Skip to content

Make DTLS client certs configurable#985

Closed
jshanson7 wants to merge 1 commit into
algesten:mainfrom
jshanson7:codex/disable-dtls-client-cert-request
Closed

Make DTLS client certs configurable#985
jshanson7 wants to merge 1 commit into
algesten:mainfrom
jshanson7:codex/disable-dtls-client-cert-request

Conversation

@jshanson7

@jshanson7 jshanson7 commented Jun 24, 2026

Copy link
Copy Markdown

Make client certificate requests configurable for dimpl-backed DTLS.

Default stays true. This lets callers disable CertificateRequest when talking to Chrome/WebRTC over DTLS 1.3.

@algesten

Copy link
Copy Markdown
Owner

@jshanson7 in what situation would you want this?

Does libwebrtc allow you
to configure this?

@jshanson7

Copy link
Copy Markdown
Author

@jshanson7 in what situation would you want this?

Does libwebrtc allow you
to configure this?

@algesten hi! so with ice-lite and DTLS 1.3, dimpl sends a CertificateRequest and then chrome immediately aborts the handshake.

afaict the browser WebRTC API only lets you provide local RTCCertificates, not configure client auth. chrome doesn't seem to expose lower level libwebrtc options via RTCPeerConnection.

so this is basically an opt-out, with the default left unchanged.

happy to update this if you think there's a better approach.

@algesten

algesten commented Jun 24, 2026

Copy link
Copy Markdown
Owner

@xnorpx DTLS 1.3 does that change anything?

@jshanson7 i never heard of a WebRTC situation where you don't validate the remote certificate.

In standard SDP you send the fingerprint (hash) of the certificate and then during DTLS handshake you request remote cert and compare the fingerprint.

This is the basis for security since regular WebRTC uses self-signed certs.

Turning off remote cert is like saying "i don't care who you are" and it would be a very odd thing to do in regular WebRTC.

DTLS 1.2 or 1.3 shouldn't make
a difference. Nor should ice lite.

@jshanson7

Copy link
Copy Markdown
Author

makes sense. i think there must be a bug in either chrome or dimpl causing the dtls 1.3 handshake to fail. will see if i can track that down instead.

@jshanson7 jshanson7 closed this Jun 24, 2026
@jshanson7 jshanson7 deleted the codex/disable-dtls-client-cert-request branch June 24, 2026 16:57
@jshanson7

Copy link
Copy Markdown
Author

@algesten figured it out: algesten/dimpl#153

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants