I’m not sure if this is the right forum but adding CoAP/CoAP support analogous to http/https but for both TCP/TLS & UDP/DTLS would be useful for testing. -Jim
If you run CoAP over TCP (RFC 8323) with coaps+tcp:// (that is, CoAP over TCP secured with TLS), stunnel should work for you as it is.
Since CoAP does not support in-band security negotiation (security is selected via the URI scheme, similar to HTTP vs HTTPS), what you need is likely either:
1. DTLS support for stunnel (I added it to https://www.stunnel.org/TODO.html).
Pros:
- Fairly easy to implement.
- Protocol agnostic (will encapsulate most UDP-based protocols, and not just CoAP).
Cons:
- Does not support CoAP-specific end-to-end features enabled by OSCORE (for example, proxy caching of protected responses).
- Requires OpenSSL, which is often too heavy for smaller IoT devices.
2. A dedicated CoAP↔OSCORE wrapper (analogous to stunnel as a TCP↔TLS wrapper). This would not be a transparent tunnel, but a CoAP-aware wrapper that terminates and re-originates CoAP messages.
Pros:
- Additional CoAP-specific features.
- Can be implemented with a tiny cryptographic library.
Cons:
- Way more complex to implement than just adding DTLS support to stunnel.
- Only useful with CoAP.
Does my analysis make sense? Please contact me directly if you consider sponsoring additional features.
Best regards,
Mike
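The coaps+tcp case from the reply above (CoAP over TCP per RFC 8323, secured with TLS, which stunnel can wrap as it is) worked out as a pair of stunnel configuration files. This is an added example for readers of the thread, not configuration posted by either participant or shipped with stunnel; the hostname coap-server.example.net and the certificate paths are placeholders. The port numbers follow RFC 8323: 5683 for coap+tcp, 5684 for coaps+tcp. The UDP/DTLS case is deliberately not shown, since stunnel does not provide it.

```ini
; ---- client side (stunnel-client.conf) ----------------------------
; A CoAP client that only speaks plain coap+tcp sends to 127.0.0.1:5683;
; stunnel wraps each TCP connection in TLS and forwards it to the
; remote coaps+tcp endpoint.  RFC 8323 frames CoAP messages inside the
; TCP stream, so stunnel needs no knowledge of CoAP at all.
client = yes
; Assumed CA bundle path; adjust for your distribution.
CAfile = /etc/ssl/certs/ca-certificates.crt

[coap-tcp-client]
accept  = 127.0.0.1:5683
; Assumed remote host name; replace with the real CoAP server.
connect = coap-server.example.net:5684
; Reject servers whose certificate chain does not validate or whose
; certificate does not match the host name we intended to reach.
verifyChain = yes
checkHost   = coap-server.example.net

; ---- server side (stunnel-server.conf) ----------------------------
; Terminates TLS on the coaps+tcp port and hands the plain coap+tcp
; stream to a CoAP server listening on the loopback interface only.
[coaps-tcp-server]
accept  = 5684
connect = 127.0.0.1:5683
; Assumed certificate and key paths for the CoAP server identity.
cert = /etc/stunnel/coap-server.pem
key  = /etc/stunnel/coap-server.key
```

Each file is started with `stunnel <file>`. With this in place the test client can use `coap+tcp://127.0.0.1/...` unchanged while the wire carries TLS; the `verifyChain`/`checkHost` pair is what turns the tunnel from mere encryption into an authenticated connection, and leaving it out reproduces the classic unauthenticated-TLS mistake. Binding the backend CoAP server to 127.0.0.1 matters on the server side too, otherwise the plaintext port stays reachable alongside the protected one.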