Revert "Add SSLConfig object to IceServer."
This reverts commit 4f085434b912060874d6697f17aaedd2adae7c49.
Reason for revert: breaks downstream projects.
Original change's description:
> Add SSLConfig object to IceServer.
>
> This is a rollforward of https://webrtc-review.googlesource.com/c/src/+/96020,
> with the addition of setting the old tlsCertPolicy, tlsAlpnProtocols and
> tlsEllipticCurves in the RTCIceServer initializer, for backwards compatibility.
>
> Bug: webrtc:9662
> Change-Id: I28706ed4ff5abe3f7f913f105779f0e5412aeac5
> Reviewed-on: https://webrtc-review.googlesource.com/98762
> Commit-Queue: Diogo Real <diogor@google.com>
> Reviewed-by: Sami Kalliomäki <sakal@webrtc.org>
> Reviewed-by: Kári Helgason <kthelgason@webrtc.org>
> Reviewed-by: Steve Anton <steveanton@webrtc.org>
> Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#24696}
TBR=steveanton@webrtc.org,sakal@webrtc.org,kwiberg@webrtc.org,kthelgason@webrtc.org,qingsi@webrtc.org,benwright@webrtc.org,diogor@google.com
Change-Id: I1cb64b63fec688b4ac90c2fa368eaf0bc11046af
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: webrtc:9662
Reviewed-on: https://webrtc-review.googlesource.com/99880
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Commit-Queue: Sergey Silkin <ssilkin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#24701}diff --git a/api/peerconnectioninterface.h b/api/peerconnectioninterface.h
index c6e5a25..1c32b69 100644
--- a/api/peerconnectioninterface.h
+++ b/api/peerconnectioninterface.h
@@ -112,7 +112,6 @@
#include "rtc_base/rtccertificate.h"
#include "rtc_base/rtccertificategenerator.h"
#include "rtc_base/socketaddress.h"
-#include "rtc_base/ssladapter.h"
#include "rtc_base/sslcertificate.h"
#include "rtc_base/sslstreamadapter.h"
@@ -188,7 +187,6 @@
kIceConnectionMax,
};
- // Deprecated. TODO(diogor, webrtc:9673): Remove from API.
// TLS certificate policy.
enum TlsCertPolicy {
// For TLS based protocols, ensure the connection is secure by not
@@ -213,29 +211,23 @@
std::vector<std::string> urls;
std::string username;
std::string password;
- // Deprecated. rtc::SSLConfig should be used instead.
TlsCertPolicy tls_cert_policy = kTlsCertPolicySecure;
// If the URIs in |urls| only contain IP addresses, this field can be used
// to indicate the hostname, which may be necessary for TLS (using the SNI
// extension). If |urls| itself contains the hostname, this isn't
// necessary.
std::string hostname;
- // Deprecated. rtc::SSLConfig should be used instead.
// List of protocols to be used in the TLS ALPN extension.
std::vector<std::string> tls_alpn_protocols;
- // Deprecated. rtc::SSLConfig should be used instead.
// List of elliptic curves to be used in the TLS elliptic curves extension.
std::vector<std::string> tls_elliptic_curves;
- // SSL configuration options for any SSL/TLS connections to this IceServer.
- rtc::SSLConfig ssl_config;
bool operator==(const IceServer& o) const {
return uri == o.uri && urls == o.urls && username == o.username &&
password == o.password && tls_cert_policy == o.tls_cert_policy &&
hostname == o.hostname &&
tls_alpn_protocols == o.tls_alpn_protocols &&
- tls_elliptic_curves == o.tls_elliptic_curves &&
- ssl_config == o.ssl_config;
+ tls_elliptic_curves == o.tls_elliptic_curves;
}
bool operator!=(const IceServer& o) const { return !(*this == o); }
};
diff --git a/p2p/base/basicpacketsocketfactory.cc b/p2p/base/basicpacketsocketfactory.cc
index c80a408..b7eb8ed 100644
--- a/p2p/base/basicpacketsocketfactory.cc
+++ b/p2p/base/basicpacketsocketfactory.cc
@@ -157,7 +157,12 @@
return NULL;
}
- ssl_adapter->SetSSLConfig(tcp_options.ssl_config);
+ if (tlsOpts & PacketSocketFactory::OPT_TLS_INSECURE) {
+ ssl_adapter->SetIgnoreBadCert(true);
+ }
+
+ ssl_adapter->SetAlpnProtocols(tcp_options.tls_alpn_protocols);
+ ssl_adapter->SetEllipticCurves(tcp_options.tls_elliptic_curves);
ssl_adapter->SetCertVerifier(tcp_options.tls_cert_verifier);
socket = ssl_adapter;
diff --git a/p2p/base/packetsocketfactory.h b/p2p/base/packetsocketfactory.h
index bbde113..4667bb1 100644
--- a/p2p/base/packetsocketfactory.h
+++ b/p2p/base/packetsocketfactory.h
@@ -14,10 +14,8 @@
#include <string>
#include <vector>
-#include "absl/types/optional.h"
#include "rtc_base/constructormagic.h"
#include "rtc_base/proxyinfo.h"
-#include "rtc_base/ssladapter.h"
#include "rtc_base/sslcertificate.h"
namespace rtc {
@@ -28,12 +26,11 @@
~PacketSocketTcpOptions();
int opts = 0;
+ std::vector<std::string> tls_alpn_protocols;
+ std::vector<std::string> tls_elliptic_curves;
// An optional custom SSL certificate verifier that an API user can provide to
// inject their own certificate verification logic.
