[Nice] DTLS support with libnice

Rajarshi Chaudhuri Rajarshi.Chaudhuri at genesyslab.com
Mon Aug 26 10:08:14 PDT 2013


Thx Youness. Yes, the localhost socket approach is one thing for sure, as you mentioned. Actually, on double-checking I see the BIO structs in OpenSSL allow us to do this without using the socket directly (or changing libnice). Will try both paths and see.

- Rajarshi

-----Original Message-----
From: nice-bounces+rajarshi=genesyslab.com at lists.freedesktop.org [mailto:nice-bounces+rajarshi=genesyslab.com at lists.freedesktop.org] On Behalf Of Youness Alaoui
Sent: Friday, August 23, 2013 6:28 AM
To: nice at lists.freedesktop.org
Subject: Re: [Nice] DTLS support with libnice

Hi Rajarshi,

While you could theoretically access the socket directly, it would not be a good thing to do, because you would still be receiving STUN keep-alive messages which openssl wouldn't be able to parse as DTLS. libnice also has a mechanism for detecting dropped connections, so if you hijack that, it might suddenly go to a failed state. And most importantly, you don't really know which path is going to be chosen: if it goes through a TURN relay, then there needs to be some payloading of each message to tell the TURN server to which channel to send the packets, or on reception, the TURN server will tell us where the packet is actually coming from. If you just use SSL_write and it sends on the socket directly, then it will break TURN support.

One possible solution could be for you to create a localhost socket and use openssl on it: when you SSL_write to it, you'd have another thread reading on the other end whatever openssl sent over that socket, and then you would nice_agent_send it to the peer; and when you receive data from the peer, you could write it to the localhost socket and let openssl receive and decode it.
It's not perfect, but it could be a quick and functional way of doing it, if the openssl API doesn't allow you to do DTLS without hooking directly into a socket.
Another possibility is to see if gnu-tls allows you to do it more easily without that sort of hack.

Good luck,
Youness.

On 08/20/2013 02:05 PM, Rajarshi Chaudhuri wrote:
> Thx Olivier for your reply. I guess based on our timeline - we need to do something similar and quick.
> 
> - RCC
> 
> -----Original Message-----
> From: Olivier Crête [mailto:olivier.crete at collabora.com]
> Sent: Tuesday, August 20, 2013 10:37 AM
> To: Rajarshi Chaudhuri
> Cc: 'nice at lists.freedesktop.org'
> Subject: Re: [Nice] DTLS support with libnice
> 
> On Tue, 2013-08-20 at 07:35 +0000, Rajarshi Chaudhuri wrote:
>> So my question - is there a way to access the UDP sockets used by 
>> libnice so that we could set up DTLS [using open-ssl]. Note that, 
>> once the DTLS handshake is completed, though the actual data is not sent 
>> as DTLS records with SRTP, the data may still need to be sent using
>> SSL_write() - see http://tools.ietf.org/html/rfc5764#section-5.1.1.
>> Also on receiving, as described in section 5.1.2 of the same RFC, we 
>> need to handle SRTP and DTLS messages, and the latter needs to be 
>> handled by open-ssl.
>>
>> Are there other ways of supporting DTLS in libnice directly?
> 
> The way DTLS should be done over libnice is to have a socket abstraction layer and then implement DTLS on top of that. I've done such an implementation in GLib [1][2][3], but it was not merged due to some very real concerns; I haven't had time to re-do it better, but hopefully we can get it done in the near future.
> 
> So depending on what your timeline is you can either wait for us to do it or do something similar.
> 
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=697907
> [2] https://bugzilla.gnome.org/show_bug.cgi?id=697908
> [3] https://bugzilla.gnome.org/show_bug.cgi?id=697909
> 
> --
> Olivier Crête
> olivier.crete at collabora.com
> 
> _______________________________________________
> nice mailing list
> nice at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/nice
> 
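Whichever transport hack is chosen (localhost socket or OpenSSL memory BIOs fed from nice_agent_send/receive callbacks), the receive side still has to sort each datagram by its first byte before anything is handed to OpenSSL, exactly because of the STUN keep-alive problem Youness raises and the demultiplexing rule Rajarshi cites from RFC 5764 section 5.1.2. The following added example is not code from this thread or from libnice; it implements that first-byte demultiplexer in plain C with constructed sample datagrams, and the handler bodies are stand-in counters (the BIO_write/SSL_read and SRTP calls named in the comments are where the real handlers would go, an assumption about the integration rather than anything the thread shows).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Packet classes from RFC 5764 section 5.1.2, decided on the first byte.
 * Bytes outside the three ranges are dropped rather than guessed at. */
typedef enum {
    PKT_STUN,     /* first byte 0..1     */
    PKT_DTLS,     /* first byte 20..63   */
    PKT_RTP_RTCP, /* first byte 128..191 */
    PKT_UNKNOWN   /* anything else: drop */
} pkt_class_t;

pkt_class_t classify_packet(const uint8_t *buf, size_t len)
{
    if (len == 0)
        return PKT_UNKNOWN;
    uint8_t b = buf[0];
    if (b <= 1)
        return PKT_STUN;
    if (b >= 20 && b <= 63)
        return PKT_DTLS;
    if (b >= 128 && b <= 191)
        return PKT_RTP_RTCP;
    return PKT_UNKNOWN;
}

/* Counters standing in for the real handlers. In a libnice integration the
 * assumed handlers would be: STUN -> leave to libnice (never feed OpenSSL),
 * DTLS -> BIO_write() into the SSL object's read memory BIO then SSL_read(),
 * RTP/RTCP -> SRTP unprotect with keys exported from the DTLS session. */
typedef struct {
    unsigned stun, dtls, rtp, dropped;
} demux_stats_t;

void dispatch_packet(demux_stats_t *st, const uint8_t *buf, size_t len)
{
    switch (classify_packet(buf, len)) {
    case PKT_STUN:     st->stun++;    break;
    case PKT_DTLS:     st->dtls++;    break;
    case PKT_RTP_RTCP: st->rtp++;     break;
    default:           st->dropped++; break;
    }
}

/* Constructed sample datagrams (only the leading bytes matter here). */
static const uint8_t sample_stun[] = {0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42}; /* STUN Binding Request */
static const uint8_t sample_dtls[] = {0x16, 0xFE, 0xFD, 0x00, 0x00};                   /* DTLS handshake record */
static const uint8_t sample_rtp[]  = {0x80, 0x60, 0x00, 0x01};                         /* RTP v2 header */
static const uint8_t sample_rtcp[] = {0x81, 0xC8, 0x00, 0x06};                         /* RTCP SR */
static const uint8_t sample_junk[] = {0x45, 0x00};                                     /* 69: in no range */

/* Runs the constructed datagrams through the dispatcher and returns the tally. */
demux_stats_t run_demux_sample(void)
{
    demux_stats_t st = {0, 0, 0, 0};
    dispatch_packet(&st, sample_stun, sizeof sample_stun);
    dispatch_packet(&st, sample_dtls, sizeof sample_dtls);
    dispatch_packet(&st, sample_rtp,  sizeof sample_rtp);
    dispatch_packet(&st, sample_rtcp, sizeof sample_rtcp);
    dispatch_packet(&st, sample_junk, sizeof sample_junk);
    dispatch_packet(&st, sample_junk, 0); /* empty datagram: dropped */
    return st;
}

int main(void)
{
    demux_stats_t st = run_demux_sample();
    printf("stun=%u dtls=%u rtp/rtcp=%u dropped=%u\n",
           st.stun, st.dtls, st.rtp, st.dropped);
    return 0;
}
```

Routing STUN away from OpenSSL is the point of the classifier: with a memory BIO pair, only PKT_DTLS bytes go into the read BIO, so OpenSSL never sees keep-alives, and libnice keeps seeing them, so its dropped-connection detection is not starved.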