How is the progress to support DTLS

How is the progress to support DTLS

orsolya.magos
Hello team,

I am looking for a load balancer to support DTLS on UDP and found that
there is experimental DTLS support in specific version 1.13.0 Nginx.
http://nginx.org/patches/dtls/README.txt 

Just curious about the progress of releasing the official feature?  And is
it being supported in Nginx Plus?

Thanks,
Ted

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278434#msg-278434

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: How is the progress to support DTLS

Maxim Konovalov
Hi Ted,

On 09/02/2018 10:44, aperfectman wrote:
> Hello team,
>
> I am looking for a load balancer to support DTLS on UDP and found that
> there is experimental DTLS support in specific version 1.13.0 Nginx.
> http://nginx.org/patches/dtls/README.txt 
>
> Just curious about the progress of releasing the official feature?  And is
> it being supported in Nginx Plus?
>
Have you tested the patch?  Any feedback?

Thanks,

Maxim

--
Maxim Konovalov

Re: How is the progress to support DTLS

orsolya.magos
Hello Maxim,

Yes, I tested it based on the instruction but it didn't work. The error was

"DTLSv1_listen error -1 (SSL: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, udp
client: 127.0.0.1..."

However, with the same key, it worked with goldy
https://developer.ibm.com/code/open/projects/goldy/

So I think my key pair should be good.

Any suggestion?


Thanks,
Ted

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278460#msg-278460

Re: How is the progress to support DTLS

orsolya.magos
Ted,

I had a similar issue recently and found out that the NGINX patch for DTLS
doesn't seem to support PSK. Depending on the client cipher negotiation at
handshake time you might or might not encounter "no shared cipher". If you
can, you should force your client to use an "SSL" cipher supported by nginx
(and not a PSK one).

Regards
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278478#msg-278478
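
The diagnosis in the reply above can be checked from a capture of the client's first datagram. This added example (not code from the thread, nginx, or the DTLS patch) parses a DTLS ClientHello and reports whether the offer is PSK-only and which suites a certificate-only server could select. Assumptions: `SERVER_SUITES` is an illustrative set rather than the patch's actual list, the function names are hypothetical, and the sample datagrams are constructed.

```python
import struct

# IANA names for the suites used in the constructed samples below.
SUITES = {
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
}
# Assumption: a server that only offers certificate-authenticated suites.
SERVER_SUITES = {0xC02B, 0xC02F, 0xC0AE}

def client_hello_suites(datagram):
    """Return the cipher suite IDs offered in a DTLS ClientHello datagram."""
    try:
        if datagram[0] != 22 or datagram[13] != 1:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 13 + 12 + 2 + 32        # record hdr, handshake hdr, version, random
        pos += 1 + datagram[pos]      # skip session_id
        pos += 1 + datagram[pos]      # skip cookie (empty in the first flight)
        (nbytes,) = struct.unpack_from("!H", datagram, pos)
        return list(struct.unpack_from(f"!{nbytes // 2}H", datagram, pos + 2))
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def diagnose(datagram, server_suites=SERVER_SUITES):
    """Report what the client offered and what the server could pick."""
    offered = client_hello_suites(datagram)
    names = [SUITES.get(s, f"0x{s:04X}") for s in offered]
    return {
        "offered": names,
        "shared": [n for s, n in zip(offered, names) if s in server_suites],
        "psk_only": bool(names) and all("_PSK_" in n for n in names),
    }

def build_client_hello(suites):
    """Build a constructed DTLS 1.2 ClientHello (no cookie, no extensions)."""
    body = b"\xfe\xfd" + bytes(32) + b"\x00\x00"
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    size = len(body).to_bytes(3, "big")
    hs = b"\x01" + size + b"\x00\x00" + b"\x00\x00\x00" + size + body
    return b"\x16\xfe\xfd" + bytes(8) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(diagnose(build_client_hello([0xC0A8, 0x00AE])))   # PSK-only client
    print(diagnose(build_client_hello([0xC0A8, 0xC0AE])))   # mixed offer
```

An empty `shared` list together with `psk_only` set to true is the situation that produces "no shared cipher" on the server side; a mixed offer leaves at least one suite the server can pick.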

Re: How is the progress to support DTLS

orsolya.magos
In reply to this post by orsolya.magos
Ted,
A patched version of NginxPlus is available on request from Nginx customer
care (based on 1.18.0).
AFAIK the DTLS feature is expected to be deployed in either the next release
or the one after.
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278479#msg-278479

Re: How is the progress to support DTLS

orsolya.magos
In reply to this post by Maxim Konovalov
Hi Maxim,

Tested the NginxPlus patch for DTLS. UDP healthchecking doesn't work
(proxy_timeout 1s, proxy_responses:1, my server answers every single request
right away). Reproducible with Californium Scandium demos.
Sekine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278434,278480#msg-278480