SSLCertificateVerifier* tls_cert_verifier = nullptr;
-
- // SSL configuration options.
- rtc::SSLConfig ssl_config;
};
class AsyncPacketSocket;
diff --git a/p2p/base/port_unittest.cc b/p2p/base/port_unittest.cc
index b2fe9d0..5aaf315 100644
--- a/p2p/base/port_unittest.cc
+++ b/p2p/base/port_unittest.cc
@@ -537,7 +537,8 @@
return TurnPort::Create(
&main_, socket_factory, MakeNetwork(addr), 0, 0, username_, password_,
ProtocolAddress(server_addr, int_proto), kRelayCredentials, 0,
- std::string(), nullptr, rtc::SSLConfig(), nullptr);
+ std::string(), std::vector<std::string>(), std::vector<std::string>(),
+ nullptr, nullptr);
}
RelayPort* CreateGturnPort(const SocketAddress& addr,
ProtocolType int_proto,
diff --git a/p2p/base/portallocator.h b/p2p/base/portallocator.h
index 356b1f1..8bd7096 100644
--- a/p2p/base/portallocator.h
+++ b/p2p/base/portallocator.h
@@ -20,7 +20,6 @@
#include "p2p/base/portinterface.h"
#include "rtc_base/helpers.h"
#include "rtc_base/proxyinfo.h"
-#include "rtc_base/ssladapter.h"
#include "rtc_base/sslcertificate.h"
#include "rtc_base/third_party/sigslot/sigslot.h"
#include "rtc_base/thread.h"
@@ -119,6 +118,17 @@
CF_ALL = 0x7,
};
+// TLS certificate policy.
+enum class TlsCertPolicy {
+ // For TLS based protocols, ensure the connection is secure by not
+ // circumventing certificate validation.
+ TLS_CERT_POLICY_SECURE,
+ // For TLS based protocols, disregard security completely by skipping
+ // certificate validation. This is insecure and should never be used unless
+ // security is irrelevant in that particular context.
+ TLS_CERT_POLICY_INSECURE_NO_CHECK,
+};
+
// TODO(deadbeef): Rename to TurnCredentials (and username to ufrag).
struct RelayCredentials {
RelayCredentials() {}
@@ -134,17 +144,6 @@
std::string password;
};
-// TLS certificate policy.
-enum class TlsCertPolicy {
- // For TLS based protocols, ensure the connection is secure by not
- // circumventing certificate validation.
- TLS_CERT_POLICY_SECURE,
- // For TLS based protocols, disregard security completely by skipping
- // certificate validation. This is insecure and should never be used unless
- // security is irrelevant in that particular context.
- TLS_CERT_POLICY_INSECURE_NO_CHECK,
-};
-
typedef std::vector<ProtocolAddress> PortList;
// TODO(deadbeef): Rename to TurnServerConfig.
struct RelayServerConfig {
@@ -181,7 +180,6 @@
TlsCertPolicy tls_cert_policy = TlsCertPolicy::TLS_CERT_POLICY_SECURE;
std::vector<std::string> tls_alpn_protocols;
std::vector<std::string> tls_elliptic_curves;
- rtc::SSLConfig ssl_config;
rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr;
};
diff --git a/p2p/base/testturnserver.h b/p2p/base/testturnserver.h
index 61a2e10..734ca4d 100644
--- a/p2p/base/testturnserver.h
+++ b/p2p/base/testturnserver.h
@@ -110,12 +110,7 @@
adapter->SetRole(rtc::SSL_SERVER);
adapter->SetIdentity(
rtc::SSLIdentity::Generate(common_name, rtc::KeyParams()));
- rtc::SSLConfig ssl_config;
- if (ignore_bad_cert) {
- ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- }
- adapter->SetSSLConfig(ssl_config);
+ adapter->SetIgnoreBadCert(ignore_bad_cert);
socket = adapter;
}
socket->Bind(int_addr);
diff --git a/p2p/base/turnport.cc b/p2p/base/turnport.cc
index a406d13..0883534 100644
--- a/p2p/base/turnport.cc
+++ b/p2p/base/turnport.cc
@@ -244,47 +244,8 @@
username,
password),
server_address_(server_address),
- tls_cert_verifier_(tls_cert_verifier),
- credentials_(credentials),
- socket_(NULL),
- resolver_(NULL),
- error_(0),
- request_manager_(thread),
- next_channel_number_(TURN_CHANNEL_NUMBER_START),
- state_(STATE_CONNECTING),
- server_priority_(server_priority),
- allocate_mismatch_retries_(0),
- turn_customizer_(customizer) {
- ssl_config_.tls_alpn_protocols = tls_alpn_protocols;
- ssl_config_.tls_elliptic_curves = tls_elliptic_curves;
- request_manager_.SignalSendPacket.connect(this, &TurnPort::OnSendStunPacket);
