As a fun project to learn Nim (enjoying it so far!), I've decided to make a simple TFTP client/server program. One thing I wanted to try was adding encryption to the UDP traffic (maybe with a new TFTP option).
It looks like this can be done with the DTLS protocol, which OpenSSL has support for. Unfortunately I couldn't find anything in std/openssl. Is there any way to request this feature in future? Networks aren't my forte, so it's all a bit above me, though I will keep trying to get it working myself :)
There is no DTLS support in Nim.
This is something that we will likely slowly work toward at Status (Nim's biggest backer, https://nim-lang.org/sponsors.html) as it's needed for WebRTC.
> Is there any way to request this feature in future? Networks aren't my forte, so it's all a bit above me, though I will keep trying to get it working myself :)
OpenSSL is a notoriously hard library to use. I suggest you look at example repos like this: https://github.com/paullouisageneau/libdatachannel/blob/34e7d48/src/impl/dtlstransport.cpp#L370-L638
That's not enough; the client and server need to negotiate the secret key to be able to use encryption (or better, AEAD, authenticated encryption).
In libsodium that's in the key exchange session: https://doc.libsodium.org/key_exchange/
Note that creating protocols like this is the dangerous part of "rolling your own crypto", and they are untestable against a reference implementation, so don't use it for sensitive data, only for learning.
@federico3 Ah, that's a shame, but understandable. Thanks for the links! The TFTP protocol provides a basic retransmission scheme. I believe the authors chose UDP because it was the simplest available, though it's not a requirement. I could switch to TCP, but I'm enjoying figuring this all out.
@mratsim Thanks for the help! I've got a basic DTLS server working in C now, so I'll work towards improving and porting it. If I get a working Nim version I'll post a GitHub link for anyone that stumbles on this in future. And yeah, I figured it's best to use OpenSSL DTLS to avoid implementing my own encryption for that very reason. Not like my code'll be used for anything important, but best practices and all that.