How is the progress to support DTLS

satay
Hello team,

I am looking for a load balancer to support DTLS on UDP and found that
there is experimental DTLS support in specific version 1.13.0 Nginx.
http://nginx.org/patches/dtls/README.txt 

Just curious about the progress of releasing the official feature?  And is
it being supported in Nginx Plus?

Thanks,
Ted

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278434#msg-278434

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: How is the progress to support DTLS

Maxim Konovalov
Hi Ted,

On 09/02/2018 10:44, aperfectman wrote:
> Hello team,
>
> I am looking for a load balancer to support DTLS on UDP and found that
> there is experimental DTLS support in specific version 1.13.0 Nginx.
> http://nginx.org/patches/dtls/README.txt 
>
> Just curious about the progress of releasing the official feature?  And is
> it being supported in Nginx Plus?
>
Have you tested the patch? Any feedback?

Thanks,

Maxim

--
Maxim Konovalov

Re: How is the progress to support DTLS

satay
Hello Maxim,

Yes, I tested it based on the instruction but it didn't work. The error was

"DTLSv1_listen error -1 (SSL: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, udp
client: 127.0.0.1..."

However, with the same key, it worked with goldy
https://developer.ibm.com/code/open/projects/goldy/

So I think my key pair should be good.

Any suggestion?


Thanks,
Ted

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278460#msg-278460

Re: How is the progress to support DTLS

satay
Ted,

I had a similar issue recently and found out that the NGINX patch for DTLS
doesn't seem to support PSK. Depending on the client cipher negotiation at
handshake time you might or might not encounter "no shared cipher". If you
can, you should force your client to use an "SSL" cipher supported by nginx
(and not a PSK one).

Regards
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278478#msg-278478
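
The mismatch described in the reply above, as an added illustration that is not part of the thread and is not nginx code: it compares the suites a DTLS client offers with those a certificate-only server accepts and reports why no suite is shared. The cipher rows are constructed samples in the column layout of `openssl ciphers -v`, the server list is an assumption, and the function names are hypothetical.

```python
# Constructed sample rows in the column layout of `openssl ciphers -v`.
PSK_ONLY_CLIENT = """
PSK-AES128-CCM8       TLSv1.2 Kx=PSK  Au=PSK Enc=AESCCM8(128) Mac=AEAD
PSK-AES128-CBC-SHA    SSLv3   Kx=PSK  Au=PSK Enc=AES(128)     Mac=SHA1
"""
MIXED_CLIENT = PSK_ONLY_CLIENT + """
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""
# Assumed server side: certificate-based suites only, no PSK.
CERT_SERVER = """
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
"""


def parse_ciphers(listing):
    """Map suite name -> attribute dict (Kx, Au, Enc, Mac) for each row."""
    suites = {}
    for row in listing.strip().splitlines():
        fields = row.split()
        if not fields:
            continue  # tolerate blank rows between blocks
        suites[fields[0]] = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return suites


def uses_psk(attrs):
    # Pre-shared-key suites show Kx=PSK, DHEPSK, ECDHEPSK or RSAPSK.
    return "PSK" in attrs.get("Kx", "")


def explain_handshake(client_listing, server_listing):
    """Return (verdict, shared suites in the client's preference order)."""
    client = parse_ciphers(client_listing)
    server = parse_ciphers(server_listing)
    shared = [name for name in client if name in server]
    if shared:
        return "ok", shared
    if client and all(uses_psk(a) for a in client.values()):
        return "client offers only PSK suites", []
    return "no overlap", []


if __name__ == "__main__":
    for label, offer in (("psk-only", PSK_ONLY_CLIENT), ("mixed", MIXED_CLIENT)):
        print(label, explain_handshake(offer, CERT_SERVER))
```
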

Re: How is the progress to support DTLS

satay
In reply to this post by satay
Ted,
A patched version of NginxPlus is available on request from Nginx customer
care (based on 1.18.0).
AFAIK the DTLS feature is expected to be deployed in either next or the
other one release.
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278479#msg-278479

Re: How is the progress to support DTLS

satay
In reply to this post by Maxim Konovalov
Hi Maxim,

Tested the NginxPlus patch for DTLS. UDP healthchecking doesn't work
(proxy_timeout 1s, proxy_responses:1, my server answers every single request
right away). Reproducible with Californium Scandium demos.
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278480#msg-278480

Re: How is the progress to support DTLS

satay
In reply to this post by Maxim Konovalov
I have been using it for more than a year now for more than 500 IoT devices
with a cellular connection that connect on average about 4 times per day. My
experience has been very positive: easy to set up and no issues at all (both
for the 1.13.0 and the 1.13.9 patch).

As NGINX is at 1.17 already, I'd like to update as well. Are there any plans
to either release a new patch, or preferably, integrate this into the main
product?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,285590#msg-285590

Re: How is the progress to support DTLS

Vladimir Homutov
On Tue, Sep 10, 2019 at 05:12:48AM -0400, everhardt wrote:
> I have been using it for more than a year now for more than 500 IoT devices
> with a cellular connection that connect on average about 4 times per day. My
> experience has been very positive: easy to set up and no issues at all (both
> for the 1.13.0 and the 1.13.9 patch).
>
> As NGINX is at 1.17 already, I'd like to update as well. Are there any plans
> to either release a new patch, or preferably, integrate this into the main
> product?

Currently there are no such plans.

What kind of functionality are you using? Do you terminate DTLS or proxy
it? For the latter, you don't need patches, as recent nginx versions
support UDP "sessions".

Re: How is the progress to support DTLS

satay
I’m using it for termination.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,285603#msg-285603