- request_manager_.set_origin(origin);
-}
-
-TurnPort::TurnPort(rtc::Thread* thread,
- rtc::PacketSocketFactory* factory,
- rtc::Network* network,
- uint16_t min_port,
- uint16_t max_port,
- const std::string& username,
- const std::string& password,
- const ProtocolAddress& server_address,
- const RelayCredentials& credentials,
- int server_priority,
- const std::string& origin,
- webrtc::TurnCustomizer* customizer,
- const rtc::SSLConfig& ssl_config,
- rtc::SSLCertificateVerifier* tls_cert_verifier)
- : Port(thread,
- RELAY_PORT_TYPE,
- factory,
- network,
- min_port,
- max_port,
- username,
- password),
- server_address_(server_address),
- ssl_config_(ssl_config),
+ tls_alpn_protocols_(tls_alpn_protocols),
+ tls_elliptic_curves_(tls_elliptic_curves),
tls_cert_verifier_(tls_cert_verifier),
credentials_(credentials),
socket_(NULL),
@@ -328,20 +289,20 @@
return server_address_.proto;
}
-void TurnPort::SetTlsCertPolicy(TlsCertPolicy tls_cert_policy) {
- switch (tls_cert_policy) {
- case TlsCertPolicy::TLS_CERT_POLICY_SECURE:
- ssl_config_.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
- break;
- case TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK:
- ssl_config_.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- break;
- }
+TlsCertPolicy TurnPort::GetTlsCertPolicy() const {
+ return tls_cert_policy_;
}
-const rtc::SSLConfig& TurnPort::GetSslConfig() const {
- return ssl_config_;
+void TurnPort::SetTlsCertPolicy(TlsCertPolicy tls_cert_policy) {
+ tls_cert_policy_ = tls_cert_policy;
+}
+
+std::vector<std::string> TurnPort::GetTlsAlpnProtocols() const {
+ return tls_alpn_protocols_;
+}
+
+std::vector<std::string> TurnPort::GetTlsEllipticCurves() const {
+ return tls_elliptic_curves_;
}
void TurnPort::PrepareAddress() {
@@ -401,8 +362,8 @@
// Apply server address TLS and insecure bits to options.
if (server_address_.proto == PROTO_TLS) {
- if (ssl_config_.tls_cert_policy ==
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) {
+ if (tls_cert_policy_ ==
+ TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) {
opts |= rtc::PacketSocketFactory::OPT_TLS_INSECURE;
} else {
opts |= rtc::PacketSocketFactory::OPT_TLS;
@@ -411,8 +372,9 @@
rtc::PacketSocketTcpOptions tcp_options;
tcp_options.opts = opts;
+ tcp_options.tls_alpn_protocols = tls_alpn_protocols_;
+ tcp_options.tls_elliptic_curves = tls_elliptic_curves_;
tcp_options.tls_cert_verifier = tls_cert_verifier_;
- tcp_options.ssl_config = ssl_config_;
socket_ = socket_factory()->CreateClientTcpSocket(
rtc::SocketAddress(Network()->GetBestIP(), 0), server_address_.address,
proxy(), user_agent(), tcp_options);
diff --git a/p2p/base/turnport.h b/p2p/base/turnport.h
index 0d9192f..5955aaf 100644
--- a/p2p/base/turnport.h
+++ b/p2p/base/turnport.h
@@ -22,7 +22,6 @@
#include "p2p/client/basicportallocator.h"
#include "rtc_base/asyncinvoker.h"
#include "rtc_base/asyncpacketsocket.h"
-#include "rtc_base/ssladapter.h"
#include "rtc_base/sslcertificate.h"
namespace rtc {
@@ -67,7 +66,6 @@
customizer);
}
- // Deprecated. TODO(diogor, webrtc:9673): Remove this constructor.
// Create a TURN port that will use a new socket, bound to |network| and
// using a port in the range between |min_port| and |max_port|.
static TurnPort* Create(
@@ -86,34 +84,10 @@
const std::vector<std::string>& tls_elliptic_curves,
webrtc::TurnCustomizer* customizer,
rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) {
- rtc::SSLConfig ssl_config;
- ssl_config.tls_alpn_protocols = tls_alpn_protocols;
- ssl_config.tls_elliptic_curves = tls_elliptic_curves;
return new TurnPort(thread, factory, network, min_port, max_port, username,
password, server_address, credentials, server_priority,
- origin, customizer, ssl_config, tls_cert_verifier);
- }
-
- // Create a TURN port that will use a new socket, bound to |network| and
- // using a port in the range between |min_port| and |max_port|.
- static TurnPort* Create(
- rtc::Thread* thread,
- rtc::PacketSocketFactory* factory,
- rtc::Network* network,
- uint16_t min_port,
- uint16_t max_port,
- const std::string& username, // ice username.
- const std::string& password, // ice password.
- const ProtocolAddress& server_address,
- const RelayCredentials& credentials,
- int server_priority,
- const std::string& origin,
- webrtc::TurnCustomizer* customizer,
- const rtc::SSLConfig& ssl_config,
- rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) {
- return new TurnPort(thread, factory, network, min_port, max_port, username,
- password, server_address, credentials, server_priority,
- origin, customizer, ssl_config, tls_cert_verifier);
+ origin, tls_alpn_protocols, tls_elliptic_curves,
+ customizer, tls_cert_verifier);
}
~TurnPort() override;
@@ -130,11 +104,11 @@
ProtocolType GetProtocol() const override;
- // Deprecated. SSLConfig should be used instead.
- // TODO(diogor, webrtc:9673): Remove this.
+ virtual TlsCertPolicy GetTlsCertPolicy() const;
virtual void SetTlsCertPolicy(TlsCertPolicy tls_cert_policy);
- virtual const rtc::SSLConfig& GetSslConfig() const;
+ virtual std::vector<std::string> GetTlsAlpnProtocols() const;
+ virtual std::vector<std::string> GetTlsEllipticCurves() const;
// Release a TURN allocation by sending a refresh with lifetime 0.
// Sets state to STATE_RECEIVEONLY.
@@ -246,21 +220,6 @@
webrtc::TurnCustomizer* customizer,
rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr);
- TurnPort(rtc::Thread* thread,
- rtc::PacketSocketFactory* factory,
- rtc::Network* network,
- uint16_t min_port,
- uint16_t max_port,
- const std::string& username,
- const std::string& password,
- const ProtocolAddress& server_address,
- const RelayCredentials& credentials,
- int server_priority,
- const std::string& origin,
- webrtc::TurnCustomizer* customizer,
- const rtc::SSLConfig& ssl_config,
- rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr);
-
// NOTE: This method needs to be accessible for StacPort
// return true if entry was created (i.e channel_number consumed).
bool CreateOrRefreshEntry(const rtc::SocketAddress& addr,
@@ -345,7 +304,9 @@
size_t size, bool payload);
ProtocolAddress server_address_;
- rtc::SSLConfig ssl_config_;
+ TlsCertPolicy tls_cert_policy_ = TlsCertPolicy::TLS_CERT_POLICY_SECURE;
+ std::vector<std::string> tls_alpn_protocols_;
+ std::vector<std::string> tls_elliptic_curves_;
rtc::SSLCertificateVerifier* tls_cert_verifier_;
RelayCredentials credentials_;
AttemptedServerSet attempted_server_addresses_;
diff --git a/p2p/base/turnport_unittest.cc b/p2p/base/turnport_unittest.cc
index 73f469d..bac35e8 100644
--- a/p2p/base/turnport_unittest.cc
+++ b/p2p/base/turnport_unittest.cc
@@ -270,16 +270,21 @@
const ProtocolAddress& server_address,
const std::string& origin) {
RelayCredentials credentials(username, password);
- rtc::SSLConfig ssl_config;
- ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- turn_port_.reset(TurnPort::Create(&main_, &socket_factory_, network, 0, 0,
- kIceUfrag1, kIcePwd1, server_address,
- credentials, 0, origin,
- turn_customizer_.get(), ssl_config));
+ turn_port_.reset(TurnPort::Create(
+ &main_, &socket_factory_, network, 0, 0, kIceUfrag1, kIcePwd1,
+ server_address, credentials, 0, origin, std::vector<std::string>(),
+ std::vector<std::string>(), turn_customizer_.get()));
// This TURN port will be the controlling.
turn_port_->SetIceRole(ICEROLE_CONTROLLING);
ConnectSignals();
+
+ if (server_address.proto == cricket::PROTO_TLS) {
+ // The test TURN server has a self-signed certificate so will not pass
+ // the normal client validation. Instruct the client to ignore certificate
+ // errors for testing only.
