Hi Tim,

Thanks for the info! Some comments below:

- It is possible to inject and receive DTLS packets via a socket interface. However, demultiplexing of incoming packets is not supported.
- Use_srtp extension is not implemented. Key material extraction is not supported either.
- Certificate verification is possible using a custom X509TrustManager; the certificate can also be verified by the application after the handshake.
- Timeouts are managed by the application. Most DTLS handshake packets can be retransmitted on demand, but see JDK-8263571 <https://bugs.openjdk.org/browse/JDK-8263571>.

Cheers,
Daniel

On Fri, 8 Mar 2024 at 10:56, Tim Panton <t...@westhawk.co.uk> wrote:

> On 8 Mar 2024, at 07:47, Daniel Jeliński <djelins...@gmail.com> wrote:
>
> > Hi Paul,
> > If you're interested in dealing with handshake extensions from user code, that is currently not possible. SSLEngine abstracts away all TLS messaging. SSLParameters can be used to configure a limited subset of extensions to send (like server_name or application protocol), and the negotiated application protocol can be retrieved from SSLEngine, and that's pretty much it.
> >
> > Use_srtp extension is not currently supported by JSSE. If you want to add that support, you'd need to add the appropriate enum values to sun.security.ssl.SSLExtension, using the constructors that specify a producer and a consumer. I'm not familiar with WebRTC or SRTP, so I don't know how that would interact with the rest of the code.
> >
> > If you have an idea how WebRTC / SRTP support could be implemented in JSSE, this is the right place for that discussion.
> >
> > Regards,
> > Daniel
>
> Daniel, hi, following up on Paul’s question…
>
> I've done an integration with BouncyCastle DTLS API with WebRTC’s SRTP (and indirectly paid for the api to exist), here’s what I remember was needed:
>
> 1) Ability to inject and receive DTLS packets via a socket-like interface
>    - WebRTC muxes several protocols onto the same 5tuple ports so we need to manage the packet traffic from a UDP socket before it gets to DTLS.
>    - In some cases the DTLS packet is wrapped in a TURN packet on the wire - so you can’t even assume the packet came in on UDP.
> 2) Ability to set and detect the use_srtp Extension
> 3) Ability to verify the self-signed cert offered in the handshake
> 4) Ability to manage the handshake timeouts
> 5) Ability to extract the keyring material post handshake
>
> I haven’t kept up with JSSE DTLS but I don’t remember any of those API points being available.
>
> It would be nice to be able to use JDK/JSSE but to be honest I’m pretty happy with BouncyCastle.
>
> There is an example of our use here:
> whipi/src/main/java/pe/pi/whipi/DTLS.java at d0fe6c06f5b34fa832d1ebce0bd228f066920da0 · pipe/whipi
> <https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java>
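
The custom X509TrustManager route mentioned in the reply, sketched as an added example (not code from this thread, the JDK, or the whipi project): a trust manager that accepts a self-signed peer certificate only when its SHA-256 digest matches a pinned fingerprint. The class name `FingerprintTrustManager`, the helper `dtlsEngine`, and the assumption that the fingerprint arrives out of band over the signalling channel are all hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat; // Java 17+
import javax.net.ssl.*;

/** Added example: trusts a peer only if its leaf certificate matches a pinned SHA-256 fingerprint. */
public final class FingerprintTrustManager implements X509TrustManager {
    private final byte[] pinned;

    /** @param colonHex fingerprint such as "AB:CD:..." obtained out of band (assumed: signalling channel) */
    public FingerprintTrustManager(String colonHex) {
        pinned = HexFormat.ofDelimiter(":").parseHex(colonHex); // throws on malformed input
        if (pinned.length != 32) throw new IllegalArgumentException("expected a SHA-256 fingerprint");
    }

    private void verify(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("no peer certificate");
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // policy choice of this example: reject expired or not-yet-valid certs
        byte[] actual;
        try {
            actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
        } catch (GeneralSecurityException e) {
            throw new CertificateException("cannot hash peer certificate", e);
        }
        // Constant-time comparison; a self-signed cert is accepted only on an exact match.
        if (!MessageDigest.isEqual(pinned, actual)) throw new CertificateException("fingerprint mismatch");
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { verify(chain); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { verify(chain); }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    /** Builds a DTLS engine whose handshake fails unless the peer presents the pinned certificate. */
    public static SSLEngine dtlsEngine(KeyManager[] ownKeys, String peerFingerprint, boolean clientMode)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("DTLS");
        ctx.init(ownKeys, new TrustManager[] { new FingerprintTrustManager(peerFingerprint) }, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);
        // Without this a DTLS server never requests the client's certificate, so nothing is checked.
        if (!clientMode) engine.setNeedClientAuth(true);
        return engine;
    }
}
```

Because the trust manager does no chain building, the pin is the only thing standing between the engine and an arbitrary self-signed certificate, so the fingerprint must come from a channel the application already authenticates.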