> On 8 Mar 2024, at 07:47, Daniel Jeliński <[email protected]> wrote:
>
> Hi Paul,
> If you're interested in dealing with handshake extensions from user code,
> that is currently not possible. SSLEngine abstracts away all TLS messaging.
> SSLParameters can be used to configure a limited subset of extensions to send
> (like server_name or application protocol), and the negotiated application
> protocol can be retrieved from SSLEngine, and that's pretty much it.
>
> Use_srtp extension is not currently supported by JSSE. If you want to add
> that support, you'd need to add the appropriate enum values to
> sun.security.ssl.SSLExtension, using the constructors that specify a producer
> and a consumer. I'm not familiar with WebRTC or SRTP, so I don't know how
> that would interact with the rest of the code.
>
> If you have an idea how WebRTC / SRTP support could be implemented in JSSE,
> this is the right place for that discussion.
>
> Regards,
> Daniel
Daniel, hi, following up on Paul’s question…
I've done an integration with BouncyCastle DTLS API with WebRTC’s SRTP (and
indirectly paid for the api to exist), here’s what I remember was needed:
1) Ability to inject and receive DTLS packets via a socket-like interface
- WebRTC muxes several protocols onto the same 5-tuple ports so we need
to manage the packet traffic from a UDP socket before it gets to DTLS.
- In some cases the DTLS packet is wrapped in a TURN packet on the wire
- so you can't even assume the packet came in on UDP.
2) Ability to set and detect the use_srtp Extension
3) Ability to verify the self signed cert offered in the handshake
4) Ability to manage the handshake timeouts
5) Ability to extract the keying material post handshake
I haven’t kept up with JSSE DTLS but I don’t remember any of those API points
being available.
It would be nice to be able to use JDK/JSSE but to be honest I’m pretty happy
with BouncyCastle.
There is an example of our use here:
https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java
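To make the list above concrete, here is a BouncyCastle DTLS client covering points 2 to 5. This is an added example, not the whipi code or anything posted in the thread; it assumes the org.bouncycastle.tls API of BC 1.7x, that the peer's SHA-256 fingerprint has already been parsed out of the SDP a=fingerprint line, and the hypothetical class and field names shown. Point 1 is the DatagramTransport you pass to DTLSClientProtocol.connect(client, transport), which is where the STUN/RTP/DTLS demuxing and TURN unwrapping has to live.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Hashtable;
import org.bouncycastle.tls.*;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;

public class SrtpDtlsClient extends DefaultTlsClient {
    private static final int[] PROFILES = { SRTPProtectionProfile.SRTP_AES128_CM_HMAC_SHA1_80 };
    private final byte[] expectedSha256;  // assumed: decoded from the peer's SDP a=fingerprint line
    private byte[] srtpKeyingMaterial;    // filled in once the handshake completes

    public SrtpDtlsClient(byte[] expectedSha256) {
        super(new BcTlsCrypto(new SecureRandom()));
        this.expectedSha256 = expectedSha256;
    }
    @Override protected ProtocolVersion[] getSupportedVersions() { return ProtocolVersion.DTLSv12.only(); }
    @Override public Hashtable getClientExtensions() throws IOException {
        // point 2: add use_srtp (RFC 5764) to the ClientHello with the profiles we accept
        Hashtable ext = TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions());
        TlsSRTPUtils.addUseSRTPExtension(ext, new UseSRTPData(PROFILES, new byte[0]));
        return ext;
    }
    @Override public void processServerExtensions(Hashtable serverExt) throws IOException {
        super.processServerExtensions(serverExt);
        // point 2: the server must echo exactly one offered profile, otherwise there is no SRTP
        UseSRTPData chosen = TlsSRTPUtils.getUseSRTPExtension(serverExt);
        int[] p = chosen == null ? null : chosen.getProtectionProfiles();
        if (p == null || p.length != 1 || p[0] != PROFILES[0]) throw new TlsFatalAlert(AlertDescription.handshake_failure);
    }
    @Override public TlsAuthentication getAuthentication() {
        return new TlsAuthentication() {
            public void notifyServerCertificate(TlsServerCertificate sc) throws IOException {
                // point 3: no CA chain here; trust is the fingerprint carried over the signalling channel
                byte[] der = sc.getCertificate().getCertificateAt(0).getEncoded(), actual;
                try { actual = MessageDigest.getInstance("SHA-256").digest(der); }
                catch (java.security.NoSuchAlgorithmException e) { throw new IOException(e); }
                if (!MessageDigest.isEqual(actual, expectedSha256)) throw new TlsFatalAlert(AlertDescription.bad_certificate);
            }
            public TlsCredentials getClientCredentials(CertificateRequest cr) { return null; }
        };
    }
    // point 4: give up on a lost peer instead of retransmitting forever
    @Override public int getHandshakeTimeoutMillis() { return 30_000; }
    @Override public void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        // point 5: RFC 5764 exporter; 2 * (16-byte key + 14-byte salt) = 60 bytes for this profile
        srtpKeyingMaterial = context.exportKeyingMaterial(ExporterLabel.dtls_srtp, null, 60);
    }
    public byte[] getSrtpKeyingMaterial() { return srtpKeyingMaterial; }
}
```

The 60 bytes split as client key, server key, client salt, server salt in that order, which is what the SRTP stack on each side needs to derive its session keys.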