+ turn_port_->SetTlsCertPolicy(
+ TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK);
+ }
}
void CreateSharedTurnPort(const std::string& username,
diff --git a/p2p/client/turnportfactory.cc b/p2p/client/turnportfactory.cc
index 68ceff4..6404134 100644
--- a/p2p/client/turnportfactory.cc
+++ b/p2p/client/turnportfactory.cc
@@ -26,29 +26,20 @@
args.username, args.password, *args.server_address,
args.config->credentials, args.config->priority, args.origin,
args.turn_customizer);
+ port->SetTlsCertPolicy(args.config->tls_cert_policy);
return std::unique_ptr<Port>(port);
}
std::unique_ptr<Port> TurnPortFactory::Create(const CreateRelayPortArgs& args,
int min_port,
int max_port) {
- rtc::SSLConfig ssl_config = args.config->ssl_config;
- if (!args.config->tls_alpn_protocols.empty()) {
- ssl_config.tls_alpn_protocols = args.config->tls_alpn_protocols;
- }
- if (!args.config->tls_elliptic_curves.empty()) {
- ssl_config.tls_elliptic_curves = args.config->tls_elliptic_curves;
- }
- if (args.config->tls_cert_policy ==
- TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK) {
- ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- }
TurnPort* port = TurnPort::Create(
args.network_thread, args.socket_factory, args.network, min_port,
max_port, args.username, args.password, *args.server_address,
args.config->credentials, args.config->priority, args.origin,
- args.turn_customizer, ssl_config, args.config->tls_cert_verifier);
+ args.config->tls_alpn_protocols, args.config->tls_elliptic_curves,
+ args.turn_customizer, args.config->tls_cert_verifier);
+ port->SetTlsCertPolicy(args.config->tls_cert_policy);
return std::unique_ptr<Port>(port);
}
diff --git a/pc/iceserverparsing.cc b/pc/iceserverparsing.cc
index 74d1ed2..806fb3b 100644
--- a/pc/iceserverparsing.cc
+++ b/pc/iceserverparsing.cc
@@ -14,7 +14,6 @@
#include <string>
#include "rtc_base/arraysize.h"
-#include "rtc_base/ssladapter.h"
namespace webrtc {
@@ -255,22 +254,13 @@
}
cricket::RelayServerConfig config = cricket::RelayServerConfig(
socket_address, username, server.password, turn_transport_type);
-
- config.ssl_config = server.ssl_config;
-
if (server.tls_cert_policy ==
PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) {
- config.ssl_config.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
+ config.tls_cert_policy =
+ cricket::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
}
- if (!server.ssl_config.tls_alpn_protocols.has_value() &&
- !server.tls_alpn_protocols.empty()) {
- config.ssl_config.tls_alpn_protocols = server.tls_alpn_protocols;
- }
- if (!server.ssl_config.tls_elliptic_curves.has_value() &&
- !server.tls_elliptic_curves.empty()) {
- config.ssl_config.tls_elliptic_curves = server.tls_elliptic_curves;
- }
+ config.tls_alpn_protocols = server.tls_alpn_protocols;
+ config.tls_elliptic_curves = server.tls_elliptic_curves;
turn_servers->push_back(config);
break;
diff --git a/pc/iceserverparsing_unittest.cc b/pc/iceserverparsing_unittest.cc
index b95f9a5..4ec7a89 100644
--- a/pc/iceserverparsing_unittest.cc
+++ b/pc/iceserverparsing_unittest.cc
@@ -86,16 +86,16 @@
EXPECT_EQ(0U, stun_servers_.size());
EXPECT_EQ(1U, turn_servers_.size());
EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto);
- EXPECT_TRUE(turn_servers_[0].ssl_config.tls_cert_policy ==
- rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE);
+ EXPECT_TRUE(turn_servers_[0].tls_cert_policy ==
+ cricket::TlsCertPolicy::TLS_CERT_POLICY_SECURE);
EXPECT_TRUE(ParseUrl(
"turns:hostname", "username", "password",
PeerConnectionInterface::TlsCertPolicy::kTlsCertPolicyInsecureNoCheck));
EXPECT_EQ(0U, stun_servers_.size());
EXPECT_EQ(1U, turn_servers_.size());
- EXPECT_TRUE(turn_servers_[0].ssl_config.tls_cert_policy ==
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK);
+ EXPECT_TRUE(turn_servers_[0].tls_cert_policy ==
+ cricket::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK);
EXPECT_EQ(cricket::PROTO_TLS, turn_servers_[0].ports[0].proto);
// invalid prefixes
diff --git a/rtc_base/openssladapter.cc b/rtc_base/openssladapter.cc
index 2662b37..50284a6 100644
--- a/rtc_base/openssladapter.cc
+++ b/rtc_base/openssladapter.cc
@@ -209,6 +209,7 @@
ssl_(nullptr),
ssl_ctx_(nullptr),
ssl_mode_(SSL_MODE_TLS),
+ ignore_bad_cert_(false),
custom_cert_verifier_status_(false) {
// If a factory is used, take a reference on the factory's SSL_CTX.
// Otherwise, we'll create our own later.
@@ -225,8 +226,16 @@
Cleanup();
}
-void OpenSSLAdapter::SetSSLConfig(const SSLConfig& ssl_config) {
- ssl_config_ = ssl_config;
+void OpenSSLAdapter::SetIgnoreBadCert(bool ignore) {
+ ignore_bad_cert_ = ignore;
+}
+
+void OpenSSLAdapter::SetAlpnProtocols(const std::vector<std::string>& protos) {
+ alpn_protocols_ = protos;
+}
+
+void OpenSSLAdapter::SetEllipticCurves(const std::vector<std::string>& curves) {
+ elliptic_curves_ = curves;
}
void OpenSSLAdapter::SetMode(SSLMode mode) {
@@ -260,7 +269,7 @@
SSLAdapter* adapter = SSLAdapter::Create(socket);
adapter->SetIdentity(identity_->GetReference());
adapter->SetRole(rtc::SSL_SERVER);
- adapter->SetSSLConfig(ssl_config_);
+ adapter->SetIgnoreBadCert(ignore_bad_cert_);
adapter->StartSSL("", false);
return adapter;
}
@@ -358,28 +367,13 @@
}
#ifdef OPENSSL_IS_BORINGSSL
- // Potentially set a couple common TLS extensions; even though we don't use
- // them yet.
