Update offloaded TLSSocket to TLSSocket design #12089
Conversation
|
@kivaisan, thank you for your changes. |
There was a problem hiding this comment.
Look really good to me.
I just wanted to ask for one minor update in a part which was already there (regarding DTLSSocketWrapper) and a few typo corrections.
@AnttiKauppila , a side note: should we add some more information about DTLSSocketWrapper here?
| * `TLSSocket::connect()` is always blocking | ||
| * Can only use server and client certificates through `set_root_ca_cert()` and `set_client_cert_key()` methods. For other use cases, internal Mbed TLS structures are exposed. | ||
| * No PSK mode | ||
|
|
||
| Offloaded vs. Mbed TLS based TLSSocket: | ||
| * For offloaded TLS socket `set_root_ca_cert()` and `set_client_cert_key()` must be called after `TLSSocket::open()` and before `TLSSocket::connect()`. | ||
| * Offloaded TLS socket API does not support all Mbed TLS based TLSSocket methods, but commot (i.e. `open()`, `connect()`, `close()` and setting certficates) use the same API. |
There was a problem hiding this comment.
typo? "commot" -> "common"
| # System Architecture and High-Level Design | ||
|
|
||
| Secure socket consist of two classes: | ||
| Mbed TLS based secure socket consist of two classes: | ||
|
|
||
| * `TLSocketWrapper` <br> | ||
| Which handles initialization of TLS library and does TLS handsake. Takes any Socket as a |
There was a problem hiding this comment.
I know this has been here before, but it is actually not true: We have a DTLSSocketWrapper for datagram sockets. Perhaps we could add an explanation here?
There was a problem hiding this comment.
Also DTLSSocket needs to be added. But I'll create a new internal task add those, so let's leave those out from this PR.
| @@ -75,13 +106,13 @@ Aim is to first support only certificate based authentication, so we implement o | |||
|
|
|||
| ## High Level Design Goal 3: Support both blocking and non-blocking operations | |||
|
|
|||
| As the Mbed TLS is already work with both socket types, we are able to `TLSocketWrapper` | |||
| As the Mbed TLS already work with both socket types, we are able to `TLSocketWrapper` | |||
There was a problem hiding this comment.
I think this was meant to be "As the Mbed TLS already works with both socket types, we are able to create TLSocketWrapper that can handle both types as well."
I am sorry for this nitpicking, but once we are doing some corrections, let's make them final ;-)
There was a problem hiding this comment.
No problem. Fixed.
|
|
||
| ## Security | ||
|
|
||
| Offloaded TLS socket has one major security difference compared to Mbed TLS based secure socket. In Mbed TLS secure socket data is encrypted already by application processor and therefore all user data between MCU and network interface HW is encrypted. But with offloaded TLS socket, encryption happens in network stack, which can be implemented in network HW resultin in data between MCU and network HW being unencrypted (e.g. in cellular case, UART traffic between MCU and cellular modem). |
There was a problem hiding this comment.
typo? "resultin" -> "resulting"
There was a problem hiding this comment.
@kivaisan , you're right. Getting this document right in face of DTLSSocketWrapper needs a separate task.
All fine with me now.
|
@AnotherButler can you pls review |
|
In the interim I will kick the ci off |
Edit document, mostly for clarity and missing words.
|
CI started |
adbridge
added
release-version: 6.0.0-alpha-1
Summary of changes
Added offloded TLSSocket sections into TLSSocket design document.
Code has already been merged with PR #11357.
Impact of changes
Migration actions required
Documentation
Pull request type
Test results
Reviewers