I think you are right because ZMTP negotiates the protocol with each mechanism instance, and there is a mechanism instance for each connection.

But I am not sure.

Laurent


On 01/04/2014 10:04, Goswin von Brederlow wrote:
On Mon, Mar 31, 2014 at 09:27:20PM +0200, Laurent Alebarde wrote:
Hi Greg,

As far as I know, encryption is per socket. So you can have one
context, and in this context, one CURVE socket for the wild, and one
NULL socket for your homeland.

Laurent

On 31/03/2014 21:12, Greg Ward wrote:
Hi all --

I'm helping maintain a ZeroMQ-based system that currently uses a
homebrew cryptosystem on top of libzmq 3.2.4. Obviously I'd like to
upgrade to curve and libzmq 4. While I'm doing that, I'd like to
change it so that only untrusted connections (across the Internet) are
subject to encryption and authentication. Connections within our data
center do not need the overhead.

My understanding is that encryption/authentication is per-context, so
the server process that talks to both remote hosts (across the
Internet) and local hosts (inside our data center) would need *two*
contexts. Is this correct?

My rationale, incidentally, is twofold: 1) reduce administrative
overhead, 2) reduce latency. Of course we need to maintain keys and
certificates for the hosts that we talk to out there on the Internet,
but it's annoying that we have to maintain them for hosts inside our
data center. I'd like to get rid of that. I also want to ditch the
overhead (network and CPU) of crypto + authentication when we don't
need it. Not sure how big a factor that is with libzmq 4, but it's
definitely a factor with our current homebrew cryptosystem.

        Greg
Now an interesting question is:

Can I have ONE (server) socket that accepts both CURVE and NULL connects?

I imagine on connect a ZAP request is generated and the ZAP handler
could accept NULL connects for local IPs and only CURVE for external
ones.

Is that possible? Or does setting a CURVE keypair for the (server)
socket require all connects to use CURVE?

Kind regards
        Goswin

PS: Google did not encrypt traffic within its own network for the same
reasons and then the NSA did listen in. Are you sure your network is
really 100% secure?
_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev

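The ZAP-side policy Goswin sketches above (NULL allowed from data-center addresses, CURVE with a known client key required from everywhere else) can be written down as a pure decision function over the ZAP request frames. The following is an added example, not code from the thread or from libzmq: it implements the frame layout of RFC 27 (version, request id, domain, address, identity, mechanism, credentials in; version, request id, status code, status text, user id, metadata out) with no dependency on pyzmq, so it runs offline. The network ranges and the 32-byte CURVE key in the allow-list are constructed placeholders. Note that in libzmq the mechanism itself is a per-socket option (ZMQ_CURVE_SERVER and friends), so this handler decides whether a connection is authorised given the mechanism the socket already negotiated; it does not switch mechanisms on one socket.

```python
import ipaddress
from typing import Dict, List

# Constructed policy for this example (assumptions, not from the thread):
# peers on these networks may connect with the NULL mechanism; everyone else
# must present a known CURVE client key.  Adjust to the real data-center ranges.
DATA_CENTER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed allow-list: 32-byte CURVE client public key -> user id.
# Real keys come from your certificate store; these bytes are placeholders.
ALLOWED_CURVE_CLIENTS: Dict[bytes, bytes] = {
    bytes(range(32)): b"remote-client-1",
}

ZAP_VERSION = b"1.0"


def _reply(request_id: bytes, status: bytes, text: bytes, user_id: bytes = b"") -> List[bytes]:
    # ZAP reply layout (RFC 27): version, request id, status code, status text,
    # user id, metadata.  Metadata is left empty here.
    return [ZAP_VERSION, request_id, status, text, user_id, b""]


def handle_zap_request(frames: List[bytes]) -> List[bytes]:
    """Decide on one ZAP request and build the reply frames.

    Request layout (RFC 27): version, request id, domain, address, identity,
    mechanism, then zero or more credential frames (for CURVE: the client's
    32-byte long-term public key).
    """
    if len(frames) < 6:
        return _reply(frames[1] if len(frames) > 1 else b"", b"500", b"malformed ZAP request")
    version, request_id, _domain, address, _identity, mechanism = frames[:6]
    credentials = frames[6:]

    if version != ZAP_VERSION:
        return _reply(request_id, b"500", b"unsupported ZAP version")

    try:
        peer_ip = ipaddress.ip_address(address.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return _reply(request_id, b"400", b"unparseable peer address")
    inside_data_center = any(peer_ip in net for net in DATA_CENTER_NETS)

    if mechanism == b"NULL":
        # NULL carries no credentials, so the only thing we can check is
        # where the TCP connection came from.  This trusts the network.
        if inside_data_center:
            return _reply(request_id, b"200", b"OK", b"data-center-peer")
        return _reply(request_id, b"400", b"NULL mechanism only permitted from the data center")

    if mechanism == b"CURVE":
        # CURVE credentials: exactly one frame holding the client's public key.
        if len(credentials) == 1 and len(credentials[0]) == 32:
            user_id = ALLOWED_CURVE_CLIENTS.get(credentials[0])
            if user_id is not None:
                return _reply(request_id, b"200", b"OK", user_id)
        return _reply(request_id, b"400", b"unknown CURVE client key")

    # PLAIN or anything else is not part of this policy.
    return _reply(request_id, b"400", b"mechanism not permitted")


def zap_status(frames: List[bytes]) -> bytes:
    """Just the status code for a request (handy for checks and logging)."""
    return handle_zap_request(frames)[2]


def make_request(address: str, mechanism: str, *credentials: bytes, request_id: bytes = b"1") -> List[bytes]:
    # Constructed request frames, shaped like what libzmq sends to the handler.
    return [ZAP_VERSION, request_id, b"global", address.encode(), b"", mechanism.encode(), *credentials]


if __name__ == "__main__":
    for req in (
        make_request("10.1.2.3", "NULL"),
        make_request("203.0.113.7", "NULL"),
        make_request("203.0.113.7", "CURVE", bytes(range(32))),
        make_request("203.0.113.7", "CURVE", bytes(32)),
        make_request("10.1.2.3", "PLAIN", b"user", b"pass"),
    ):
        print(req[3].decode(), req[5].decode(), "->", zap_status(req).decode())
```

To wire this into a real process with pyzmq, a handler thread binds a REP socket to inproc://zeromq.zap.01 in the same context before the application sockets bind, loops on recv_multipart(), passes the frames to handle_zap_request(), and sends the result back with send_multipart(). Two caveats a deployment should keep in mind: libzmq only issues a ZAP request for NULL connections when the socket has a non-empty ZMQ_ZAP_DOMAIN, and the NULL branch above authorises purely on the peer address, which is exactly the "is your network really 100% secure" trust assumption raised in the PS.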
