2

There are several implementations of TLS that support DTLS 1.2. Wikipedia has an exhaustive link here.

My reading points to the classic OpenSSL, LibreSSL, BoringSSL and Mbed TLS as viable options. I am only interested in the DTLS 1.2 API and nothing more. I have no interest in usage of the API elsewhere.

OpenSSL seems to be bogged down with a lot of old protocol and usage baggage. Mbed TLS's implementation approach appears to be good, but it rarely figures in any comparison. I wonder why? Is it incomplete in any way?

If anyone has evaluated the above, or any other TLS implementation, purely for the DTLS 1.2 API, which one would you suggest?

Sunny

1 Answer

2

Mbed TLS is a lightweight, configurable TLS library. It was initially designed for the embedded world and is currently used by a large number of users and companies on all kinds of setups, from constrained devices to large servers. Mbed TLS was previously known as PolarSSL, so you may want to check both names when searching for references online. You can find more information about Mbed TLS here:

Ron Eldor
  • Thank you for your answer. I am interested in the DTLS 1.2 support purely for building a WebRTC gateway where RTP/RTCP is secured through SRTP, which requires DTLS-SRTP support. That is, the DTLS extension for SRTP. Does your DTLS 1.2 implementation support this? Admittedly I have not gone through your documentation but will do so now. – Sunny Feb 12 '18 at 12:05
  • @sam unfortunately, Mbed TLS does not support DTLS-SRTP at the moment, but it is Work In Progress – Ron Eldor Feb 12 '18 at 13:33
  • If and when it supports DTLS-SRTP, which is relatively not that difficult of an addition, then I think that Mbed TLS will become THE choice for WebRTC gateways, mixers and the like. Mbed TLS's simplicity is unbeatable. I think that for general usage of TLS outside the embedded world, Mbed TLS has not received that much traction because users are shy to move away from OpenSSL or LibreSSL. That can change overnight with support for DTLS-SRTP. Just my two cents... – Sunny Feb 12 '18 at 14:26
  • Thank you for your thoughts. We will take that into consideration! – Ron Eldor Feb 12 '18 at 14:59
  • Late thought. Would it be accurate to say that, as DTLS 1.2 supported by Mbed TLS will provide the keys required for SRTP, that itself will suffice, for example, to use libraries such as libsrtp? – Sunny May 09 '18 at 03:43
  • Hi Sam, you could watch the [PR](https://github.com/ARMmbed/mbedtls/pull/1540) with DTLS-SRTP support. It is still not ready, but it could give you some idea on the planned design. Mbed TLS will not support the full SRTP stack, only the DTLS-SRTP key negotiation according to the SRTP profile. – Ron Eldor May 10 '18 at 07:24
  • Thanks for the update. I think the DTLS-SRTP key negotiation support is good enough, and then I can use libsrtp from there, which I presume is what Mbed TLS possibly expects users to do to use the full SRTP stack. – Sunny May 12 '18 at 16:02
  • I see that there are new updates on DTLS-SRTP support in Mbed TLS. Great.... I am tied up with another project but will give it a try at some point in the near future. – Sunny Jul 18 '18 at 12:15
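
The comments above describe the DTLS library negotiating the SRTP keys and a separate SRTP library such as libsrtp consuming them. As an added example (not code from this thread, Mbed TLS or libsrtp), the C below splits the RFC 5764 exporter output (label "EXTRACTOR-dtls_srtp") into per-direction key||salt buffers; `dtls_srtp_split` and the profile table are hypothetical names, with profile values taken from RFC 5764 and RFC 7714.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DTLS-SRTP protection profiles: id, master key length, master salt length. */
typedef struct { uint16_t id; size_t key_len; size_t salt_len; } srtp_profile_t;

static const srtp_profile_t PROFILES[] = {
    { 0x0001, 16, 14 },  /* SRTP_AES128_CM_HMAC_SHA1_80 */
    { 0x0002, 16, 14 },  /* SRTP_AES128_CM_HMAC_SHA1_32 */
    { 0x0007, 16, 12 },  /* SRTP_AEAD_AES_128_GCM */
    { 0x0008, 32, 12 },  /* SRTP_AEAD_AES_256_GCM */
};

#define SRTP_MAX_MASTER_LEN (32 + 14)  /* size callers should give tx and rx */

/* Hypothetical helper, not an Mbed TLS or libsrtp API.
 * km is the exporter output, laid out by RFC 5764 section 4.2 as
 *   client_key | server_key | client_salt | server_salt
 * (both keys first, then both salts; not key/salt pairs).
 * Writes key||salt for the sending (tx) and receiving (rx) direction.
 * Returns the per-direction length, or 0 on any error. */
size_t dtls_srtp_split(uint16_t profile_id, int is_client,
                       const uint8_t *km, size_t km_len,
                       uint8_t *tx, uint8_t *rx)
{
    const srtp_profile_t *p = NULL;
    for (size_t i = 0; i < sizeof PROFILES / sizeof PROFILES[0]; i++)
        if (PROFILES[i].id == profile_id) p = &PROFILES[i];
    if (p == NULL || km == NULL || tx == NULL || rx == NULL) return 0;

    size_t k = p->key_len, s = p->salt_len;
    if (km_len != 2 * (k + s)) return 0;  /* wrong amount of exporter output */

    const uint8_t *ckey = km, *skey = km + k;
    const uint8_t *csalt = km + 2 * k, *ssalt = km + 2 * k + s;

    /* Each side sends with its own write key and receives with the peer's. */
    memcpy(tx,     is_client ? ckey  : skey,  k);
    memcpy(tx + k, is_client ? csalt : ssalt, s);
    memcpy(rx,     is_client ? skey  : ckey,  k);
    memcpy(rx + k, is_client ? ssalt : csalt, s);
    return k + s;
}
```

The exporter buffer and both outputs hold long-term session secrets, so the caller should zeroize them once the SRTP sessions have been created.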