I do have a use case that is even more complicated then simply upgrading UDP to DTLS.
CAPWAP is runnig unencrypted and DTLS traffic on the same socket. It distinguished between the traffic with a small header in front of the payload packet. I therefore need a demultiplexer on the UDP socket that removes the header and passes the encrypted payload to the DTLS stack.
There is somewhat similar problem when doing EAP-TLS over RADIUS or DIAMETER. The TLS traffic is encapsulated within RADIUS/DIAMETER requests and needs to be passed into the TLS stack and the replies need to encapsultated with RADIUS/DIAMETER.
The current socket abstraction in the SSL app is not prepared to handle this and would need invasive changes.
A simplistic workarround would be to forward the DTLS traffic on loopback UDP socket. Hwever that would incure additional latency, signaling overhead and would make detection of failed connections more difficult. I therefore don't want to go there.
A supported and documented API to pass (D)TLS traffic into the SSL app and get status change events and the decoded payload data back from the SSL app would IMHO help a lot.
Just some quick idea:
%% Create a new passive SSL connection of given type, return a opaque identifier.
ssl:create_connection(Protocol :: 'stream' | 'datagram', Opts) -> ssl_connection_id().
%% Pass received SSL traffic into the connection,
%% Return error, ok or Data to return on the connection.
ssl:recv(Connection :: ssl_connection_id(), EncData :: binary()) ->
{error, Error} | ok | {ok, {send, Data :: binary()}}.
%% Pass unencrypted traffic into the SSL app
ssl: send(Connection :: ssl_connection_id(), PlainText :: binary()) ->
{error, Error} | ok | {ok, {send, EncData :: binary()}}.
%% The owner of the connection is then getting messages like:
%% - send encrypted data:
%% {ssl, Connection :: connection_id(), {send, EncData :: binary()}}
%% - got plaintext data:
%% {ssl, Connection :: connection_id(), {recv, PlainText :: binary()}}
%% - connection event:
%% {ssl, Connection :: connection_id(), Event :: ssl_connection_event()}
Wheter ssl:recv and ssl:send return data or use a message to the owner should depend on a mode setting (e.g. active, passive...)
What do you think? Comments?
Regards
Andreas
[...]