[SPAM] Hello fellow devs!
Tim Panton
thp at westhawk.co.uk
Fri Mar 8 09:56:16 UTC 2024
> On 8 Mar 2024, at 07:47, Daniel Jeliński <djelinski1 at gmail.com> wrote:
>
> Hi Paul,
> If you're interested in dealing with handshake extensions from user code, that is currently not possible. SSLEngine abstracts away all TLS messaging. SSLParameters can be used to configure a limited subset of extensions to send (like server_name or application protocol), and the negotiated application protocol can be retrieved from SSLEngine, and that's pretty much it.
>
> Use_srtp extension is not currently supported by JSSE. If you want to add that support, you'd need to add the appropriate enum values to sun.security.ssl.SSLExtension, using the constructors that specify a producer and a consumer. I'm not familiar with WebRTC or SRTP, so I don't know how that would interact with the rest of the code.
>
> If you have an idea how WebRTC / SRTP support could be implemented in JSSE, this is the right place for that discussion.
>
> Regards,
> Daniel
Daniel, hi, following up on Paul’s question…
I've done an integration with BouncyCastle DTLS API with WebRTC’s SRTP (and indirectly paid for the api to exist), here’s what I remember was needed:
1) Ability to inject and receive DTLS packets via a socket-like interface
- WebRTC muxes several protocols onto the same 5-tuple ports so we need to manage the packet traffic from a UDP socket before it gets to DTLS.
- In some cases the DTLS packet is wrapped in a TURN packet on the wire - so you can’t even assume the packet came in on UDP.
2) Ability to set and detect the use_srtp Extension
3) Ability to verify the self-signed cert offered in the handshake
4) Ability to manage the handshake timeouts
5) Ability to extract the keying material post handshake
I haven’t kept up with JSSE DTLS but I don’t remember any of those API points being available.
It would be nice to be able to use JDK/JSSE but to be honest I’m pretty happy with BouncyCastle.
There is an example of our use here:
https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java
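As an added example (not code from whipi, BouncyCastle or JSSE), here is a producer/consumer pair for the use_srtp extension body from RFC 5764 §4.1, the piece point 2 above asks for; the class and method names are my own, and the MKI is restricted to empty as WebRTC peers send it.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

/** use_srtp extension body (RFC 5764 §4.1.1). Illustrative code, not part of JSSE. */
public final class UseSrtpExtension {
    public static final int EXTENSION_TYPE = 14;               // IANA "use_srtp"
    public static final int SRTP_AES128_CM_HMAC_SHA1_80 = 0x0001;
    public static final int SRTP_AEAD_AES_128_GCM = 0x0007;   // RFC 7714

    /** Producer side: 2-byte list length, 2 bytes per profile, then 1-byte-length MKI. */
    public static byte[] encode(List<Integer> profiles, byte[] mki) {
        if (profiles.isEmpty() || mki.length > 255) throw new IllegalArgumentException("bad use_srtp data");
        ByteBuffer b = ByteBuffer.allocate(2 + 2 * profiles.size() + 1 + mki.length);
        b.putShort((short) (2 * profiles.size()));
        for (int p : profiles) b.putShort((short) p);
        b.put((byte) mki.length).put(mki);
        return b.array();
    }

    /** Consumer side: strict parse rejecting odd lengths, truncation and trailing bytes. */
    public static List<Integer> decode(byte[] body, boolean fromServerHello) {
        ByteBuffer b = ByteBuffer.wrap(body);
        if (b.remaining() < 3) throw new IllegalArgumentException("use_srtp body too short");
        int plen = b.getShort() & 0xFFFF;
        // Need plen profile bytes plus the 1-byte MKI length still in the buffer.
        if (plen < 2 || plen % 2 != 0 || plen > b.remaining() - 1)
            throw new IllegalArgumentException("bad profile list length");
        // RFC 5764 §4.1.2: the server echoes exactly one chosen profile.
        if (fromServerHello && plen != 2) throw new IllegalArgumentException("server must pick one profile");
        List<Integer> profiles = new ArrayList<>();
        for (int i = 0; i < plen; i += 2) profiles.add(b.getShort() & 0xFFFF);
        int mkiLen = b.get() & 0xFF;
        if (mkiLen != b.remaining()) throw new IllegalArgumentException("MKI length mismatch or trailing bytes");
        // Non-empty MKI is legal but WebRTC never uses it; refuse rather than silently ignore it.
        if (mkiLen != 0) throw new IllegalArgumentException("non-empty MKI not supported");
        return profiles;
    }

    /** Server selection: first profile in our preference order that the client offered. */
    public static int select(List<Integer> offered, List<Integer> ourPreference) {
        for (int p : ourPreference) if (offered.contains(p)) return p;
        throw new IllegalArgumentException("no common SRTP protection profile");
    }
}
```

The selected profile is what a handshake-completion hook would hand to the SRTP layer together with the exported keying material from point 5.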