Generate random Serial Number in DTLS cert #44
Merged
This should fix elixir-webrtc/ex_webrtc#127
Firefox requires two different peer connections to have unique (CN, SN) DTLS cert tuples OR if they are not unique, the whole cert has to be exactly the same. See here for more.
As a result, we cannot e.g. open multiple tabs in Reco or Broadcaster demo applications - only the first one will successfully establish a connection.
So far, we have been using the same CN and SN (because we are generating a self-signed cert) but some implementations generate a random SN. See Mediasoup or Janus.
We have two options:
The first option does not solve the problem when we want to run multiple ExWebRTC services simultaneously - we would have to configure those services with the same DTLS key/cert pair, which is inconvenient and insecure. Even using the same cert for two different PCs in the same service isn't the best practice. The cert option in the PC config was introduced because of slower devices where generating a DTLS cert might take some time. In such a case, the DTLS cert can be generated upfront and used when needed.
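The behaviour described above, as an added example that is not part of the PR or of the ex_dtls/ex_webrtc code base: it uses the Python `cryptography` library instead of the project's Elixir/OpenSSL code, builds self-signed certificates with a random serial number that stays within the RFC 5280 limit (positive, at most 20 DER octets), and models the Firefox rule quoted in the description as a function (`accepted_together`) that accepts a set of certificates only if every repeated (CN, SN) tuple belongs to byte-identical certificates. The `serial=1` path reproduces the pre-fix situation of two distinct certificates sharing the same CN and SN; the CN "WebRTC" and the helper names are assumptions for the example.

```python
"""Self-signed DTLS certificates with random serial numbers (added example)."""
import datetime
import os

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def random_serial() -> int:
    # RFC 5280 4.1.2.2: the serial is a positive integer of at most 20 octets.
    # 20 random bytes shifted right by one bit gives 159 bits, so the DER
    # encoding needs no leading zero octet and never exceeds 20 bytes.
    return int.from_bytes(os.urandom(20), "big") >> 1


def generate_self_signed(cn="WebRTC", serial=None, days=365):
    """Return (private_key, certificate) for a self-signed DTLS identity.

    serial=None draws a fresh random serial (the fix); a fixed value such as
    serial=1 reproduces the pre-fix behaviour of a constant SN.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(random_serial() if serial is None else serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def identity(cert):
    """(CN, SN) tuple, the key the PR description says Firefox deduplicates on."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn, cert.serial_number


def accepted_together(certs):
    """Model of the rule in the description: certificates that share a (CN, SN)
    tuple are acceptable only if they are byte-for-byte the same certificate."""
    seen = {}
    for cert in certs:
        der = cert.public_bytes(serialization.Encoding.DER)
        key = identity(cert)
        if key in seen and seen[key] != der:
            return False
        seen[key] = der
    return True


if __name__ == "__main__":
    _, a = generate_self_signed()
    _, b = generate_self_signed()
    print("random serials:", identity(a), identity(b), accepted_together([a, b]))
    _, c = generate_self_signed(serial=1)
    _, d = generate_self_signed(serial=1)
    print("constant serial:", identity(c), identity(d), accepted_together([c, d]))
```

Two certificates generated with `serial=None` always differ in their (CN, SN) tuple and pass `accepted_together`, while two fresh certificates built with `serial=1` collide and are rejected, which is the failure the PR fixes; reusing one and the same certificate object twice is still accepted, matching the "whole cert has to be exactly the same" clause.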