DTLS1.3 support #1337
Comments
It is neither supported nor planned in the next months. Californium is an open source project, though, and contributions are very welcome. Californium supports DTLS 1.2 Connection ID. Using a Java 11 runtime, x25519 is added for ECDHE. If I get the time to do so, I would also try to implement ECDSA based on that curve and maybe TLS_???_CHACHA20_POLY1305_SHA256. But that depends on the time I'm able to spend on that.
I don't expect a contribution for DTLS 1.3 "soon".
@boaks, is this still not planned in the short/mid term?
At least from my side, not in the short term. I consider that using DTLS CID already provides many benefits. With mbedTLS and tinyDtls there are already two client implementations, and at least my Thingy:91 runs not that badly with it. I currently think more about implementing RFC 7924 (certificate caching), but that depends more on some decisions outside of my responsibility. The amount of work for DTLS 1.3 is large. And AFAIK, only mbedTLS seems to offer that in the short term. Do you have any specific feature of DTLS 1.3 you consider should be highlighted? Faster handshakes seem not that important to me with DTLS CID (and cert. caching).
Maybe I'll check if bc has some functionality to use for the short term.
Should I open this issue again? But from my experience, either I do it, or "nobody ;-)".
I guess so.
AFAIK there are not so many DTLS 1.3 implementations. I also see that RFC-dtls13 is still a draft.
Not really, but we begin to detect some interest in (D)TLS 1.3 in general.
This is up to you. Thanks for all this information.
RFC 9147 is in the editor's queue (as is RFC 9146), and mbedtls plans to support it in the near future.
Yep, but at least my feeling is that this is more general interest than a specific feature.
Once I start with it, I will let you know.
Now, since April 2022, DTLS 1.3 is no longer a "draft"; however, it's stated as a "proposal", which I have asked to clarify here:
Not anymore. People want 1.3 for (at least) 3 main reasons:
DTLS 1.2 Connection ID is exactly what's needed for that. I developed zephyr-coaps-client with Eclipse/tinydtls. With that, a Thingy:91 runs from the internal battery for more than 6 months, exchanging a message every hour. DTLS 1.3 will not really improve that further.
Just configure the client and server stacks not to permit such "insecure protocols".
I'm not familiar with that. DTLS 1.3 is for sure a good development. Unfortunately the industry has lost the interest to finance such developments. For Californium itself it's hard to make the decision to add implementations, e.g. DTLS 1.3, and to keep the quality. It's a question of the trade-off. For sure there will be different opinions on that. In my view, it was mainly me who did the debugging and bug-fixing for the past 5 years, and I'm no longer able to spend that huge amount of time doing so. Therefore my focus is on using CoAP/DTLS 1.2 Connection ID and demonstrating how products benefit from that. Let's see if that brings back the interest.
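As an added example (not code from the Californium project or from this thread) of the DTLS 1.2 Connection ID setup that boaks points to above, combined with the "don't permit insecure protocols" advice: a minimal Scandium server that offers RFC 9146 Connection IDs and accepts only one AEAD PSK cipher suite. It assumes the Californium 3.x API (Configuration, DtlsConfig, DtlsConnectorConfig, AdvancedSinglePskStore); the port, identity and key are constructed sample values.

```java
// Added example, not part of the Californium project. Assumes the
// Californium 3.x Scandium API; verify class names against your version.
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.eclipse.californium.elements.config.Configuration;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConfig;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.pskstore.AdvancedSinglePskStore;

public class CidDtlsServer {

    static {
        // Register the DTLS configuration definitions before creating a Configuration.
        DtlsConfig.register();
    }

    public static void main(String[] args) throws Exception {
        Configuration config = Configuration.createStandardWithoutFile();

        // A non-zero CID length makes the server negotiate RFC 9146 Connection IDs.
        // A client whose source address changes (NAT rebinding after the radio
        // sleeps) then keeps its established session instead of rehandshaking,
        // which is the battery saving described in the thread.
        config.set(DtlsConfig.DTLS_CONNECTION_ID_LENGTH, 6);

        // Permit a single AEAD suite; legacy CBC / SHA-1 suites are never offered,
        // which is the "configure the stack not to permit insecure protocols" point.
        config.set(DtlsConfig.DTLS_CIPHER_SUITES,
                Arrays.asList(CipherSuite.TLS_PSK_WITH_AES_128_CCM_8));

        DtlsConnectorConfig.Builder builder = DtlsConnectorConfig.builder(config);
        // Sample port (assumption); 5684 is the registered coaps port.
        builder.setAddress(new InetSocketAddress("0.0.0.0", 5684));

        // Constructed sample credentials for the example only; in a product the
        // PSK comes from device provisioning, never from a string literal.
        byte[] key = "demo-secret".getBytes(StandardCharsets.UTF_8);
        builder.setAdvancedPskStore(new AdvancedSinglePskStore("device-1", key));

        DTLSConnector connector = new DTLSConnector(builder.build());
        connector.start();
        System.out.println("DTLS 1.2 server with Connection ID listening on "
                + connector.getAddress());
    }
}
```

A CoAP server wraps this connector in a CoapEndpoint; the CID length is a server-side choice, and the client must advertise the extension too (tinydtls and mbedTLS do, as noted above) for the session to survive an address change.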
Hi Achim,
It's basically the same as one-step device commissioning, but cloud based. You put the SIM card in the device and power it on, and it works once you have registered the device IMEI with your IoT management provider.
The current QUIC protocol seems to require DTLS 1.3.
AFAIK (I may be wrong), QUIC RFC 9100 comes with its own security.
Do you know "webtransport"? It is a transport tool in the browser. It is similar to "websocket" but based on UDP, and it is based on DTLS 1.3 for the QUIC protocol.
No, I don't know "webtransport".
Well, my hopes of creating an HTTP/3 server have been dashed.
Now I understand, you want DTLS 1.3 for HTTP/3. As I wrote, I think QUIC comes with its own security anyway. The point with DTLS 1.3 and Californium is simple; I tried to explain it above.
Thank you, I understand what you mean.
Hi boaks,
Ok, got it, thank you for your answer.
You're welcome.
Thanks for reminding me, my colleague has already encountered this problem.
It has been pretty long without any interest in contributing such an implementation.
Hi,
Does Californium support DTLS 1.3? If not, is it expected to be supported any time soon?
Thanks in advance.