DTLS (state of) in 1.59 vs 1.55/6

DTLS (state of) in 1.59 vs 1.55/6

Mondain
I recently switched to BC 1.59 in my project which supports server-side WebRTC; in short, it broke. Previously we used BC 1.55 and 1.56 to great success. So before I go down the road of implementing whatever is required to make BC 1.59 work, I'd like to know if anyone has comments or concerns about DTLS support in 1.59: is it feature-complete? Are there known issues? Obviously I'll review the unit tests to see how it's configured (assuming they're good-to-go), but any feedback would be great.

Best Regards,
Paul Gregoire

Re: DTLS (state of) in 1.59 vs 1.55/6

Tim Panton
I’ve just made the same switch - and got bitten by the fact that in 1.59 you can only call TlsContext.exportKeyingMaterial()
when _inside_ notifyHandshakeComplete(); calling it any time later results in a null pointer.

So there are some internal differences, but it seems to be working ok now I’ve nailed that down.

T.


> On 26 Mar 2018, at 16:50, Mondain <[hidden email]> wrote:
>
> I recently switched to BC 1.59 in my project which supports server-side WebRTC; in short, it broke. Previously we used BC 1.55 and 1.56 to great success. So before I go down the road of implementing whatever is required to make BC 1.59 work, I'd like to know if anyone has comments or concerns about DTLS support in 1.59: is it feature-complete? Are there known issues? Obviously I'll review the unit tests to see how it's configured (assuming they're good-to-go), but any feedback would be great.
>
> Best Regards,
> Paul Gregoire
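
The ordering constraint reported in the message above matters for DTLS-SRTP (the WebRTC case), where the SRTP master keys come from the TLS exporter. The following is an added example, not code from this thread or from the Bouncy Castle project: it exports the keying material inside `notifyHandshakeComplete()` and keeps copies for later use. The class name is hypothetical, the SRTP profile is assumed to be SRTP_AES128_CM_HMAC_SHA1_80, and server credentials and `use_srtp` negotiation are assumed to be handled elsewhere.

```java
import java.io.IOException;
import java.util.Arrays;

import org.bouncycastle.tls.DefaultTlsServer;
import org.bouncycastle.tls.ExporterLabel;
import org.bouncycastle.tls.crypto.TlsCrypto;

// Added example; class name is hypothetical. Credentials and use_srtp
// extension handling are assumed to live in a subclass or elsewhere.
public class SrtpExportingDtlsServer extends DefaultTlsServer {
    // Assumed profile: SRTP_AES128_CM_HMAC_SHA1_80 (RFC 5764)
    private static final int KEY_LEN = 16;
    private static final int SALT_LEN = 14;

    private byte[] clientKey, serverKey, clientSalt, serverSalt;

    public SrtpExportingDtlsServer(TlsCrypto crypto) {
        super(crypto);
    }

    @Override
    public void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        // Export now: the message above reports a null pointer in 1.59
        // when exportKeyingMaterial() is called after this callback returns.
        byte[] km = context.exportKeyingMaterial(
            ExporterLabel.dtls_srtp, null, 2 * (KEY_LEN + SALT_LEN));
        try {
            // RFC 5764 section 4.2 layout:
            // client key | server key | client salt | server salt
            int saltBase = 2 * KEY_LEN;
            clientKey = Arrays.copyOfRange(km, 0, KEY_LEN);
            serverKey = Arrays.copyOfRange(km, KEY_LEN, saltBase);
            clientSalt = Arrays.copyOfRange(km, saltBase, saltBase + SALT_LEN);
            serverSalt = Arrays.copyOfRange(km, saltBase + SALT_LEN, km.length);
        } finally {
            Arrays.fill(km, (byte) 0); // do not leave the combined block in memory
        }
    }

    // Returns {key, salt} for the side that sends (client = remote peer here).
    public byte[][] srtpMaster(boolean clientSide) {
        if (clientKey == null) {
            throw new IllegalStateException("DTLS handshake not complete");
        }
        return clientSide
            ? new byte[][] { clientKey.clone(), clientSalt.clone() }
            : new byte[][] { serverKey.clone(), serverSalt.clone() };
    }
}
```

Code that previously called `exportKeyingMaterial()` after the handshake returned can read the stored copies through `srtpMaster()` instead.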



Re: DTLS (state of) in 1.59 vs 1.55/6

Peter Dettman-3
Hi Mondain,

There's no reason in principle that it shouldn't be a simple upgrade.
1.59 is a direct evolution from 1.56, with a few extra TLS features
added, and some tighter checks here and there.

If you are additionally migrating from the legacy
org.bouncycastle.crypto.tls package to org.bouncycastle.tls package
implementation there could be minor teething issues related to API
changes (there aren't many).

Regards,
Pete Dettman

On 26/3/18 10:50 pm, Mondain wrote:

> I recently switched to BC 1.59 in my project which supports server-side
> WebRTC; in short, it broke. Previously we used BC 1.55 and 1.56 to great
> success. So before I go down the road of implementing whatever is
> required to make BC 1.59 work, I'd like to know if anyone has comments
> or concerns about DTLS support in 1.59: is it feature-complete? Are
> there known issues? Obviously I'll review the unit tests to see how it's
> configured (assuming they're good-to-go), but any feedback would be great.
>
> Best Regards,
> Paul Gregoire



Re: DTLS (state of) in 1.59 vs 1.55/6

Peter Dettman-3
Migration is advised, since _crypto.tls will be removed in due course.
Security-related fixes would still be backported there, but most new TLS
work is not.

On 29/3/18 9:43 pm, Mondain wrote:
> Peter, do you know if migration from org.bouncycastle.crypto.tls to
> org.bouncycastle.tls is expected when moving beyond 1.55?

Regards,
Pete Dettman