use_srtp extension for DTLS

use_srtp extension for DTLS

Ben Browitt
DTLS is missing the use_srtp extension required for DTLS-SRTP [1].
What's the best way to add it?

We need to encode the extension in ssl_handshake.erl:
%% Body of use_srtp (RFC 5764 section 4.1): a 2-byte profile-list length,
%% one profile 0x0001 (SRTP_AES128_CM_HMAC_SHA1_80), then a 0-length MKI.
encode_hello_extensions([use_srtp | Rest], Acc) ->
    ExtData = <<0,2,0,1,0>>,
    Len = byte_size(ExtData),
    encode_hello_extensions(Rest, <<?UINT16(?USE_SRTP_EXT), ?UINT16(Len), ExtData/binary, Acc/binary>>).
https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L657

Define USE_SRTP_EXT in ssl_handshake.hrl:
-define(USE_SRTP_EXT, 14).

Add use_srtp to the hello_extensions record:
https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.hrl#L100

Add use_srtp to hello_extensions_list:
https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L1826

Add use_srtp to client_hello_extensions:
https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L968

Add use_srtp to the #ssl_options record:
https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_internal.hrl#L111

[1] https://tools.ietf.org/html/rfc5764#section-4.1

Thanks

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
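The body Ben hardcodes, <<0,2,0,1,0>>, is the RFC 5764 section 4.1 layout with one profile and an empty MKI. As an added example (not code from OTP's ssl application or from the poster; module and function names are invented), the following Erlang module generalises that to any profile list, decodes the extension with length checks, and performs the two negotiation checks a DTLS-SRTP endpoint needs: the server picks from the client's offer without quietly falling back to a NULL cipher, and the client rejects a ServerHello naming a profile it never offered.

```erlang
%% use_srtp_ext.erl: encode, decode and validate the use_srtp hello extension
%% as laid out in RFC 5764 section 4.1. Added illustration; not code from
%% OTP's ssl application, and the module and function names are invented.
-module(use_srtp_ext).
-export([encode/2, decode/1, select_profile/3, check_server_choice/2,
         profile_name/1, demo/0]).

%% ExtensionType value for use_srtp (IANA TLS ExtensionType registry).
-define(USE_SRTP_EXT, 14).

%% SRTPProtectionProfile codes from RFC 5764 (the NULL ones authenticate but
%% do not encrypt) and the AES-GCM profiles added by RFC 7714.
-define(SRTP_AES128_CM_HMAC_SHA1_80, 16#0001).
-define(SRTP_AES128_CM_HMAC_SHA1_32, 16#0002).
-define(SRTP_NULL_HMAC_SHA1_80,      16#0005).
-define(SRTP_NULL_HMAC_SHA1_32,      16#0006).
-define(SRTP_AEAD_AES_128_GCM,       16#0007).
-define(SRTP_AEAD_AES_256_GCM,       16#0008).

%% Whole extension: type(2) || length(2) || body, where
%% body = profiles_len(2) || profile(2)* || mki_len(1) || mki.
%% A single profile 16#0001 with an empty MKI gives the body from the post.
encode(Profiles, Mki) when is_list(Profiles), Profiles =/= [],
                           is_binary(Mki), byte_size(Mki) =< 255 ->
    ProfBin = << <<P:16>> || P <- Profiles >>,
    Body = <<(byte_size(ProfBin)):16, ProfBin/binary,
             (byte_size(Mki)):8, Mki/binary>>,
    <<?USE_SRTP_EXT:16, (byte_size(Body)):16, Body/binary>>.

%% Parse one extension. Every length field is matched against the bytes that
%% are actually present, no trailing bytes are tolerated, and the profile
%% list must be non-empty and an even number of bytes.
decode(<<?USE_SRTP_EXT:16, Len:16, Body:Len/binary>>) ->
    case Body of
        <<PLen:16, ProfBin:PLen/binary, MLen:8, Mki:MLen/binary>>
          when PLen > 0, PLen rem 2 =:= 0 ->
            {ok, [P || <<P:16>> <= ProfBin], Mki};
        _ ->
            {error, malformed_use_srtp}
    end;
decode(_) ->
    {error, not_use_srtp}.

%% Server side: walk the server's own preference list and take the first
%% profile the client offered. NULL-cipher profiles are skipped unless
%% AllowNull is true, so unencrypted RTP cannot be negotiated by accident.
select_profile(Offered, ServerPrefs, AllowNull) ->
    Usable = [P || P <- ServerPrefs,
                   lists:member(P, Offered),
                   AllowNull orelse not is_null_profile(P)],
    case Usable of
        [P | _] -> {ok, P};
        []      -> {error, no_common_profile}
    end.

%% Client side: the ServerHello extension must carry exactly one profile, and
%% it must be one the client offered; anything else is a protocol violation
%% and the handshake should be aborted rather than silently accepted.
check_server_choice(Offered, ServerExt) ->
    case decode(ServerExt) of
        {ok, [P], Mki} ->
            case lists:member(P, Offered) of
                true  -> {ok, P, Mki};
                false -> {error, {profile_not_offered, P}}
            end;
        {ok, _, _} ->
            {error, server_must_pick_one_profile};
        Error ->
            Error
    end.

is_null_profile(?SRTP_NULL_HMAC_SHA1_80) -> true;
is_null_profile(?SRTP_NULL_HMAC_SHA1_32) -> true;
is_null_profile(_)                       -> false.

profile_name(?SRTP_AES128_CM_HMAC_SHA1_80) -> "SRTP_AES128_CM_HMAC_SHA1_80";
profile_name(?SRTP_AES128_CM_HMAC_SHA1_32) -> "SRTP_AES128_CM_HMAC_SHA1_32";
profile_name(?SRTP_NULL_HMAC_SHA1_80)      -> "SRTP_NULL_HMAC_SHA1_80";
profile_name(?SRTP_NULL_HMAC_SHA1_32)      -> "SRTP_NULL_HMAC_SHA1_32";
profile_name(?SRTP_AEAD_AES_128_GCM)       -> "SRTP_AEAD_AES_128_GCM";
profile_name(?SRTP_AEAD_AES_256_GCM)       -> "SRTP_AEAD_AES_256_GCM";
profile_name(Code)                         -> {unknown_profile, Code}.

%% Round trip: client offers two profiles, server picks by its own order,
%% client verifies the echo; a server echoing an unoffered profile is refused.
demo() ->
    Offer = [?SRTP_AEAD_AES_128_GCM, ?SRTP_AES128_CM_HMAC_SHA1_80],
    {ok, Chosen} = select_profile(Offer, [?SRTP_AES128_CM_HMAC_SHA1_80,
                                          ?SRTP_AEAD_AES_128_GCM], false),
    {ok, Chosen, <<>>} = check_server_choice(Offer, encode([Chosen], <<>>)),
    {error, {profile_not_offered, _}} =
        check_server_choice(Offer, encode([?SRTP_NULL_HMAC_SHA1_80], <<>>)),
    profile_name(Chosen).
```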
Re: use_srtp extension for DTLS

Ben Browitt
USE_SRTP is defined in dtls_handshake.hrl [1] but it says it's not supported.
Are there plans to support it?

[1] https://github.com/erlang/otp/blob/master/lib/ssl/src/dtls_handshake.hrl#L64


Re: use_srtp extension for DTLS

Ingela Andin
Hi!

Sorry for the late answer. Yes, there are plans to include it. The extension is also part of TLS-1.3, which has priority over DTLS at the moment. We have already done some internal changes to extension handling to facilitate the implementation of TLS-1.3 and its co-existence with previous versions. This is in the first instance planned for OTP-22.

Regards, Ingela, Erlang/OTP Team - Ericsson AB


Re: use_srtp extension for DTLS

Andreas Schultz-3
Hi Ingela,

Ingela Andin <[hidden email]> wrote on Mon., 8 Oct. 2018 at 12:27:
> Hi!
>
> Sorry for the late answer. Yes, there are plans to include it. The extension is also part of TLS-1.3, which has priority over DTLS at the moment. We have already done

Can't speak for others, but I would prefer it if DTLS-1.3 were given the same priority as TLS-1.3.

Regards
Andreas

--
Dipl.-Inform. Andreas Schultz

----------------------- enabling your networks ----------------------
Travelping GmbH                     Phone:  +49-391-81 90 99 0
Roentgenstr. 13                     Fax:    +49-391-81 90 99 299
39108 Magdeburg                     Email:  [hidden email]
GERMANY                             Web:    http://www.travelping.com

Company Registration: Amtsgericht Stendal        Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann          VAT ID No.: DE236673780
---------------------------------------------------------------------

Re: use_srtp extension for DTLS

Ben Browitt
What about being able to handle DTLS, SRTP and STUN packets on the same UDP socket?
It would be best if I could create a UDP socket in my app, filter packets and pass only DTLS packets to the ssl socket/process.
Without this, DTLS in the ssl app can't be used for WebRTC connections.
Is this also planned?


Re: use_srtp extension for DTLS

Loïc Hoguin-3
This seems to be a similar issue to the one I have about tunneling TLS
connections through TLS proxies (particularly the HTTP/2 case), although
my proposed solution would probably not work in your case:
https://bugs.erlang.org/browse/ERL-728

Perhaps we need some kind of socket-less ssl connection process that we
feed directly and that sends us back whatever encrypted data needs to be
sent.


--
Loïc Hoguin
https://ninenines.eu

Re: use_srtp extension for DTLS

Andreas Schultz-3
Loïc Hoguin <[hidden email]> wrote on Mon., 8 Oct. 2018 at 13:39:
> This seems to be a similar issue to the one I have about tunneling TLS
> connections through TLS proxies (particularly the HTTP/2 case), although
> my proposed solution would probably not work in your case:
> https://bugs.erlang.org/browse/ERL-728

You can already use the cb_info option with a custom transport module to build that.

In theory, the SRTP and STUN over DTLS use case should be doable with that as well.
Ingela recently fixed a few things in the DTLS module [1] to make this work.

I always meant to port my CAPWAP DTLS use case to this, but haven't gotten the
time to actually do it.

Andreas


Re: use_srtp extension for DTLS

Ben Browitt
Andreas, any chance of some simple code showing how to handle SRTP/STUN/DTLS with client and server?



Re: use_srtp extension for DTLS

Loïc Hoguin-3
On 10/8/18 1:49 PM, Andreas Schultz wrote:

> You can already use the cb_info option with a custom transport module to
> build that.

Glad I posted. Thanks for the heads up, I'll experiment.


Re: use_srtp extension for DTLS

Andreas Schultz-3
Ben Browitt <[hidden email]> wrote on Mon., 8 Oct. 2018 at 13:54:
> Andreas, any chance of some simple code showing how to handle SRTP/STUN/DTLS with client and server?

No, sorry. I don't even have the time to convert my own code to the new DTLS module, let alone work on something else.

Andreas

On Mon, Oct 8, 2018 at 2:49 PM Andreas Schultz <[hidden email]> wrote:
Loïc Hoguin <[hidden email]> schrieb am Mo., 8. Okt. 2018 um 13:39 Uhr:
This seems to be a similar issue to the one I have about tunneling TLS
connections through TLS proxies (particularly the HTTP/2 case), although
my proposed solution would probably not work in your case:
https://bugs.erlang.org/browse/ERL-728

You can already use the cb_info option with a custom transport module to build that. 

In theory, the STRP and STUN over DTLS use case should be doable with that as well.
Ingela recently fixed a few things in the DTLS module recently [1] to make this work.

I always meant to port my CAPWAP DTLS use case to this, but havn't gotten the
time to actually to it.

Andreas




Perhaps we need some kind of socket-less ssl connection process that we
feed directly and that sends us back whatever encrypted data needs to be
sent.

On 10/8/18 1:08 PM, Ben Browitt wrote:
> What about being able to handle DTLS, STRP and STUN packets on the same
> UDP socket?
> It will be best if I could create a UDP socket in my app, filter packets
> and pass only DTLS packets to the ssl socket/process.
> Without this, DTLS in the ssl app can't be used for WebRTC connections.
> Is this also planned?
>
> On Mon, Oct 8, 2018 at 1:48 PM Andreas Schultz
> <[hidden email] <mailto:[hidden email]>>
> wrote:
>
>     Hi Ingela,
>
>     Ingela Andin <[hidden email]
>     <mailto:[hidden email]>> schrieb am Mo., 8. Okt. 2018 um
>     12:27 Uhr:
>
>         Hi!
>
>         Sorry for late answer. Yes there are plans to include it. It
>         extension is also part of TLS-1.3 that has priority over DTLS at
>         the moment. We have already  done
>
>
>     Can't speak for others, but I would prefer if DTLS-1.3 where give
>     the same priority as TLS-1.3.
>
>     Regards
>     Andreas
>
>         some internal changes to extension handling to facilitate the
>         implementation of TLS-1.3 and its co-existing with previous
>         versions.  This is in first hand planned for OTP-22.
>
>         Regards Ingela Erlang/OTP Team - Ericsson AB
>
>
>         Den mån 8 okt. 2018 kl 06:58 skrev Ben Browitt
>         <[hidden email] <mailto:[hidden email]>>:
>
>             USE_SRTP is defined in dtls_handshake.hrl [1] but it says
>             it's not supported.
>             Are there plans to support it?
>
>             [1]
>             https://github.com/erlang/otp/blob/master/lib/ssl/src/dtls_handshake.hrl#L64
>
>             On Mon, Oct 1, 2018 at 11:27 AM Ben Browitt
>             <[hidden email] <mailto:[hidden email]>> wrote:
>
>                 DTLS is missing the use_srtp extension required for
>                 DTLS-SRTP [1].
>                 What's the best way to add it?
>
>                 We need to encode the extension in ssl_handshake.erl
>                 encode_hello_extensions([use_srtp | Rest], Acc) ->
>                      ExtData = <<0,2,0,1,0>>,
>                      Len = byte_size(ExtData),
>                      encode_hello_extensions(Rest,
>                 <<?UINT16(?USE_SRTP_EXT), ?UINT16(Len), ExtData/binary,
>                 Acc/binary>>).
>                 https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L657
>
>                 Define USE_SRTP_EXT in ssl_handshake.hrl
>                 -define(USE_SRTP_EXT, 14).
>
>                 Add use_srtp to the hello_extensions record:
>                 https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.hrl#L100
>
>                 Add use_srtp to hello_extensions_list
>                 https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L1826
>
>                 Add use_srtp to client_hello_extensions
>                 https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L968
>
>                 Add use_srtp to the #ssl_options record
>                 https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_internal.hrl#L111
>
>                 [1] https://tools.ietf.org/html/rfc5764#section-4.1
>
>                 Thanks
>
>     --
>     Dipl.-Inform. Andreas Schultz
>
>     ----------------------- enabling your networks ----------------------
>     Travelping GmbH                     Phone:  +49-391-81 90 99 0
>     Roentgenstr. 13                     Fax:    +49-391-81 90 99 299
>     39108 Magdeburg                     Email:  [hidden email]
>     GERMANY                             Web:    http://www.travelping.com
>
>     Company Registration: Amtsgericht Stendal        Reg No.:   HRB 10578
>     Geschaeftsfuehrer: Holger Winkelmann          VAT ID No.: DE236673780
>     ---------------------------------------------------------------------
>

--
Loïc Hoguin
https://ninenines.eu
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
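The five bytes <<0,2,0,1,0>> in the quoted patch are the smallest valid use_srtp body (one profile, 0x0001, no MKI). The module below is an added example, not code from this thread or from OTP's ssl application, that encodes and parses the extension exactly as RFC 5764 section 4.1 lays it out and applies the checks both ends should make on it; the module and function names are my own.

```erlang
%% Added example (not OTP code): use_srtp extension, RFC 5764 section 4.1.
%% Module and function names are my own. Every length is checked so that a
%% truncated or oversized body is rejected instead of silently accepted.
-module(use_srtp_ext).
-export([encode/2, decode/1, select_profile/2, check_server_reply/2]).

-define(USE_SRTP_EXT, 14).   % extension type "use_srtp"

%% Profiles: non-empty list of 16-bit profile ids in preference order.
%% MKI: opaque srtp_mki<0..255>. Returns the whole extension: type, length, body.
encode(Profiles, MKI) when is_list(Profiles), Profiles =/= [],
                           is_binary(MKI), byte_size(MKI) =< 255 ->
    ProfBin = << <<P:16>> || P <- Profiles >>,
    Body = <<(byte_size(ProfBin)):16, ProfBin/binary,
             (byte_size(MKI)):8, MKI/binary>>,
    <<?USE_SRTP_EXT:16, (byte_size(Body)):16, Body/binary>>.

%% Parse one extension from the front of an extension list. The body must be
%% consumed exactly; an odd or zero profile length is a protocol error.
decode(<<?USE_SRTP_EXT:16, Len:16, Body:Len/binary, Rest/binary>>) ->
    case Body of
        <<PLen:16, ProfBin:PLen/binary, MLen:8, MKI:MLen/binary>>
          when PLen >= 2, PLen rem 2 =:= 0 ->
            {ok, {[P || <<P:16>> <= ProfBin], MKI}, Rest};
        _ ->
            {error, malformed_use_srtp}
    end;
decode(_) ->
    {error, not_use_srtp}.

%% Server side: first profile in the server's preference list that the client
%% offered; the reply must carry exactly that one profile.
select_profile([P | Prefs], Offered) ->
    case lists:member(P, Offered) of
        true  -> {ok, P};
        false -> select_profile(Prefs, Offered)
    end;
select_profile([], _Offered) ->
    {error, no_common_profile}.

%% Client side: accept the server's answer only if it names exactly one
%% profile we offered and its MKI is empty or equal to the one we sent.
check_server_reply({[Profile], ServerMKI}, {Offered, ClientMKI}) ->
    case lists:member(Profile, Offered) andalso
         (ServerMKI =:= <<>> orelse ServerMKI =:= ClientMKI) of
        true  -> {ok, Profile};
        false -> {error, bad_server_use_srtp}
    end;
check_server_reply(_, _) ->
    {error, bad_server_use_srtp}.
```

encode([16#0001], <<>>) yields <<0,14,0,5,0,2,0,1,0>>, the quoted <<0,2,0,1,0>> body behind the type/length header, and decode/1 returns {ok, {[1], <<>>}, <<>>} for it while rejecting a body whose declared lengths do not add up.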

Re: use_srtp extension for DTLS

Ingela Andin
In reply to this post by Andreas Schultz-3
Hi!

On Mon 8 Oct 2018 at 12:48 Andreas Schultz <[hidden email]> wrote:
Hi Ingela,

Ingela Andin <[hidden email]> wrote on Mon, 8 Oct 2018 at 12:27:
Hi!

Sorry for late answer. Yes there are plans to include it. The extension is also part of TLS-1.3 that has priority over DTLS at the moment. We have already done

Can't speak for others, but I would prefer if DTLS-1.3 were given the same priority as TLS-1.3.


Well, as DTLS is described as a diff against TLS, we kind of need the original first.

Regards Ingela Erlang/OTP team - Ericsson AB


Regards
Andreas

some internal changes to extension handling to facilitate the implementation of TLS-1.3 and its co-existing with previous versions.  This is in first hand planned for OTP-22. 

Regards Ingela Erlang/OTP Team - Ericsson AB

Re: use_srtp extension for DTLS

Ben Browitt
I'm trying to do something similar to what was suggested in this thread [1].
The suggested API from Andreas was:
%% Create a new passive SSL connection of given type, return an opaque identifier.
ssl:create_connection(Protocol :: 'stream' | 'datagram', Opts) -> ssl_connection_id().

%% Pass received SSL traffic into the connection,
%% Return error, ok or Data to return on the connection.
ssl:recv(Connection :: ssl_connection_id(), EncData :: binary()) ->
   {error, Error} | ok | {ok, {send, Data :: binary()}}.

%% Pass unencrypted traffic into the SSL app
ssl:send(Connection :: ssl_connection_id(), PlainText :: binary()) ->
  {error, Error} | ok | {ok, {send, EncData :: binary()}}.

%% The owner of the connection is then getting messages like:
%% - send encrypted data:
%%     {ssl, Connection :: connection_id(), {send, EncData :: binary()}}
%% - got plaintext data:
%%     {ssl, Connection :: connection_id(), {recv, PlainText :: binary()}}
%% - connection event:
%%     {ssl, Connection :: connection_id(), Event :: ssl_connection_event()}

Is there a plan to support this API?
If not, how can I use the cb_info option with a custom transport module to be able to handle DTLS with other protocols on the same socket?