- if (ssl_config_.enable_ocsp_stapling) {
- SSL_enable_ocsp_stapling(ssl_);
- }
- if (ssl_config_.enable_signed_cert_timestamp) {
- SSL_enable_signed_cert_timestamps(ssl_);
- }
- SSL_CTX_set_grease_enabled(ssl_ctx_, ssl_config_.enable_grease);
+ // Set a couple common TLS extensions; even though we don't use them yet.
+ SSL_enable_ocsp_stapling(ssl_);
+ SSL_enable_signed_cert_timestamps(ssl_);
#endif
- if (ssl_config_.max_ssl_version.has_value()) {
- SSL_set_max_proto_version(ssl_, ssl_config_.max_ssl_version.value());
- }
-
- if (ssl_config_.enable_tls_channel_id) {
- SSL_enable_tls_channel_id(ssl_);
- }
-
- if (ssl_config_.tls_alpn_protocols.has_value()) {
- std::string tls_alpn_string =
- TransformAlpnProtocols(ssl_config_.tls_alpn_protocols.value());
+ if (!alpn_protocols_.empty()) {
+ std::string tls_alpn_string = TransformAlpnProtocols(alpn_protocols_);
if (!tls_alpn_string.empty()) {
SSL_set_alpn_protos(
ssl_, reinterpret_cast<const unsigned char*>(tls_alpn_string.data()),
@@ -387,9 +381,8 @@
}
}
- if (ssl_config_.tls_elliptic_curves.has_value()) {
- SSL_set1_curves_list(
- ssl_, rtc::join(ssl_config_.tls_elliptic_curves.value(), ':').c_str());
+ if (!elliptic_curves_.empty()) {
+ SSL_set1_curves_list(ssl_, rtc::join(elliptic_curves_, ':').c_str());
}
// Now that the initial config is done, transfer ownership of |bio| to the
@@ -801,10 +794,10 @@
openssl::VerifyPeerCertMatchesHost(ssl, host) &&
(SSL_get_verify_result(ssl) == X509_V_OK || custom_cert_verifier_status_);
- if (!is_valid_cert_name && ShouldIgnoreBadCert()) {
+ if (!is_valid_cert_name && ignore_bad_cert_) {
RTC_DLOG(LS_WARNING) << "Other TLS post connection checks failed. "
- "TLS cert policy set to ignore bad certs. "
- "Overriding name verification failure!";
+ "ignore_bad_cert_ set to true. Overriding name "
+ "verification failure!";
is_valid_cert_name = true;
}
return is_valid_cert_name;
@@ -877,7 +870,7 @@
}
// Should only be used for debugging and development.
- if (!ok && stream->ShouldIgnoreBadCert()) {
+ if (!ok && stream->ignore_bad_cert_) {
RTC_DLOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
ok = 1;
}
@@ -948,11 +941,6 @@
return ctx;
}
-bool OpenSSLAdapter::ShouldIgnoreBadCert() {
- return ssl_config_.tls_cert_policy ==
- TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
-}
-
std::string TransformAlpnProtocols(
const std::vector<std::string>& alpn_protocols) {
// Transforms the alpn_protocols list to the format expected by
diff --git a/rtc_base/openssladapter.h b/rtc_base/openssladapter.h
index 9455f0f..50a7c08 100644
--- a/rtc_base/openssladapter.h
+++ b/rtc_base/openssladapter.h
@@ -45,7 +45,9 @@
SSLCertificateVerifier* ssl_cert_verifier = nullptr);
~OpenSSLAdapter() override;
- void SetSSLConfig(const SSLConfig& ssl_config) override;
+ void SetIgnoreBadCert(bool ignore) override;
+ void SetAlpnProtocols(const std::vector<std::string>& protos) override;
+ void SetEllipticCurves(const std::vector<std::string>& curves) override;
void SetMode(SSLMode mode) override;
void SetCertVerifier(SSLCertificateVerifier* ssl_cert_verifier) override;
void SetIdentity(SSLIdentity* identity) override;
@@ -93,9 +95,6 @@
void Error(const char* context, int err, bool signal = true);
void Cleanup();
- // If true, the server certificate need not match the configured hostname.
- bool ShouldIgnoreBadCert();
-
// Return value and arguments have the same meanings as for Send; |error| is
// an output parameter filled with the result of SSL_get_error.
int DoSslWrite(const void* pv, size_t cb, int* error);
@@ -139,8 +138,12 @@
std::string ssl_host_name_;
// Set the adapter to DTLS or TLS mode before creating the context.
