-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: dtls connection using mbedtls #10
Conversation
Could you also create issues for the TODOs described in https://github.com/status-im/nim-mbedtls? It seems to me they need to be worked on before we say this work has been completed. |
What DTLS version is https://github.com/status-im/nim-mbedtls using? |
webrtc/dtls/dtls_connection.nim
Outdated
# Mbed-TLS contexts | ||
ctx: MbedTLSCtx | ||
|
||
proc verify(ctx: pointer, pcert: ptr mbedtls_x509_crt, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading the implementation, I find it unclear how it verifies the certificate's validity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hum... it's because the name verify
is wrong. We use this callback because we need to retrieve the remote certificate from the peer (for the DataChannel). It's the solution I found to retrieve it, after this callback, the certificate is not stored.
I change the name to make it clearer!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
webrtc/dtls/dtls_connection.nim
Outdated
of AddressFamily.IPv6: | ||
mb_ssl_set_client_transport_id(self.ctx.ssl, self.raddr.address_v6) | ||
else: | ||
doAssert(false, "Should never happen") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doAssert(false, "Should never happen") | |
raiseAssert("Remote address must be IPv4 or IPv6") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, great job.
Presentation
This PR is part of the stack to create the nim-libp2p webrtc-direct transport (defined here: https://github.com/libp2p/specs/blob/master/webrtc/webrtc-direct.md).
For this PR, we do not implement the full DTLS protocol, we are using the library MBed-TLS (nim wrapper: https://github.com/status-im/nim-mbedtls / C-library https://github.com/Mbed-TLS/mbedtls) to create and use a DTLS connection.
DTLS
DTLS is a protocol designed to provide the same security features as TLS, but for UDP applications. It secures communications over UDP, which is inherently unreliable and connectionless. By using DTLS, WebRTC ensures that all data streams are encrypted and secure from potential eavesdropping, tampering, and other security threats.