Hi, I'm working on a server/client project in C# that uses both TCP (for logging in and other stuff) and UDP (for streaming voice). The problem is that I need to use SslStream for UDP, but as far as I know it's not possible to do SSL authentication over a protocol with no delivery guarantees. So is there any way to do the authentication using TCP and then use SslStream for UDP?
1 Answer
2
Not knowing much about C# and SslStream, but: UDP is a datagram protocol and it does not guarantee packet delivery or ordering, and can even deliver duplicates. TCP instead is a stream protocol which guarantees delivery etc. TLS works only on top of a protocol like TCP and not on top of UDP.
For UDP you would need to use DTLS instead. According to Wikipedia the Microsoft TLS stack SChannel has supported DTLS 1.0 since Windows 7 and Windows 2008 R2. But when searching for C# DTLS, lots of questions show up but nothing which would indicate that there is native support for DTLS in C#. Some third-party libraries do show up in this search, though, which might help with your problem.

Steffen Ullrich
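Added illustration (editor's example, not part of the answer above or of any library mentioned in the thread): a constructed Python toy record layer that shows the property the answer relies on. TLS keeps the record sequence number implicit, so the receiver counts records itself; the first lost, reordered or duplicated datagram makes its integrity check fail and, as in real TLS, the connection is dead from then on. DTLS puts a 2-byte epoch and a 6-byte sequence number in every record header and keeps a sliding anti-replay window, so each datagram can be verified on its own, duplicates are dropped and the association keeps going. The 8-byte HMAC tag, `KEY` and `MESSAGES` are stand-ins for a real cipher suite and handshake-derived keys; the DTLS handshake itself (retransmission timers, cookie exchange, fragmentation) is not modelled.

```python
# Constructed toy: TLS-style implicit sequence numbers vs DTLS-style explicit
# epoch/sequence numbers with an anti-replay window. HMAC tag stands in for a cipher suite.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"                           # a real key comes from the handshake
MESSAGES = [b"voice frame %d" % i for i in range(4)]    # constructed sample datagrams
TAG_LEN = 8

def _tag(key, seq64, payload):
    """Integrity tag bound to the 64-bit record sequence number."""
    return hmac.new(key, struct.pack(">Q", seq64) + payload, hashlib.sha256).digest()[:TAG_LEN]

class TlsStyleSender:
    """TLS record protection: the sequence number is implicit, never on the wire."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, payload):
        record = payload + _tag(self.key, self.seq, payload)
        self.seq += 1
        return record

class TlsStyleReceiver:
    """Counts records itself, so one lost or reordered datagram desynchronises it."""
    def __init__(self, key):
        self.key, self.seq, self.dead = key, 0, False

    def unprotect(self, record):
        if self.dead:
            return None
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, self.seq, payload)):
            self.dead = True                # TLS sends a fatal alert and closes
            return None
        self.seq += 1
        return payload

class DtlsStyleSender:
    """DTLS record protection: 2-byte epoch and 6-byte sequence number in the header."""
    def __init__(self, key, epoch=0):
        self.key, self.epoch, self.seq = key, epoch, 0

    def protect(self, payload):
        header = struct.pack(">H", self.epoch) + self.seq.to_bytes(6, "big")
        seq64 = (self.epoch << 48) | self.seq
        self.seq += 1
        return header + payload + _tag(self.key, seq64, payload)

class DtlsStyleReceiver:
    """Verifies each datagram with the header's sequence number and keeps a 64-entry
    sliding anti-replay window (RFC 6347 section 4.1.2.6); bad datagrams are just dropped."""
    WINDOW = 64

    def __init__(self, key):
        self.key, self.highest, self.window = key, -1, 0

    def unprotect(self, record):
        if len(record) < 8 + TAG_LEN:
            return None
        epoch = struct.unpack(">H", record[:2])[0]
        seq64 = (epoch << 48) | int.from_bytes(record[2:8], "big")
        payload, tag = record[8:-TAG_LEN], record[-TAG_LEN:]
        if seq64 <= self.highest:
            behind = self.highest - seq64
            if behind >= self.WINDOW or (self.window >> behind) & 1:
                return None                 # too old or already seen: replay, discard
        if not hmac.compare_digest(tag, _tag(self.key, seq64, payload)):
            return None                     # corrupted or forged: discard, keep going
        if seq64 > self.highest:            # newest so far: slide the window forward
            ahead = seq64 - self.highest
            self.window = ((self.window << ahead) | 1) & ((1 << self.WINDOW) - 1) if ahead < self.WINDOW else 1
            self.highest = seq64
        else:                               # late but fresh: mark it as seen
            self.window |= 1 << (self.highest - seq64)
        return payload

def _deliver(sender, receiver, order, corrupt):
    """Protect MESSAGES, then feed records to the receiver in network order. `order` lists
    message indices (repeats = duplicates, omissions = loss); positions in `corrupt` get
    one payload byte flipped in transit."""
    sent = [sender.protect(m) for m in MESSAGES]
    out = []
    for pos, i in enumerate(order):
        rec = sent[i]
        if pos in corrupt:
            rec = rec[:-TAG_LEN - 1] + bytes([rec[-TAG_LEN - 1] ^ 0x01]) + rec[-TAG_LEN:]
        out.append(receiver.unprotect(rec))
    return out

def run_tls_style(order, corrupt=()):
    return _deliver(TlsStyleSender(KEY), TlsStyleReceiver(KEY), order, set(corrupt))

def run_dtls_style(order, corrupt=()):
    return _deliver(DtlsStyleSender(KEY), DtlsStyleReceiver(KEY), order, set(corrupt))
```

Compare `run_tls_style([0, 2, 3, 3])` with `run_dtls_style([0, 2, 3, 3])`: with frame 1 lost and frame 3 duplicated, the TLS-style receiver rejects the first record after the gap and returns nothing afterwards, while the DTLS-style receiver returns frames 0, 2 and 3 and silently drops the duplicate. Over TCP the implicit counter never desynchronises, which is why SslStream only runs on a stream. It also shows why the handshake cannot simply be moved to the TCP connection: the keys and counters protecting the datagrams are derived from the handshake that produced them, so the DTLS handshake has to run over the UDP path itself.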
- Thanks for your answer. Yes, unfortunately there is no native library for .NET, and I just found OpenSSL, which provides a wrapper class for .NET, but I couldn't find anything about DTLS in its documentation even though they support it :(. Do you know any place I could start learning it? – Farid Fereidooni May 01 '16 at 15:19
- @farid_92: unfortunately not really. If you search for DTLS examples you will find various ones, but mostly in C, so you need to apply this to C# somehow. I have no idea about the API the OpenSSL bindings provide for .NET, but even the documentation of their C API lacks a lot, so one often has to learn from looking at examples (if available) or the source code itself :( – Steffen Ullrich May 01 '16 at 16:02
- [DTLS.Net](https://github.com/CreatorDev/DTLS.Net) implements limited DTLS, see the README. Since it does not have CA verification, it makes the project feasible just for server-to-server communication. – xmedeko Jun 05 '18 at 06:55
- @xmedeko: *"Since it does not have CA verification, then it makes the project feasible just for the server-server communication."* - This statement makes no sense in my opinion. There is always a client role and a server role in TLS/DTLS, i.e. the client is the one initiating the TLS handshake and the server is the one accepting the client. Authentication of the server side by the client side is always needed in TLS/DTLS, since otherwise active man-in-the-middle attacks could not be detected. Authentication is usually done with certificates but can be done in other ways, for example with PSK. – Steffen Ullrich Jun 05 '18 at 07:59
- I do not know DTLS.NET in detail. IMO it means you have to securely transfer the client certificate to the client machine before the communication starts. Which is an acceptable limitation for some environments, while it may be a blocker for common public client-server use. – xmedeko Jun 05 '18 at 11:37
- @SteffenUllrich I've read that [Bouncy Castle](http://www.bouncycastle.org/csharp/) should have DTLS too. But I've not studied the details of it. – xmedeko Jun 05 '18 at 11:39
- @xmedeko: for me it looks like a very limited project which was only developed for a specific use case, supports only very few ciphers, supports only authentication with PSK (no certificate) and ECDSA (ECC certificate, but no check against a CA) and not the common RSA certificates at all. No development to fix this was done in the last two years, so I would consider it unfinished and abandoned. – Steffen Ullrich Jun 05 '18 at 11:52