UDP Protection - OpenSSL or GnuTls or ...?

I need to protect my UDP traffic. As I understand it, DTLS is the best way to do this. There is another one - IPsec - but it does not seem to be applicable to me because it is not easy to use and there may be hardware problems.

I found that there are several libraries that have DTLS. So now I'm trying to choose between OpenSSL and GnuTLS. Could you advise me which is better to use? What are the disadvantages or advantages? Or maybe there is another library with DTLS support?

Thanks.

+8
security linux udp openssl
2 answers

I found the following facts about libraries and DTLS.

  • There is another library with DTLS support - CyaSSL, but it only supports DTLS in test mode.

  • Although RFC 4347 dates from April 2006, OpenSSL has supported DTLS since 2005 (v0.9.8). Many Linux distributions include this release. The OpenSSL API looks a little ugly, but it looks like the DTLS implementation is stable.

  • GnuTLS has supported DTLS since 2011 (v3.0.0). It seems that Linux distributions have not yet included this version. (For example, Ubuntu 11.04 uses v2.8.6, and Ubuntu 11.10 will use v2.10.5, not v3.0.0.) There is no information about when v3.0 will be used. It can be built manually; however, it depends on too many additional libraries, which may not have built-in support in some distributions.

  • It seems that all of these libraries can be used on other platforms (such as Windows).

  • Known OpenSSL issue: OpenSSL has compression enabled by default for DTLS, but it should not. The OpenSSL v0.9.8 API does not provide any way to disable compression. The method must be implemented manually.

SUMMARY:

Speaking of usability, I personally would prefer the GnuTLS API, but at that time OpenSSL looked preferable.

+11

IPsec is the oldest and, therefore, the most compatible and stable, but it requires work from the sysadmin and can be quite difficult for beginners. DTLS solves the problem on the application side, where the programmer can greatly simplify things and integrate with existing environments with fewer changes.

The choice between OpenSSL and GnuTLS is almost always due to the license.

The OpenSSL license includes an advertising clause:

3. All promotional materials that mention features or use of this software should display the following confirmation: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

GnuTLS from Wikipedia:

GnuTLS was originally created to allow GNU project applications to use secure protocols such as TLS. Although OpenSSL already existed, the OpenSSL license is not compatible with the GPL; [4] GPL software, such as GNU software, cannot use OpenSSL without making a GPL linking exception.

http://en.wikipedia.org/wiki/GnuTLS

+5