Blame doc/man3/SSL_CTX_set_tlsext_use_srtp.pod

=pod

=head1 NAME

SSL_CTX_set_tlsext_use_srtp,
SSL_set_tlsext_use_srtp,
SSL_get_srtp_profiles,
SSL_get_selected_srtp_profile
- Configure and query SRTP support

=head1 SYNOPSIS

 #include <openssl/srtp.h>

 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
 int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);

 STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
 SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);

=head1 DESCRIPTION

SRTP is the Secure Real-Time Transport Protocol. OpenSSL implements support for
the "use_srtp" DTLS extension defined in RFC5764. This provides a mechanism for
establishing SRTP keying material, algorithms and parameters using DTLS. This
capability may be used as part of an implementation that conforms to RFC5763.
OpenSSL does not implement SRTP itself or RFC5763. Note that OpenSSL does not
support the use of SRTP Master Key Identifiers (MKIs). Also note that this
extension is only supported in DTLS. Any SRTP configuration will be ignored if a
TLS connection is attempted.

An OpenSSL client wishing to send the "use_srtp" extension should call
SSL_CTX_set_tlsext_use_srtp() to set its use for all SSL objects subsequently
created from an SSL_CTX. Alternatively a client may call
SSL_set_tlsext_use_srtp() to set its use for an individual SSL object. The
B<profiles> parameters should point to a NUL-terminated, colon delimited list of
SRTP protection profile names.

The currently supported protection profile names are:

=over 4

=item SRTP_AES128_CM_SHA1_80

This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC5764.

=item SRTP_AES128_CM_SHA1_32

This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC5764.

=item SRTP_AEAD_AES_128_GCM

This corresponds to the profile of the same name defined in RFC7714.

=item SRTP_AEAD_AES_256_GCM

This corresponds to the profile of the same name defined in RFC7714.

=back

Supplying an unrecognised protection profile name will result in an error.

An OpenSSL server wishing to support the "use_srtp" extension should also call
SSL_CTX_set_tlsext_use_srtp() or SSL_set_tlsext_use_srtp() to indicate the
protection profiles that it is willing to negotiate.

The currently configured list of protection profiles for either a client or a
server can be obtained by calling SSL_get_srtp_profiles(). This returns a stack
of SRTP_PROTECTION_PROFILE objects. The memory pointed to in the return value of
this function should not be freed by the caller.

After a handshake has been completed the negotiated SRTP protection profile (if
any) can be obtained (on the client or the server) by calling
SSL_get_selected_srtp_profile(). This function will return NULL if no SRTP
protection profile was negotiated. The memory returned from this function should
not be freed by the caller.

If an SRTP protection profile has been successfully negotiated then the SRTP
keying material (on both the client and server) should be obtained via a call to
L<SSL_export_keying_material(3)>. This call should provide a label value of
"EXTRACTOR-dtls_srtp" and a NULL context value (use_context is 0). The total
length of keying material obtained should be equal to two times the sum of the
master key length and the salt length as defined for the protection profile in
use. This provides the client write master key, the server write master key, the
client write master salt and the server write master salt in that order.

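The key layout described above, as an added example that is not part of the OpenSSL documentation or source: plain C helpers (the names srtp_export_len() and srtp_split() are hypothetical) that compute the length to request from SSL_export_keying_material() for each listed profile and split the exported buffer into the four values. The key and salt lengths are assumptions taken from RFC 5764 and RFC 7714, not from this page.

```c
#include <stddef.h>
#include <string.h>

/* Master key / master salt lengths in bytes (assumed from RFC 5764 for the
 * AES-CM profiles and RFC 7714 for the AEAD profiles). */
struct srtp_len { const char *name; size_t key, salt; };
static const struct srtp_len SRTP_LENS[] = {
    { "SRTP_AES128_CM_SHA1_80", 16, 14 },
    { "SRTP_AES128_CM_SHA1_32", 16, 14 },
    { "SRTP_AEAD_AES_128_GCM",  16, 12 },
    { "SRTP_AEAD_AES_256_GCM",  32, 12 },
};

/* Views into the exported buffer; nothing is copied. */
struct srtp_keys {
    const unsigned char *client_key, *server_key, *client_salt, *server_salt;
    size_t key_len, salt_len;
};

static const struct srtp_len *srtp_lookup(const char *name)
{
    size_t i, n = sizeof(SRTP_LENS) / sizeof(SRTP_LENS[0]);
    for (i = 0; name != NULL && i < n; i++)
        if (strcmp(name, SRTP_LENS[i].name) == 0)
            return &SRTP_LENS[i];
    return NULL;
}

/* Bytes to request from the exporter: 2 * (key + salt); 0 if unknown. */
size_t srtp_export_len(const char *name)
{
    const struct srtp_len *p = srtp_lookup(name);
    return p ? 2 * (p->key + p->salt) : 0;
}

/* Split km in the documented order: client key, server key, client salt,
 * server salt. Returns 0 on success, -1 on unknown profile or bad length. */
int srtp_split(const char *name, const unsigned char *km, size_t km_len,
               struct srtp_keys *out)
{
    const struct srtp_len *p = srtp_lookup(name);
    if (p == NULL || km == NULL || out == NULL
        || km_len != 2 * (p->key + p->salt))
        return -1;
    out->key_len = p->key;
    out->salt_len = p->salt;
    out->client_key = km;
    out->server_key = km + p->key;
    out->client_salt = km + 2 * p->key;
    out->server_salt = km + 2 * p->key + p->salt;
    return 0;
}
```

In an application the profile name would come from the name field of the SRTP_PROTECTION_PROFILE returned by SSL_get_selected_srtp_profile(), and km from SSL_export_keying_material() called with the label "EXTRACTOR-dtls_srtp".
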
=head1 RETURN VALUES

SSL_CTX_set_tlsext_use_srtp() and SSL_set_tlsext_use_srtp() return 0 on success
or 1 on error.

SSL_get_srtp_profiles() returns a stack of SRTP_PROTECTION_PROFILE objects on
success or NULL on error or if no protection profiles have been configured.

SSL_get_selected_srtp_profile() returns a pointer to an SRTP_PROTECTION_PROFILE
object if one has been negotiated or NULL otherwise.

=head1 SEE ALSO

L<SSL_export_keying_material(3)>

=head1 COPYRIGHT

Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut