eclipse / paho.mqtt-sn.embedded-c

Paho C MQTT-SN gateway and libraries for embedded systems. Paho is an Eclipse IoT project.
https://eclipse.org/paho

Consider adding support for DTLS #90

Closed amq closed 3 years ago

amq commented 6 years ago

Currently, MQTT-SN doesn't provide any security. Till lately it would make perfect sense: TLS doesn't support UDP. But now we have DTLS.

Especially DTLS+PSK could be useful, because it creates much smaller overhead than exchanging certificates and it can be used for authentication.

If you don't want it in upstream, because MQTT-SN with DTLS has not been standardized yet, I'd be extremely grateful even for a simplified implementation example with mbed-tls in wiki.

jue89 commented 6 years ago

Hi @amq,

I am working on something similar. Have you already done some work on that topic? Maybe we can try to collaborate :) I started with some kind of concept and am trying to find a solution for some problems:

crmolinaz commented 6 years ago

Hi, I'm trying to use TLS over MQTT-SN with the Paho Java library. So I understand from reading your post that it is not possible to do it. Am I right?

Which solution are you working on?

imranbilal1 commented 5 years ago

Hello @amq @jue89 @ty4tw, I have had some success integrating a dtls-server into MQTT-SN [for unicast traffic]. So far, it waits for the incoming reserved [encapsulated Client Hello] packet and, as soon as it gets it, it performs the 1st handshake flight to check for the mutual cipher. Afterwards [on success] it aborts the session. I have a question to ask: from the behavior of UDP and DTLS that I have studied so far, we need to perform the handshake process [blocking I/O] in a locked mechanism, which might require timer functionality ('DTLS_set_timer_cb()' for example) to do the job right. Am I right? If so, then how do we operate the timers? Did you make your own implementation for that? If so, please update us with your findings or at least give some directions. Any help in this regard would be much appreciated.
I am trying to negotiate between a [3rd party] RTOS Mbed-Nucleo-L476RG and a Raspberry-Pi.
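On the timer question raised in the comment above, an added example that is not part of the thread or of the Paho code: Mbed TLS (the library named in the opening request) drives DTLS handshake retransmission through a set/get callback pair registered with `mbedtls_ssl_set_timer_cb()`, and the sketch below implements that contract over a millisecond tick. The names `dtls_timer_t`, `dtls_timer_set`, `dtls_timer_get` and the `fake_now_ms` tick source are assumptions made for illustration; on a target the tick would come from the RTOS.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tick source: on the target this would read the RTOS
 * millisecond counter. A plain variable here so the example runs offline. */
static uint32_t fake_now_ms;
static uint32_t now_ms(void) { return fake_now_ms; }

/* Timer state passed to the TLS stack as the opaque callback context. */
typedef struct {
    uint32_t start_ms; /* tick value when the timer was armed */
    uint32_t int_ms;   /* intermediate delay */
    uint32_t fin_ms;   /* final delay; 0 means the timer is cancelled */
} dtls_timer_t;

/* Same shape as mbedtls_ssl_set_timer_t: arm both delays, or cancel. */
void dtls_timer_set(void *ctx, uint32_t int_ms, uint32_t fin_ms)
{
    dtls_timer_t *t = ctx;
    t->int_ms = int_ms;
    t->fin_ms = fin_ms;
    if (fin_ms != 0)
        t->start_ms = now_ms();
}

/* Same shape as mbedtls_ssl_get_timer_t:
 * -1 cancelled, 0 nothing expired, 1 intermediate expired, 2 final expired. */
int dtls_timer_get(void *ctx)
{
    dtls_timer_t *t = ctx;
    if (t->fin_ms == 0)
        return -1;
    /* Unsigned subtraction stays correct when the tick counter wraps. */
    uint32_t elapsed = now_ms() - t->start_ms;
    if (elapsed >= t->fin_ms)
        return 2; /* the stack retransmits the flight or gives up */
    return elapsed >= t->int_ms ? 1 : 0;
}

/* With Mbed TLS the pair would be registered as:
 *   mbedtls_ssl_set_timer_cb(&ssl, &timer, dtls_timer_set, dtls_timer_get); */
int main(void)
{
    dtls_timer_t timer = {0, 0, 0};
    dtls_timer_set(&timer, 500, 1000);
    fake_now_ms += 1000; /* constructed: pretend one second has passed */
    printf("timer state after 1000 ms: %d\n", dtls_timer_get(&timer));
    return 0;
}
```

Because the stack only polls the get callback, no interrupt or extra thread is required; the socket read just has to return often enough for the poll to happen.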

Pmctst commented 5 years ago

Hello team,

I have a module which does not support DTLS but PSK. Is it possible to use this Gateway with PSK?

I have checked the configuration files but I have just seen information about CA, certificates and private key.

saumilsdk commented 4 years ago

We are also looking for secure message transfer over UDP. Please let me know if MQTT-SN now supports DTLS?

ty4tw commented 3 years ago

Enhancement complete

saumilsdk commented 3 years ago

Great work @ty4tw