DTLS Support
Scott Palmer
swpalmer at gmail.com
Mon Jul 27 20:24:16 UTC 2020
My goal is implementing a server that can stream video to a browser using the WebRTC standard. WebRTC has good browser support and requires only a few lines of JavaScript code on the client side making it an ideal means to send low-latency video. It has many advantages over other mechanisms like HLS.
I got quite far into it, getting bits and pieces of WebRTC implemented in Java. This includes exchanging SDP Offer/Answer messages and initiating ICE/STUN/TURN protocols to establish connectivity.
At that point WebRTC requires a DTLS handshake that includes the use_srtp extension in both the Client and Server Hello messages. (For media connections anyway.)
I found some sample code for implementing DTLS in Java (DTLSOverDatagram.java from bug 8043758) and tried to make it work. That’s when I discovered that the use_srtp extension was not supported. I could find no way of implementing it myself using the existing classes in the JDK (SSLEngine).
I had hoped, since WebRTC was explicitly called out as motivation for implementing DTLS, that the subsequent DTLS support would actually be usable to make a WebRTC media connection. It seems that while steps were made toward that goal, it wasn’t enough to get there. See the link in my initial message to RFC 5764 (section 4.1) for more information.
Other implementations of WebRTC in Java (e.g. Jitsi) are forced to use the popular Bouncy Castle libraries and implement DTLS without any support from the core Java classes. That is the direction I’m pursuing now, while trying to keep things light-weight. (The Jitsi platform is massive and very poorly documented.)
On another note, it would be really great if creating a certificate was supported in Java SSE. The code is there in the JDK to support keytool, but not as a publicly accessible API. A self-signed certificate is used by WebRTC.
Thank you very much for your consideration.
Scott
> On Jul 27, 2020, at 11:44 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
> Hi Scott,
>
> Thanks for the feedback. May I have more information if there is a real project/requirement for the use_srtp extension? As it would help me plan the priority for the support.
>
>
> I'm thinking about supporting more flexible extension customization, but for now it is not easy to add extensions from the application level.
>
> Thanks,
> Xuelei
>
>> On 7/20/2020 11:00 AM, Scott Palmer wrote:
>> When DTLS support was added in https://bugs.openjdk.java.net/browse/JDK-8043758 DTLS-SRTP and WebRTC were specifically mentioned in the motivation. However, DTLS-SRTP requires the ‘use_srtp’ extension to be in the handshake. (https://tools.ietf.org/html/rfc5764#section-4.1)
>> It appears that extension is still not supported as of JDK 14.
>> Is support for “use_srtp” planned?
>> Is there any way to add extensions to the handshake from the application level?
>> If not, are there any plans to add a mechanism that would allow such customization of the extensions used by the SSLEngine?
>> Scott
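A way to confirm the gap the thread describes, added here as an example and not code from the thread or the JDK: it drives the JDK's DTLS SSLEngine through its first wrap, parses the ClientHello it emits, and lists the extension types, checking for use_srtp (ExtensionType 14 per RFC 5764 section 4.1). It assumes the first wrap returns the whole, unfragmented ClientHello in a single DTLS record.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

public class DtlsHelloExtensions {
    static final int USE_SRTP = 14; // ExtensionType value from RFC 5764 section 4.1

    // Ask the JDK DTLS SSLEngine for its initial flight and return the ClientHello extension types.
    public static List<Integer> clientHelloExtensions() throws Exception {
        SSLContext ctx = SSLContext.getInstance("DTLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out); // assumption: yields one record holding the full ClientHello
        out.flip();
        return parseExtensions(out);
    }

    // Walk one DTLS record containing a ClientHello and collect its extension type codes.
    static List<Integer> parseExtensions(ByteBuffer rec) {
        rec.position(rec.position() + 13); // record header: type(1) version(2) epoch(2) seq(6) length(2)
        rec.position(rec.position() + 12); // handshake header: type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)
        rec.position(rec.position() + 2 + 32);                     // client_version, random
        rec.position(rec.position() + (rec.get() & 0xff));         // session_id
        rec.position(rec.position() + (rec.get() & 0xff));         // cookie (DTLS only)
        rec.position(rec.position() + (rec.getShort() & 0xffff));  // cipher_suites
        rec.position(rec.position() + (rec.get() & 0xff));         // compression_methods
        List<Integer> types = new ArrayList<>();
        if (!rec.hasRemaining()) return types;                     // no extensions block at all
        int end = rec.position() + 2 + (rec.getShort() & 0xffff);
        while (rec.position() < end) {
            types.add(rec.getShort() & 0xffff);                    // extension_type
            rec.position(rec.position() + (rec.getShort() & 0xffff)); // skip extension_data
        }
        return types;
    }

    public static void main(String[] args) throws Exception {
        List<Integer> types = clientHelloExtensions();
        System.out.println("ClientHello extension types: " + types);
        System.out.println("use_srtp present: " + types.contains(USE_SRTP));
    }
}
```

The same parser can be pointed at a ClientHello captured from a browser's WebRTC DTLS flight to compare what a peer actually sends.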