DTLS support on Windows


Rolly Fordham

Nov 19, 2013, 5:51:56 AM
to discuss...@googlegroups.com
I'm struggling to get DTLS working on Windows. I am calling talk_base::InitializeSSL(null) and also applying the DtlsSrtpKeyAgreement:true constraint, but I'm assuming that I'm missing a bunch of other steps as createOffer (or createAnswer) always fails for me and I see log errors like "Error: cannot create identity digest with no identity".  When the DtlsSrtpKeyAgreement constraint is false I can generate offers and answers just fine.

I noticed in sslconfig.h that it looks like SChannel will be used on Windows by default unless you explicitly elect to use OpenSSL or NSS (via the SSL_USE_SCHANNEL or SSL_USE_OPENSSL defines) but I can't see where or if they would be set on Windows. Android, iOS, and Posix all seem to enable them (in common.gypi); it's just Windows that doesn't seem to. It seems like SSLIdentity::FromPEMStrings always returns NULL when SChannel is in play, which would explain the errors I'm seeing.

What's the correct way of enabling OpenSSL (or NSS if I should be using that instead) on Windows? Should I be building OpenSSL and then modifying the various WebRTC build files to reference it?

I've done a bunch of searching on discuss-webrtc without much success. I did find https://code.google.com/p/webrtc/issues/detail?id=1838, which seemed promising, but the issue has already been closed as 'fixed' without mentioning what the resolution was.

I'd appreciate any insight at this point as I feel like I'm probably missing a couple of obvious steps.

This is on Windows with MS Visual Studio 2010.

Gustavo García

Nov 19, 2013, 10:12:10 AM
to discuss...@googlegroups.com

There is an identity object that you can pass to the peerconnection somewhere?  Have you seen it?  I can check my code later.


Rolly Fordham

Nov 19, 2013, 4:57:13 PM
to discuss...@googlegroups.com
Hi!

I'm using a thinly modified version of FakeIdentityService (talk\app\webrtc\test\facedtlsidentityservice.h) as a sort of proof of concept identity service. It just uses a hardcoded key and certificate pair.

The modifications I made to it were:
* remove the test specific stuff (should_fail_ bool)
* change the onMessage handler to handle a single message (MSG_REQUEST_IDENTITY)
* trigger the failure handler if GenerateIdentity fails

The service itself seems to be working correctly.




Philipp Hancke

Nov 22, 2013, 12:58:14 AM
to discuss...@googlegroups.com
> I'm using a thinly modified version of FakeIdentityService (talk\app\webrtc\test\facedtlsidentityservice.h) as a sort of proof of concept identity service. It just uses a hardcoded key and certificate pair.

I don't think you need that, on Linux it's still sufficient to initialize SSL (talk_base::InitializeSSL and talk_base::InitializeSSLThread -- don't forget the cleanup) and add the constraint.

Rolly Fordham

Nov 24, 2013, 6:24:00 PM
to discuss...@googlegroups.com, philipp...@googlemail.com
Thanks Philipp, that's good to know.

I'm definitely calling InitializeSSL and InitializeSSLThread as well as adding the constraint. I'll look over how I'm doing everything again and double check that initialising SSL is definitely succeeding.

Philipp Hancke

Dec 9, 2013, 10:39:05 AM
to Rolly Fordham, discuss...@googlegroups.com
It seems you need NSS on Windows, see https://code.google.com/p/webrtc/issues/detail?q=2707 for some instructions.

Rolly Fordham

Dec 11, 2013, 7:08:29 PM
to Philipp Hancke, discuss...@googlegroups.com

Awesome! Your patch to the WebRTC build files worked for me, DTLS is working fine now.

Thanks Philipp!

titho...@gmail.com

Dec 12, 2013, 4:02:52 AM
to discuss...@googlegroups.com

Confirmed, it works. Thanks guys.