Support for Mbed TLS? #623

Open
hannestschofenig opened this issue Sep 21, 2021 · 18 comments

Comments

@hannestschofenig

I was wondering whether there is interest in supporting Mbed TLS in Wakaama. Has someone been working on an integration already?

@tuve
Contributor

tuve commented Sep 22, 2021

I do not know Mbed TLS, but a quick glance makes me think that it is for TCP, is that correct? As far as I know there is only CoAP and UDP support in Wakaama, and support for DTLS using tinyDTLS. Are there any specific features that you need in Mbed TLS that are missing in tinyDTLS?

@jvermillard
Contributor

@tuve it's supporting DTLS too: https://tls.mbed.org/kb/how-to/dtls-tutorial

@jvermillard
Contributor

I think the main problem with tinyDTLS is the overall lack of maintenance and of 1.3 and full-fledged PKI support.
Also the lack of TLS support in tinyDTLS can be a problem, for example if you use HTTPS for your FOTA you will need an extra lib for TCP TLS.

@tuve
Contributor

tuve commented Sep 22, 2021

Maybe we should look into support that then. To my knowledge there isn't anybody currently looking into this.

@LukasKarel

I already used mbedtls with wakaama. I think the question should be if tinydtls and/or mbedtls should be part of the wakaama core implementation in the future. tinydtls is currently only used in the examples and is not part of the core wakaama library.

@tuve
Contributor

tuve commented Sep 22, 2021

Good question. Even though I think you should never opt out of using dtls, I don't think it should be part of the core but rather referenced as a submodule as it is done now with tinydtls. But maybe this also should include the option of using mbed tls. Any thoughts on this?

@LukasKarel

From a security point of view this is not ideal. Everyone who doesn't use the examples implements their own security layer. So these changes tend not to be pushed back directly. In addition, the implementations are copied and this leads to errors that could be avoided.
If this is not taken into account, it is of course not a problem.

@tuve
Contributor

tuve commented Sep 22, 2021

Yes, that is a concern. Does anyone have any figures on the memory footprint of tinydtls and mbed tls, both compiled code and runtime?

@hannestschofenig
Author

@LukasKarel You mentioned that you have used Wakaama with Mbed TLS. Is that code somewhere in a branch or so?

@hannestschofenig
Author

@tuve Regarding a comparison between Mbed TLS and TinyDTLS. I don't have that data but the answer will heavily depend on the details of the comparison. The feature set is different between the two stacks. The biggest contributor to code size in TLS/DTLS stacks, in general, is the crypto itself -- not the TLS protocol. I have data to support this observation in https://arxiv.org/pdf/2011.12035.pdf (see Figure 8 and Figure 9).

@LukasKarel

> @LukasKarel You mentioned that you have used Wakaama with Mbed TLS. Is that code somewhere in a branch or so?

These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.

@tuve I have never worked with tinydtls but mbedtls is highly configurable. Supported algorithms can be configured at compile time and therefore should reduce the footprint. The same is possible for buffer sizes, to reduce heap usage for example.
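As an added illustration of the compile-time trimming described in the comment above (this fragment is not from this thread, from Wakaama or from the Wakaama examples): a cut-down Mbed TLS configuration that keeps a single PSK-only DTLS 1.2 profile with Connection ID and shrinks the record buffers. The macro names are the ones used in Mbed TLS's `config.h`/`mbedtls_config.h`; which of them exist, and their defaults, depend on the Mbed TLS version, so treat the fragment as an assumption to check against the config file shipped with the version you build, and keep the `check_config.h` include that the full file ends with.

```c
/* Illustrative Mbed TLS options for a constrained DTLS 1.2 LwM2M client.
 * Assumption: these replace the corresponding lines in the full config file;
 * they are not a complete configuration on their own. */

/* DTLS 1.2 client only, with the DTLS-specific protections and CID. */
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
#define MBEDTLS_SSL_CID_IN_LEN_MAX   32
#define MBEDTLS_SSL_CID_OUT_LEN_MAX  32

/* PSK key exchange only: leave MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED,
 * MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECP_C and MBEDTLS_BIGNUM_C undefined so
 * that no certificate parsing or public-key arithmetic is linked in. */
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED

/* Enough crypto for one AEAD PSK suite (AES-CCM with a SHA-256 PRF),
 * plus the RNG the handshake needs. */
#define MBEDTLS_AES_C
#define MBEDTLS_CCM_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_MD_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_CTR_DRBG_C

/* CoAP/LwM2M messages are small: size the record buffers for them
 * instead of the 16 KiB default of MBEDTLS_SSL_MAX_CONTENT_LEN. */
#define MBEDTLS_SSL_IN_CONTENT_LEN   1024
#define MBEDTLS_SSL_OUT_CONTENT_LEN  1024
```

The two content-length options are the ones that move the heap figure asked about in the thread, since each SSL context allocates an input and an output buffer of roughly that size; the key-exchange and cipher options are what move the flash figure, consistent with the observation that crypto, not the TLS state machine, dominates code size.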

@sbernard31
Contributor

@hannestschofenig correct me if I'm wrong, but it seems to me that mbedTLS also brings Connection ID, which is a great feature for LWM2M, correct?

> These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.

About integrating mbedTLS, I think providing an example could be a good start.

> I think the question should be if tinydtls and/or mbedtls should be part of the wakaama core implementation in the future.

> From a security point of view this is not ideal. Everyone who doesn't use the examples implements their own security layer. So these changes tend not to be pushed back directly. In addition, the implementations are copied and this leads to errors that could be avoided.

Very good question but not so easy to decide. I guess it depends on:

Personally, I have no answer but I feel these are good questions for Wakaama Committers and Community.

@hannestschofenig
Author

@sbernard31 Yes, Mbed TLS provides CID support for DTLS 1.2.

@LukasKarel

> These repos are unfortunately not publicly available. But it should be pretty straightforward to implement a running prototype based on the current examples. Maybe I have some old files around and could create a working draft later this week.

> About integrating mbedTLS, I think providing an example could be a good start.

I provided a sample but keep in mind, it is only a sample.

My opinion: Before thinking about integrating DTLS into wakaama (even multiple libraries), I would discuss the possibility to use wakaama with different CoAP libraries, or even a MQTT/HTTP library, and try to separate the layers.

@tuve
Contributor

tuve commented Sep 27, 2021

I think separation and layering in general is a better approach. Especially if we want to support anything other than CoAP, as it is right now I think that would be quite hard.

@boaks

boaks commented Sep 29, 2021

> Yes, Mbed TLS provides CID support for DTLS 1.2.

Be careful, if you use it!
You must use the right IANA code-point for the extension, depending on which version of the DTLS 1.2 CID draft you want to use, or must use because it's the only one implemented in the mbedtls version you are using. At least, if you want to use it with Californium or Leshan.

mbedTLS - Update DTLS CID implementation to comply with the "final" draft

zephyr - DTLS connection ID
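The interop check boaks describes above, as an added example that is not code from this thread, Wakaama, Mbed TLS or Californium: walk the extensions block of the peer's ClientHello or ServerHello and report which connection_id code point it actually carries. Assumptions: extension type 54 is the IANA-assigned value in RFC 9146 and 254 the provisional value used by earlier drafts (verify both against the library version you build); the extension body is `opaque cid<0..2^8-1>`; and the sample byte strings are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DTLS 1.2 connection_id extension code points.
 * Assumption: 54 is the IANA value in RFC 9146; 254 is the provisional
 * value used by earlier drafts and by older Mbed TLS versions. */
#define CID_EXT_FINAL   54
#define CID_EXT_LEGACY  254

typedef struct {
    int      found;     /* 1 if a connection_id extension was present */
    uint16_t ext_type;  /* code point the peer actually sent */
    size_t   cid_len;   /* length of the CID the peer asks us to use */
    uint8_t  cid[255];
} cid_info_t;

/* Walk a Hello extensions block: uint16 total length, then repeated
 * { uint16 type; uint16 len; opaque data[len]; }.  Records the CID
 * extension if present.  Returns 0 for a well-formed block, -1 if it
 * is truncated or an inner length overruns the block. */
int find_cid_extension(const uint8_t *buf, size_t buflen, cid_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (buflen < 2)
        return -1;
    size_t total = ((size_t)buf[0] << 8) | buf[1];
    if (total + 2 > buflen)
        return -1;                       /* declared length exceeds buffer */
    size_t pos = 2, end = 2 + total;
    while (pos < end) {
        if (end - pos < 4)
            return -1;                   /* no room for type + length */
        uint16_t type = (uint16_t)(((uint16_t)buf[pos] << 8) | buf[pos + 1]);
        size_t len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (len > end - pos)
            return -1;                   /* body overruns the block */
        if (type == CID_EXT_FINAL || type == CID_EXT_LEGACY) {
            /* body is opaque cid<0..2^8-1>: one length byte, then the CID */
            if (len < 1 || (size_t)buf[pos] != len - 1)
                return -1;
            out->found = 1;
            out->ext_type = type;
            out->cid_len = buf[pos];
            memcpy(out->cid, buf + pos + 1, out->cid_len);
        }
        pos += len;
    }
    return 0;
}

/* Convenience wrapper: the CID code point in use, 0 if none, -1 if malformed. */
int cid_codepoint(const uint8_t *buf, size_t buflen)
{
    cid_info_t info;
    if (find_cid_extension(buf, buflen, &info) != 0)
        return -1;
    return info.found ? (int)info.ext_type : 0;
}

/* Constructed sample extension blocks (not captured traffic): a
 * supported_groups extension (type 10, secp256r1) followed by a
 * connection_id extension carrying the 2-byte CID ab cd. */
static const uint8_t SAMPLE_FINAL[] = {
    0x00, 0x0f,                                     /* extensions length 15 */
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17, /* supported_groups */
    0x00, 0x36, 0x00, 0x03, 0x02, 0xab, 0xcd        /* connection_id, type 54 */
};
static const uint8_t SAMPLE_LEGACY[] = {
    0x00, 0x0f,
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17,
    0x00, 0xfe, 0x00, 0x03, 0x02, 0xab, 0xcd        /* connection_id, type 254 */
};
static const uint8_t SAMPLE_NONE[] = {
    0x00, 0x08,
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17
};
static const uint8_t SAMPLE_TRUNCATED[] = {         /* last CID byte missing */
    0x00, 0x0f,
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17,
    0x00, 0x36, 0x00, 0x03, 0x02, 0xab
};

int main(void)
{
    const uint8_t *blocks[] = { SAMPLE_FINAL, SAMPLE_LEGACY, SAMPLE_NONE, SAMPLE_TRUNCATED };
    const size_t lens[] = { sizeof SAMPLE_FINAL, sizeof SAMPLE_LEGACY,
                            sizeof SAMPLE_NONE, sizeof SAMPLE_TRUNCATED };
    for (size_t i = 0; i < 4; i++) {
        int cp = cid_codepoint(blocks[i], lens[i]);
        if (cp == -1)      printf("block %zu: malformed extensions block\n", i);
        else if (cp == 0)  printf("block %zu: no connection_id extension\n", i);
        else if (cp == 54) printf("block %zu: connection_id type 54 (RFC 9146)\n", i);
        else               printf("block %zu: connection_id type %d (legacy draft)\n", i, cp);
    }
    return 0;
}
```

Run it against the extensions block of a Hello you captured from your own client or from the Leshan/Californium server: if one side reports 54 and the other 254, the two stacks will negotiate without CID at best and fail the handshake at worst, which is the mismatch the comment warns about.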

@hannestschofenig
Author

I will submit a PR to the Mbed TLS repo to make this update.

@hannestschofenig
Author

I have updated the Mbed TLS CID implementation: Mbed-TLS/mbedtls#5061

6 participants