143 lines
6.3 KiB
HTML
Executable File
143 lines
6.3 KiB
HTML
Executable File
<?xml version="1.0" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>SSL_CTX_set_tlsext_use_srtp</title>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
|
<link rev="made" href="mailto:root@localhost" />
|
|
</head>
|
|
|
|
<body style="background-color: white">
|
|
|
|
|
|
<!-- INDEX BEGIN -->
|
|
<div name="index">
|
|
<p><a name="__index__"></a></p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#name">NAME</a></li>
|
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
|
<li><a href="#description">DESCRIPTION</a></li>
|
|
<li><a href="#return_values">RETURN VALUES</a></li>
|
|
<li><a href="#see_also">SEE ALSO</a></li>
|
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
|
</ul>
|
|
|
|
<hr name="index" />
|
|
</div>
|
|
<!-- INDEX END -->
|
|
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="name">NAME</a></h1>
|
|
<p>SSL_CTX_set_tlsext_use_srtp,
|
|
SSL_set_tlsext_use_srtp,
|
|
SSL_get_srtp_profiles,
|
|
SSL_get_selected_srtp_profile
|
|
- Configure and query SRTP support</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
|
<pre>
|
|
#include <openssl/srtp.h></pre>
|
|
<pre>
|
|
int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
|
|
int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);</pre>
|
|
<pre>
|
|
STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
|
|
SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);</pre>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="description">DESCRIPTION</a></h1>
|
|
<p>SRTP is the Secure Real-Time Transport Protocol. OpenSSL implements support for
|
|
the "use_srtp" DTLS extension defined in <a href="http://www.ietf.org/rfc/rfc5764.txt" class="rfc">RFC5764</a>. This provides a mechanism for
|
|
establishing SRTP keying material, algorithms and parameters using DTLS. This
|
|
capability may be used as part of an implementation that conforms to <a href="http://www.ietf.org/rfc/rfc5763.txt" class="rfc">RFC5763</a>.
|
|
OpenSSL does not implement SRTP itself or <a href="http://www.ietf.org/rfc/rfc5763.txt" class="rfc">RFC5763</a>. Note that OpenSSL does not
|
|
support the use of SRTP Master Key Identifiers (MKIs). Also note that this
|
|
extension is only supported in DTLS. Any SRTP configuration will be ignored if a
|
|
TLS connection is attempted.</p>
|
|
<p>An OpenSSL client wishing to send the "use_srtp" extension should call
|
|
<code>SSL_CTX_set_tlsext_use_srtp()</code> to set its use for all SSL objects subsequently
|
|
created from an SSL_CTX. Alternatively a client may call
|
|
<code>SSL_set_tlsext_use_srtp()</code> to set its use for an individual SSL object. The
|
|
<strong>profiles</strong> parameters should point to a NUL-terminated, colon delimited list of
|
|
SRTP protection profile names.</p>
|
|
<p>The currently supported protection profile names are:</p>
|
|
<dl>
|
|
<dt><strong><a name="srtp_aes128_cm_sha1_80" class="item">SRTP_AES128_CM_SHA1_80</a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in <a href="http://www.ietf.org/rfc/rfc5764.txt" class="rfc">RFC5764</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="srtp_aes128_cm_sha1_32" class="item">SRTP_AES128_CM_SHA1_32</a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in <a href="http://www.ietf.org/rfc/rfc5764.txt" class="rfc">RFC5764</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="srtp_aead_aes_128_gcm" class="item">SRTP_AEAD_AES_128_GCM</a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This corresponds to the profile of the same name defined in <a href="http://www.ietf.org/rfc/rfc7714.txt" class="rfc">RFC7714</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="srtp_aead_aes_256_gcm" class="item">SRTP_AEAD_AES_256_GCM</a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This corresponds to the profile of the same name defined in <a href="http://www.ietf.org/rfc/rfc7714.txt" class="rfc">RFC7714</a>.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>Supplying an unrecognised protection profile name will result in an error.</p>
|
|
<p>An OpenSSL server wishing to support the "use_srtp" extension should also call
|
|
<code>SSL_CTX_set_tlsext_use_srtp()</code> or <code>SSL_set_tlsext_use_srtp()</code> to indicate the
|
|
protection profiles that it is willing to negotiate.</p>
|
|
<p>The currently configured list of protection profiles for either a client or a
|
|
server can be obtained by calling <code>SSL_get_srtp_profiles()</code>. This returns a stack
|
|
of SRTP_PROTECTION_PROFILE objects. The memory pointed to in the return value of
|
|
this function should not be freed by the caller.</p>
|
|
<p>After a handshake has been completed the negotiated SRTP protection profile (if
|
|
any) can be obtained (on the client or the server) by calling
|
|
<code>SSL_get_selected_srtp_profile()</code>. This function will return NULL if no SRTP
|
|
protection profile was negotiated. The memory returned from this function should
|
|
not be freed by the caller.</p>
|
|
<p>If an SRTP protection profile has been successfully negotiated then the SRTP
|
|
keying material (on both the client and server) should be obtained via a call to
|
|
<em>SSL_export_keying_material(3)</em>. This call should provide a label value of
|
|
"EXTRACTOR-dtls_srtp" and a NULL context value (use_context is 0). The total
|
|
length of keying material obtained should be equal to two times the sum of the
|
|
master key length and the salt length as defined for the protection profile in
|
|
use. This provides the client write master key, the server write master key, the
|
|
client write master salt and the server write master salt in that order.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="return_values">RETURN VALUES</a></h1>
|
|
<p><code>SSL_CTX_set_tlsext_use_srtp()</code> and <code>SSL_set_tlsext_use_srtp()</code> return 0 on success
|
|
or 1 on error.</p>
|
|
<p><code>SSL_get_srtp_profiles()</code> returns a stack of SRTP_PROTECTION_PROFILE objects on
|
|
success or NULL on error or if no protection profiles have been configured.</p>
|
|
<p><code>SSL_get_selected_srtp_profile()</code> returns a pointer to an SRTP_PROTECTION_PROFILE
|
|
object if one has been negotiated or NULL otherwise.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
|
<p><em>ssl(7)</em>,
|
|
<em>SSL_export_keying_material(3)</em></p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
|
<p>Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
|
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
|
|
|
</body>
|
|
|
|
</html>
|