
Application Programming Interface (API) as the gen_tcp module in<br>
Kernel."<br></blockquote><div><br></div><div>Last time I looked at the SSL library in that depth (around 2014) it did not permit to use of a Pid. The actual socket had to be a Erlang port. Back then I needed this change to use a Pid as socket replacement: <a href="https://github.com/RoadRunnr/otp/commit/77b9256fc15fa2f4293bd84fd0bb8dc06da8ddbf">https://github.com/RoadRunnr/otp/commit/77b9256fc15fa2f4293bd84fd0bb8dc06da8ddbf</a></div><div><br></div><div><div>I also played with EAP based on Erlang SSL back then (<a href="https://github.com/travelping/eradius/commits/eap">https://github.com/travelping/eradius/commits/eap</a>), but didn't have the time to properly finish it.<br></div><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote></div><div>That SSL API restrictions to Erlang ports seem to have changed since then, at least for the TLS code.</div><div><br></div><div>The DTLS code still seems to have the hard coded assumtions that it always runs over UDP sockets:<br></div><div><a href="https://github.com/erlang/otp/blob/master/lib/ssl/src/dtls_connection.erl#L142">https://github.com/erlang/otp/blob/master/lib/ssl/src/dtls_connection.erl#L142</a></div><div><br></div><div>The other major restriction was that it required two processes, one for the socket/transport side and another for the payload side of the SSL library. Using the same process for both sides would lead to a dead lock when calling ssl:send. Not sure if that restriction has been lifted.</div><div><br></div><div>Andreas<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Here is our SSL transport callback module:<br>
<a href="https://github.com/sigscale/ocs/blob/master/src/ocs_eap_tls_transport.erl" rel="noreferrer" target="_blank">https://github.com/sigscale/ocs/blob/master/src/ocs_eap_tls_transport.erl</a><br>
<br>
<br>
--<br>
-Vance<br>
</blockquote></div></div></div>