On 1/29/26 10:44 PM, James Hanley via stunnel-users wrote:
I’m not sure if this is the right forum but adding CoAP/CoAP support analogous to http/https but for both TCP/TLS & UDP/DTLS would be useful for testing. -Jim

If you run CoAP over TCP (RFC 8323) with coaps+tcp:// (that is, CoAP over TCP secured with TLS), stunnel should work for you as it is.

Since CoAP does not support in-band security negotiation (security is selected via the URI scheme, similar to HTTP vs HTTPS), what you need is likely either:

1. DTLS support for stunnel (I added it to https://www.stunnel.org/TODO.html).

   Pros:
   - Fairly easy to implement.
   - Protocol agnostic (will encapsulate most UDP-based protocols, and not just CoAP).

   Cons:
   - Does not support CoAP-specific end-to-end features enabled by OSCORE (for example, proxy caching of protected responses).
   - Requires OpenSSL, which is often too heavy for smaller IoT devices.

2. A dedicated CoAP↔OSCORE wrapper (analogous to stunnel as a TCP↔TLS wrapper). This would not be a transparent tunnel, but a CoAP-aware wrapper that terminates and re-originates CoAP messages.

   Pros:
   - Additional CoAP-specific features.
   - Can be implemented with a tiny cryptographic library.

   Cons:
   - Way more complex to implement than just adding DTLS support to stunnel.
   - Only useful with CoAP.

Does my analysis make sense?

Please contact me directly if you consider sponsoring additional features.

Best regards,
Mike
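
The coaps+tcp case from the reply above, sketched as an added stunnel configuration that is not part of the original message or the stunnel project's own material. Host names, file paths and service names are assumptions; the ports are the RFC 8323 defaults (5683 for coap+tcp, 5684 for coaps+tcp).

```ini
; Added example. The two sections belong in separate stunnel.conf files,
; one per host. Host names and file paths are placeholders.

; --- Client host ---------------------------------------------------------
; The local CoAP client is pointed at coap+tcp://127.0.0.1:5683 and stunnel
; carries that TCP stream to the remote coaps+tcp endpoint over TLS.
[coap-client]
client = yes
accept = 127.0.0.1:5683
connect = coap.example.net:5684
; Validate the server certificate chain and host name. Without these
; checks the tunnel is encrypted but the peer is not authenticated.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = coap.example.net
sslVersionMin = TLSv1.2

; --- Server host ---------------------------------------------------------
; stunnel terminates TLS on the coaps+tcp port and forwards the plaintext
; stream to a CoAP-over-TCP server bound to loopback only.
[coap-server]
accept = 5684
connect = 127.0.0.1:5683
cert = /etc/stunnel/coap.example.net.pem
key = /etc/stunnel/coap.example.net.key
sslVersionMin = TLSv1.2
```

Because stunnel only wraps the TCP byte stream, this covers coaps+tcp alone; CoAP over UDP still needs the DTLS support or the OSCORE wrapper discussed in the reply.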