[SPAM] Hello fellow devs!
Daniel Jeliński
djelinski1 at gmail.com
Fri Mar 15 11:29:08 UTC 2024
Hi Tim,
Thanks for the info! Some comments below:
- It is possible to inject and receive DTLS packets via a socket interface.
However, demultiplexing of incoming packets is not supported.
- Use_srtp extension is not implemented. Key material extraction is not
supported either.
- Certificate verification is possible using a custom X509TrustManager; the
certificate can also be verified by the application after the handshake.
- Timeouts are managed by the application. Most DTLS handshake packets can
be retransmitted on demand, but see JDK-8263571
<https://bugs.openjdk.org/browse/JDK-8263571>.
Cheers,
Daniel
pt., 8 mar 2024 o 10:56 Tim Panton <thp at westhawk.co.uk> napisał(a):
>
>
> On 8 Mar 2024, at 07:47, Daniel Jeliński <djelinski1 at gmail.com> wrote:
>
> Hi Paul,
> If you're interested in dealing with handshake extensions from user code,
> that is currently not possible. SSLEngine abstracts away all TLS messaging.
> SSLParameters can be used to configure a limited subset of extensions to
> send (like server_name or application protocol), and the negotiated
> application protocol can be retrieved from SSLEngine, and that's pretty
> much it.
>
> Use_srtp extension is not currently supported by JSSE. If you want to add
> that support, you'd need to add the appropriate enum values to
> sun.security.ssl.SSLExtension, using the constructors that specify a
> producer and a consumer. I'm not familiar with WebRTC or SRTP, so I don't
> know how that would interact with the rest of the code.
>
> If you have an idea how WebRTC / SRTP support could be implemented in
> JSSE, this is the right place for that discussion.
>
> Regards,
> Daniel
>
>
> Daniel, hi, following up on Paul’s question…
>
> I've done an integration with BouncyCastle DTLS API with WebRTC’s SRTP
> (and indirectly paid for the api to exist), here’s what I remember was
> needed:
>
> 1) Ability to inject and receive DTLS packets via a socket-like interface
> - WebRTC muxes several protocols onto the same 5tuple ports so we need to
> manage the packet traffic from a UDP socket before it gets to DTLS.
> - In some cases the DTLS packet is wrapped in a TURN packet on the wire -
> so you cant’t even assume the packet came in on UDP.
> 2) Ability to set and detect the use_srtp Extension
> 3) Ability to verify the self signed cert offered in the handshake
> 4) Ability to manage the handshake timeouts
> 5) Ability to extract the keyring material post handshake
>
> I haven’t kept up with JSSE DTLS but I don’t remember any of those API
> points being available.
>
> It would be nice to be able to use JDK/JSSE but to be honest I’m pretty
> happy with BouncyCastle.
>
> There is an example of our use here :
> [image: whipi.png]
>
> whipi/src/main/java/pe/pi/whipi/DTLS.java at
> d0fe6c06f5b34fa832d1ebce0bd228f066920da0 · pipe/whipi
> <https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java>
> github.com
> <https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java>
>
> <https://github.com/pipe/whipi/blob/d0fe6c06f5b34fa832d1ebce0bd228f066920da0/src/main/java/pe/pi/whipi/DTLS.java>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20240315/ba63f7b7/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: whipi.png
Type: image/png
Size: 43712 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20240315/ba63f7b7/whipi.png>
More information about the security-dev
mailing list