Determining when DTLS handshake has finished


kevinde...@googlemail.com

Mar 28, 2013, 10:56:55 AM
to discuss...@googlegroups.com
How can an application determine when the DTLS handshake has completed and RTP started flowing?

I've seen a couple of situations where the DTLS handshake doesn't work. 

The first is where both sides are passive (server mode) due to nobody including the a=setup:xxx attribute in the SDP. 

The second is when packet loss has caused the first 'certificate verify' packet to be lost and a bug in OpenSSL means that the retransmissions get ignored.

Note that in these cases ICE has completed the checks successfully.

Mamadou

Mar 28, 2013, 11:26:09 AM
to discuss-webrtc
- it's up to the peers to retransmit the DTLS messages. Haven't noticed
any issue on openssl 1.0.1c about it.
- the handshaking is finished when 'SSL_is_init_finished()' returns
true but at this state you're still not ready to receive data as you
don't have SRTP keys yet
- SRTP keys will be sent DTLS-encrypted. Use
SSL_export_keying_material("EXTRACTOR-dtls_srtp") for the keys and
"SSL_get_selected_srtp_profile()" for the SRTP profile
- when both sides are passive or active, you can detect it easily and
recover:
if (dtlsData[0] == 0x16) { // it's a handshake message
    // dtlsData[13] == 0x01 -> Client Hello
    // dtlsData[13] == 0x02 -> Server Hello
    // more info in rfc6347
}
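
Added example (not part of the post above, and not code from WebRTC or OpenSSL): the byte check on offsets 0 and 13, written as a bounds-checked C function that also rejects records from epoch 1 onward, where the handshake bytes are encrypted and offset 13 no longer holds a message type. The type names, function names and sample packets are hypothetical and constructed for illustration; the timeout for the both-passive case is chosen by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DTLS record header (RFC 6347, 4.1): type(1) version(2) epoch(2) seq(6)
 * length(2) = 13 bytes, so the handshake msg_type sits at offset 13. */
enum { REC_HDR_LEN = 13, CT_HANDSHAKE = 0x16, HS_CLIENT_HELLO = 0x01 };

typedef enum { ROLE_ACTIVE, ROLE_PASSIVE } dtls_role;    /* hypothetical names */
typedef enum { PKT_IGNORE, PKT_OK, PKT_BOTH_ACTIVE } dtls_check;

/* Constructed samples: a header-only ClientHello record in epoch 0, and a
 * handshake record in epoch 1 whose fragment would be encrypted. */
static const uint8_t sample_client_hello[] = {
    0x16, 0xFE, 0xFF, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0x00, 0x0C,
    0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_epoch1[] = {
    0x16, 0xFE, 0xFF, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0x00, 0x01, 0x01 };

/* Handshake msg_type of a cleartext handshake record, or -1 if the buffer
 * is not one (short, wrong type/version, bad length, or epoch != 0). */
int dtls_cleartext_hs_type(const uint8_t *p, size_t len)
{
    if (p == NULL || len < REC_HDR_LEN + 1) return -1;
    if (p[0] != CT_HANDSHAKE || p[1] != 0xFE) return -1; /* 0xFEFF or 0xFEFD */
    if (p[3] != 0 || p[4] != 0) return -1;  /* epoch > 0: byte 13 is ciphertext */
    size_t rec_len = ((size_t)p[11] << 8) | p[12];
    if (rec_len < 1 || rec_len > len - REC_HDR_LEN) return -1;
    return p[13];
}

/* A ClientHello arriving while we are the DTLS client means both ends are active. */
dtls_check dtls_check_peer_role(dtls_role local, const uint8_t *p, size_t len)
{
    int t = dtls_cleartext_hs_type(p, len);
    if (t < 0) return PKT_IGNORE;
    return (local == ROLE_ACTIVE && t == HS_CLIENT_HELLO) ? PKT_BOTH_ACTIVE : PKT_OK;
}

/* Both passive: nobody sends a ClientHello, so only a timeout reveals it. */
int dtls_both_passive_suspected(dtls_role local, unsigned hs_seen, unsigned ms, unsigned limit_ms)
{
    return local == ROLE_PASSIVE && hs_seen == 0 && ms >= limit_ms;
}

int main(void)
{
    printf("%d\n", dtls_check_peer_role(ROLE_ACTIVE, sample_client_hello, sizeof sample_client_hello));
    printf("%d\n", dtls_cleartext_hs_type(sample_epoch1, sizeof sample_epoch1));
    return 0;
}
```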

kevinde...@googlemail.com

Mar 28, 2013, 11:45:33 AM
to discuss...@googlegroups.com
The primary issue here is how does the javascript app in the browser discover when RTP is flowing.

The OpenSSL bug has been reported, see http://rt.openssl.org/Ticket/Display.html?id=2958

Vikas

Mar 29, 2013, 8:11:33 PM
to discuss-webrtc
Hi Kevin,

I think you can probably rely on statistics from getStats to see if RTP
is flowing or maybe monitor the ICEConnectionState once it's
connected/completed.

/Vikas

On Mar 28, 8:45 am, kevindempse...@googlemail.com wrote:
> The primary issue here is how does the javascript app in the browser
> discover when RTP is flowing.
>
> The OpenSSL bug has been reported,
> see http://rt.openssl.org/Ticket/Display.html?id=2958

kevinde...@googlemail.com

Apr 2, 2013, 5:06:46 AM
to discuss...@googlegroups.com
Is there any way to find out about failures? Such as the fingerprint not matching the SDP or an expired certificate etc.

Vikas

Apr 2, 2013, 8:33:20 PM
to discuss-webrtc
There has been discussion of adding an event to PeerConnection to
propagate errors like this to the application. However, nothing has
been finalized yet.

/Vikas