WebRTC uses DTLS in two ways:
- to negotiate keys for SRTP encryption using DTLS-SRTP
- as a transport for SCTP which is used by the Datachannel API
The W3C WebRTC API represents this as the DtlsTransport.
The DTLS handshake happens after the ICE transport becomes writable and has
found a valid pair. It results in a set of keys being derived for DTLS-SRTP as
well as a fingerprint of the remote certificate which is compared to the one
given in the SDP a=fingerprint: line.
This documentation provides an overview of how DTLS is implemented, i.e how the following classes interact.
The webrtc::DtlsTransport class is a wrapper around the
cricket::DtlsTransportInternal and allows registering observers implementing
the webrtc::DtlsTransportObserverInterface. The
webrtc::DtlsTransportObserverInterface will provide updates to the
observers, passing around a snapshot of the transports state such as the
connection state, the remote certificate(s) and the SRTP ciphers as
DtlsTransportInformation.
The cricket::DtlsTransportInternal class is an interface. Its
implementation is cricket::DtlsTransport. The cricket::DtlsTransport
sends and receives network packets via an ICE transport. It also demultiplexes
DTLS packets and SRTP packets according to the scheme described in
RFC 5764.
The webrtc::DtlsSrtpTransport class is responsіble for extracting the
SRTP keys after the DTLS handshake as well as protection and unprotection of
SRTP packets via its cricket::SrtpSession.