Make DTLS client certs configurable#985
Conversation
|
@jshanson7 in what situation would you want this? Does libwebrtc allow you |
@algesten hi! so with ice-lite and DTLS 1.3, dimpl sends a afaict the browser WebRTC API only lets you provide local so this is basically an opt-out, with the default left unchanged. happy to update this if you think there's a better approach. |
|
@xnorpx DTLS 1.3 does that change anything? @jshanson7 i never heard of a WebRTC situation where you don't validate the remote certificate. In standard SDP you send the fingerprint (hash) of the certificate and then during DTLS handshake you request remote cert and compare the fingerprint. This is the basis for security since regular WebRTC uses self-signed certs. Turning off remote cert is like saying "i don't care who you are" and it would be a very odd thing to do in regular WebRTC. DTLS 1.2 or 1.3 shouldn't make |
|
makes sense. i think there must be a bug in either chrome or dimpl causing the dtls 1.3 handshake to fail. will see if i can track that down instead. |
|
@algesten figured it out: algesten/dimpl#153 |
Make client certificate requests configurable for dimpl-backed DTLS.
Default stays true. This lets callers disable
CertificateRequestwhen talking to Chrome/WebRTC over DTLS 1.3.