Adding support for cipher suite selection in websockets transport #2135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Merge to master
changes and additions to mutex unlocking in textroom and videoroom plugins to improve stability
adding support for existing screenshareFrameRate property as well as new screenshareHeight and screenshareWidth properties in getDisplayMedia
removing default Janus screenshare frame rate and allowing browser to determine default code style updates
lminiero
reviewed
May 5, 2020
| certificates: { | ||
| #cert_pem = "/path/to/cert.pem" | ||
| #cert_key = "/path/to/key.pem" | ||
| #cert_pwd = "secretpassphrase" | ||
| #ciphers = "DEFAULT" |
There was a problem hiding this comment.
I'd probably set a reasonable default here, like the one we have in the HTTP config file; something that gives people an idea of what the syntax looks like. The example you made in the description may be too long for that, but something along those lines maybe.
There was a problem hiding this comment.
I've updated the example cipher string to the two ECDHE ciphers that are supported universally across all modern browsers, and I've linked out to the OWASP page with additional details on cipher strings and browser compatibility.
|
Thanks, merging! 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is modeled after the commits from #1219 and adds cipher suite selection for the websockets transport by setting 'ssl_cipher_list' on the 'lws_context_creation_info' struct to a 'ciphers' value in the websocket transport config. If this value isn't configured, a null is passed in and there is no behavior change. We've tested it with the cipher suites recommended by OWASP for secure protocols and everything is working as expected.
Example config:
ciphers = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";