PSA: Introducing better checking of STUN messages

[Harald Alvestrand]

It's come to our attention that libwebrtc failed to follow the specs when it came to placement of message integrity attributes; the specs say that these should always be last in the message, followed by FINGERPRINT, and anything after that should be ignored.

libwebrtc will start policing this Real Soon Now; if your code is depending on such misordered attributes, it's time to make a change.

Harald

[[MSFT] Diego Perez Botero]

 Could you please confirm whether this call to action is specifically for non-libwebrtc implementations?  Backwards compatibility between peers running newer/stricter versions of libwebrtc and peers running older versions of libwebrtc wouldn't be impacted, right?

[Philipp Hancke]

all sane implementations I am aware of follow this when generating STUN messages. Some, including libWebRTC, don't strictly follow

   With the exception of the FINGERPRINT 
   attribute, which appears after MESSAGE-INTEGRITY, agents MUST ignore
   all other attributes that follow MESSAGE-INTEGRITY.

from RFC 5389 (or the equivalent section 9 from RFC 8489)

--
This list falls under the WebRTC Code of Conduct - https://webrtc.org/support/code-of-conduct.
---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/discuss-webrtc/ad4fb284-346e-4bf2-bf55-74ae26b5e3abn%40googlegroups.com.