> On 8 Mar 2024, at 07:47, Daniel Jeliński <[email protected]> wrote:
> 
> Hi Paul,
> If you're interested in dealing with handshake extensions from user code, 
> that is currently not possible. SSLEngine abstracts away all TLS messaging. 
> SSLParameters can be used to configure a limited subset of extensions to send 
> (like server_name or application protocol), and the negotiated application 
> protocol can be retrieved from SSLEngine, and that's pretty much it.
> 
> Use_srtp extension is not currently supported by JSSE. If you want to add 
> that support, you'd need to add the appropriate enum values to 
> sun.security.ssl.SSLExtension, using the constructors that specify a producer 
> and a consumer. I'm not familiar with WebRTC or SRTP, so I don't know how 
> that would interact with the rest of the code.
> 
> If you have an idea how WebRTC / SRTP support could be implemented in JSSE, 
> this is the right place for that discussion.
> 
> Regards,
> Daniel

Daniel, hi, following up on Paul’s question… 

I've done an integration with BouncyCastle DTLS API with WebRTC’s SRTP (and 
indirectly paid for the API to exist), here’s what I remember was needed:

1) Ability to inject and receive DTLS packets via a socket-like interface
        - WebRTC muxes several protocols onto the same 5-tuple ports so we need 
          to manage the packet traffic from a UDP socket before it gets to DTLS.
        - In some cases the DTLS packet is wrapped in a TURN packet on the wire, 
          so you can't even assume the packet came in on UDP.
2) Ability to set and detect the use_srtp Extension
3) Ability to verify the self signed cert offered in the handshake
4) Ability to manage the handshake timeouts
5) Ability to extract the keying material post handshake

I haven’t kept up with JSSE DTLS but I don’t remember any of those API points 
being available.

It would be nice to be able to use JDK/JSSE but to be honest I’m pretty happy 
with BouncyCastle.

There is an example of our use here:
https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java
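Two of the API points listed above (point 1, demuxing and un-wrapping the DTLS traffic before it reaches the DTLS stack, and point 5, extracting the SRTP keying material after the handshake) are fully specified in RFCs and can be shown without any particular TLS library. The following is an added example, not code from the whipi project or from either poster: it classifies datagrams sharing one 5-tuple by first byte as RFC 7983 describes, unwraps a TURN ChannelData layer (RFC 8656) when present, and splits the exporter output into the four SRTP master keys and salts laid out in RFC 5764 section 4.2. It assumes the raw keying material has already been obtained from the TLS stack's exporter with the "EXTRACTOR-dtls_srtp" label; the packets and key bytes in the test are constructed values.

```python
"""RFC 7983 demultiplexing on a shared UDP 5-tuple and the RFC 5764
layout of exported DTLS-SRTP keying material (added example)."""
from enum import Enum
from typing import Dict, Optional, Tuple


class Proto(Enum):
    STUN = "stun"
    ZRTP = "zrtp"
    DTLS = "dtls"
    TURN_CHANNEL = "turn-channel"
    RTP = "rtp"          # RTP or RTCP; they share the range
    UNKNOWN = "unknown"


def classify(packet: bytes) -> Proto:
    """Classify a datagram by its first byte (RFC 7983 section 7)."""
    if not packet:
        return Proto.UNKNOWN
    b = packet[0]
    if 0 <= b <= 3:
        return Proto.STUN
    if 16 <= b <= 19:
        return Proto.ZRTP
    if 20 <= b <= 63:
        return Proto.DTLS
    if 64 <= b <= 79:
        return Proto.TURN_CHANNEL
    if 128 <= b <= 191:
        return Proto.RTP
    return Proto.UNKNOWN


def unwrap_turn_channel(packet: bytes) -> Tuple[int, bytes]:
    """Strip one TURN ChannelData header (RFC 8656 section 12.4):
    2-byte channel number (0x4000-0x4FFF), 2-byte length, then the payload."""
    if len(packet) < 4:
        raise ValueError("ChannelData header truncated")
    number = int.from_bytes(packet[:2], "big")
    length = int.from_bytes(packet[2:4], "big")
    if not 0x4000 <= number <= 0x4FFF:
        raise ValueError(f"channel number {number:#06x} out of range")
    if len(packet) < 4 + length:
        raise ValueError("ChannelData payload truncated")
    return number, packet[4:4 + length]


def extract_dtls(datagram: bytes) -> Optional[bytes]:
    """Return the DTLS bytes carried by a datagram, removing one TURN
    ChannelData layer if present; None when the datagram is not DTLS.
    Anything that is not DTLS stays with the ICE/RTP handling code."""
    kind = classify(datagram)
    if kind is Proto.TURN_CHANNEL:
        _, datagram = unwrap_turn_channel(datagram)
        kind = classify(datagram)
    return datagram if kind is Proto.DTLS else None


# (master key length, master salt length) in bytes per SRTP protection
# profile: RFC 5764 section 4.1.2 for the AES-CM profiles, RFC 7714 for GCM.
PROFILES: Dict[str, Tuple[int, int]] = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
    "SRTP_AEAD_AES_128_GCM": (16, 12),
    "SRTP_AEAD_AES_256_GCM": (32, 12),
}


def split_srtp_keying_material(material: bytes, profile: str) -> Dict[str, bytes]:
    """Split the exporter output (label "EXTRACTOR-dtls_srtp", no context)
    into client key, server key, client salt, server salt, in that order
    (RFC 5764 section 4.2). The caller picks which pair it uses to send."""
    key_len, salt_len = PROFILES[profile]
    need = 2 * (key_len + salt_len)
    if len(material) != need:
        raise ValueError(f"{profile} needs {need} exporter bytes, got {len(material)}")
    pos = 0
    parts = {}
    for name, size in (("client_key", key_len), ("server_key", key_len),
                       ("client_salt", salt_len), ("server_salt", salt_len)):
        parts[name] = material[pos:pos + size]
        pos += size
    return parts
```

For the Java integration the same split applies to whatever `exportKeyingMaterial` returns for the negotiated profile; the demux step is what lets a single UDP socket feed STUN to the ICE agent, DTLS to the handshake, and RTP/RTCP to the media path.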