Missing (D)TLS IoT oriented features in Java world ?

[sbernard31]

I'm the main maintainer of Leshan project : a Java LwM2M implementation hosted by Eclipse Foundation.

Until now we are using Scandium (a java DTLS 1.2 implementation hosted Eclipse foundation from Californium project) but recently I need to look at TLS 1.2 for Leshan (because we try to add coaps+tcp support) and I came to the conclusion that :

There is not so good choice in Java world for DTLS and TLS for IoT.

I ask myself if my assumption :

• is wrong ? and so I maybe missed something.
• OR is right ? and so we are probably several to face this situation and maybe we can collectively try to improve it.

I created a github repository and begin to summarize some information about that : https://github.com/sbernard31/thermos

The idea would be to :

• Make a good big picture of the situation,
• Collect needs from IoT Java Community,
• Report our need to existing (D)TLS implementation, (to maybe impact their TODO list)

• Find collective solution ?

  I try to talk about that at security-dev mailing list from OpenJDK and this is not clear if they will work to improve that situation, here is a link to that discussion : https://mail.openjdk.org/pipermail/security-dev/2024-March/038906.html

  After speaking with Frederic Desbiens, he advises me to contact Hono project as it could be interested ? If you are, do not hesitate to discuss with us at https://github.com/sbernard31/thermos.

[sophokles73]

I am not sure if I understand correctly. Do you want to improve the existing DTLS implementation in OpenJDK?

[sbernard31]

Uups, bad point for me it will be hard to involve people if I'm not clear. I should consider to review my text to improve this.

So try to summarize better.

My understanding :

• IoT use cases need some DTLS and TLS features.

• This feature are rarely implemented in Java world. (not an OpenJDK problem only)

  This sounds a problem for Leshan project but I tell myself this could be a general problem for others Java IoT project.

  So I create this project to (collectively?) :

  • Make a good big picture of the situation, (List IoT feature and which libraries implements what)
  • Collect needs from IoT Java Community, (List most needed feature from IoT)
  • Report our need to existing (D)TLS implementation, (Hoping we can impact their TODO list)
  • Find collective solution ? (this is unclear for now but could looks like https://github.com/sbernard31/thermos/issues/3)

Do you want to improve the existing DTLS implementation in OpenJDK?

This could be a way (lobbying to change OpenJDK TODO list and/OR try to help pushing code). But maybe not the only one possible solution, we could also imagine to try to add needed API in OpenJDK and push implementation in BouncyCastle. OR maybe work on a durable project which host an mbedTLS java binding?

I don't know exactly :shrug: But first we must be sure that IoT Java Developers agree about the situation and collects their needs then later see how we can solve it.

(Note that I'm not just talking about DTLS but also TLS in version 1.2 and/or 1.3)

Do not hesitate to ask again if still not clear :slightly_smiling_face: