Improve support for Transport Layer Security (TLS) protocol

[brainslog]

Currently the TLS support in Diameter stack is somewhat "proprietary", based mostly on the way RFC 6733 specifies, and it's known to work properly between two jDiameter instances but not so much with other stack implementations.

This should be revised and made available in both modes (RFC 3588 and RFC 6733), being defined by configuration (if possible, on a per peer basis).

It should be tested against other implementations (freeDiameter, seagull, etc).

[deruelle]

@coolface88 I assigned the issue to you. Feel free to ask any questions here or/and report back regularly on progress. Thanks !

[coolface88]

Great! I will do some investigation first. Thanks

[coolface88]

I have built jDiameter successfully, now I am digging into the code and docs for insights..I am also trying to setup segull and the simulator found in this link http://docs.telestax.com/jdiameter-quick-telscale-diameter-performance-testing-using-seagull/

[deruelle]

Thanks for the update @coolface88 !

[coolface88]

I have excuted TLS testing scenarios configured with seagull client and jDiameter server..get an error of SSL_ERROR_WANT_READ from openssl..I will analyse more from tcpdump and enabled debug log.

[deruelle]

Thanks for the update @coolface88, keep us updated

[brainslog]

@coolface88, it's somewhat expected that Seagull and jDiameter won't work properly with TLS. IIRC in jDiameter it's being used RFC 6733 compliant TLS (CER is sent over TLS connection) while seagull uses RFC 3588 TLS (where CER is exchanged and only after successful capabilities negotiation, the transport is upgraded to TLS).

Having the RFC 3588 behavior implemented would be a good first step, after that, adding the possibility to choose between the different types, via configuration.

[coolface88]

@brainslog, thanks for your info..it is actually Seagull can work with both RFC 3588 and RFC 6733 based on its configuration scenerios. I was able to test both of them and it worked. At a first glance, I think jDiameter is complying with RFC 3588 not RFC 6733. Anyway I undersand your requirement will do it :)

[deruelle]

@coolface88 were you able to make progress on this ?

[coolface88]

@deruelle Hi, sorry last week I did not touch much. I have excuted the client/server with trace log enabled and understood the execution flow. I have changed the jDiameter code of server side to work with TLS. Hopefully, I will finish this week. Thanks , BR ... Hung