SSLMode ssl_mode_;
- // SSL configuration for this session.
- SSLConfig ssl_config_;
+ // If true, the server certificate need not match the configured hostname.
+ bool ignore_bad_cert_;
+ // List of protocols to be used in the TLS ALPN extension.
+ std::vector<std::string> alpn_protocols_;
+ // List of elliptic curves to be used in the TLS elliptic curves extension.
+ std::vector<std::string> elliptic_curves_;
// Holds the result of the call to run of the ssl_cert_verify_->Verify()
bool custom_cert_verifier_status_;
};
diff --git a/rtc_base/ssladapter.cc b/rtc_base/ssladapter.cc
index debbd65..e091f00 100644
--- a/rtc_base/ssladapter.cc
+++ b/rtc_base/ssladapter.cc
@@ -16,12 +16,6 @@
namespace rtc {
-SSLConfig::SSLConfig() = default;
-SSLConfig::SSLConfig(const SSLConfig&) = default;
-SSLConfig::~SSLConfig() = default;
-
-///////////////////////////////////////////////////////////////////////////////
-
SSLAdapterFactory* SSLAdapterFactory::Create() {
return new OpenSSLAdapterFactory();
}
diff --git a/rtc_base/ssladapter.h b/rtc_base/ssladapter.h
index 33f008c..4843d26 100644
--- a/rtc_base/ssladapter.h
+++ b/rtc_base/ssladapter.h
@@ -22,57 +22,6 @@
class SSLAdapter;
-// TLS certificate policy.
-enum class TlsCertPolicy {
- // For TLS based protocols, ensure the connection is secure by not
- // circumventing certificate validation.
- TLS_CERT_POLICY_SECURE,
- // For TLS based protocols, disregard security completely by skipping
- // certificate validation. This is insecure and should never be used unless
- // security is irrelevant in that particular context.
- // Do not set to this value in production code.
- // TODO(juberti): Remove the opportunistic encryption mechanism in
- // BasicPacketSocketFactory that uses this value.
- TLS_CERT_POLICY_INSECURE_NO_CHECK,
-};
-
-// SSL configuration options.
-struct SSLConfig final {
- SSLConfig();
- SSLConfig(const SSLConfig&);
- ~SSLConfig();
-
- bool operator==(const SSLConfig& o) const {
- return enable_ocsp_stapling == o.enable_ocsp_stapling &&
- enable_signed_cert_timestamp == o.enable_signed_cert_timestamp &&
- enable_tls_channel_id == o.enable_tls_channel_id &&
- enable_grease == o.enable_grease &&
- max_ssl_version == o.max_ssl_version &&
- tls_alpn_protocols == o.tls_alpn_protocols &&
- tls_elliptic_curves == o.tls_elliptic_curves;
- }
- bool operator!=(const SSLConfig& o) const { return !(*this == o); }
-
- // If true, enables the (unused) OCSP stapling TLS extension.
- bool enable_ocsp_stapling = true;
- // If true, enables the (unused) signed certificate timestamp TLS extension.
- bool enable_signed_cert_timestamp = true;
- // If true, enables the (unused) channel ID TLS extension.
- bool enable_tls_channel_id = false;
- // If true, enables the (unused) GREASE TLS extension.
- bool enable_grease = false;
- // Indicates how to process incoming certificates.
- TlsCertPolicy tls_cert_policy = TlsCertPolicy::TLS_CERT_POLICY_SECURE;
- // If set, indicates the highest supported SSL version.
- absl::optional<int> max_ssl_version;
- // If set, indicates the list of protocols to be used in the TLS ALPN
- // extension.
- absl::optional<std::vector<std::string>> tls_alpn_protocols;
- // If set, indicates the list of curves to be used in the TLS elliptic curves
- // extension.
- absl::optional<std::vector<std::string>> tls_elliptic_curves;
-};
-
// Class for creating SSL adapters with shared state, e.g., a session cache,
// which allows clients to resume SSL sessions to previously-contacted hosts.
// Clients should create the factory using Create(), set up the factory as
@@ -103,8 +52,14 @@
public:
explicit SSLAdapter(AsyncSocket* socket) : AsyncSocketAdapter(socket) {}
- // Sets the SSL configuration for this session.
- virtual void SetSSLConfig(const SSLConfig& ssl_config) = 0;
+ // Methods that control server certificate verification, used in unit tests.
+ // Do not call these methods in production code.
+ // TODO(juberti): Remove the opportunistic encryption mechanism in
+ // BasicPacketSocketFactory that uses this function.
+ virtual void SetIgnoreBadCert(bool ignore) = 0;
+
+ virtual void SetAlpnProtocols(const std::vector<std::string>& protos) = 0;
+ virtual void SetEllipticCurves(const std::vector<std::string>& curves) = 0;
// Do DTLS or TLS (default is TLS, if unspecified)
virtual void SetMode(SSLMode mode) = 0;
diff --git a/rtc_base/ssladapter_unittest.cc b/rtc_base/ssladapter_unittest.cc
index 130cf1f..ec532b1 100644
--- a/rtc_base/ssladapter_unittest.cc
+++ b/rtc_base/ssladapter_unittest.cc
@@ -67,9 +67,7 @@
// Ignore any certificate errors for the purpose of testing.
// Note: We do this only because we don't have a real certificate.
// NEVER USE THIS IN PRODUCTION CODE!
- ssl_config_.tls_cert_policy =
- rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- ssl_adapter_->SetSSLConfig(ssl_config_);
+ ssl_adapter_->SetIgnoreBadCert(true);
ssl_adapter_->SignalReadEvent.connect(
this, &SSLAdapterTestDummyClient::OnSSLAdapterReadEvent);
@@ -77,52 +75,22 @@
this, &SSLAdapterTestDummyClient::OnSSLAdapterCloseEvent);
}
- void SetTlsCertPolicy(rtc::TlsCertPolicy tls_cert_policy) {
- ssl_config_.tls_cert_policy = tls_cert_policy;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetEnableOcspStapling(bool enable_ocsp_stapling) {
- ssl_config_.enable_ocsp_stapling = enable_ocsp_stapling;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetEnableSignedCertTimestamp(bool enable_signed_cert_timestamp) {
- ssl_config_.enable_signed_cert_timestamp = enable_signed_cert_timestamp;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetEnableTlsChannelId(bool enable_tls_channel_id) {
- ssl_config_.enable_tls_channel_id = enable_tls_channel_id;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetEnableGrease(bool enable_grease) {
- ssl_config_.enable_grease = enable_grease;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetMaxSslVersion(const absl::optional<int>& max_ssl_version) {
- ssl_config_.max_ssl_version = max_ssl_version;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetAlpnProtocols(
- const absl::optional<std::vector<std::string>>& tls_alpn_protocols) {
- ssl_config_.tls_alpn_protocols = tls_alpn_protocols;
- ssl_adapter_->SetSSLConfig(ssl_config_);
- }
-
- void SetEllipticCurves(
- const absl::optional<std::vector<std::string>>& tls_elliptic_curves) {
- ssl_config_.tls_elliptic_curves = tls_elliptic_curves;
- ssl_adapter_->SetSSLConfig(ssl_config_);
+ void SetIgnoreBadCert(bool ignore_bad_cert) {
+ ssl_adapter_->SetIgnoreBadCert(ignore_bad_cert);
}
void SetCertVerifier(rtc::SSLCertificateVerifier* ssl_cert_verifier) {
ssl_adapter_->SetCertVerifier(ssl_cert_verifier);
}
+ void SetAlpnProtocols(const std::vector<std::string>& protos) {
+ ssl_adapter_->SetAlpnProtocols(protos);
+ }
+
+ void SetEllipticCurves(const std::vector<std::string>& curves) {
+ ssl_adapter_->SetEllipticCurves(curves);
+ }
+
rtc::SocketAddress GetAddress() const {
return ssl_adapter_->GetLocalAddress();
}
@@ -186,8 +154,6 @@
std::unique_ptr<rtc::SSLAdapter> ssl_adapter_;
- rtc::SSLConfig ssl_config_;
-
std::string data_;
};
@@ -339,51 +305,29 @@
void SetHandshakeWait(int wait) { handshake_wait_ = wait; }
- void SetTlsCertPolicy(rtc::TlsCertPolicy tls_cert_policy) {
- client_->SetTlsCertPolicy(tls_cert_policy);
- }
-
- void SetEnableOcspStapling(bool enable_ocsp_stapling) {
- client_->SetEnableOcspStapling(enable_ocsp_stapling);
- }
-
- void SetEnableSignedCertTimestamp(bool enable_signed_cert_timestamp) {
- client_->SetEnableSignedCertTimestamp(enable_signed_cert_timestamp);
- }
-
- void SetEnableTlsChannelId(bool enable_tls_channel_id) {
- client_->SetEnableTlsChannelId(enable_tls_channel_id);
- }
-
- void SetEnableGrease(bool enable_grease) {
- client_->SetEnableGrease(enable_grease);
- }
-
- void SetMaxSslVersion(const absl::optional<int>& max_ssl_version) {
- client_->SetMaxSslVersion(max_ssl_version);
- }
-
- void SetAlpnProtocols(
- const absl::optional<std::vector<std::string>>& tls_alpn_protocols) {
- client_->SetAlpnProtocols(tls_alpn_protocols);
- }
-
- void SetEllipticCurves(
- const absl::optional<std::vector<std::string>>& tls_elliptic_curves) {
- client_->SetEllipticCurves(tls_elliptic_curves);
+ void SetIgnoreBadCert(bool ignore_bad_cert) {
+ client_->SetIgnoreBadCert(ignore_bad_cert);
}
void SetCertVerifier(rtc::SSLCertificateVerifier* ssl_cert_verifier) {
client_->SetCertVerifier(ssl_cert_verifier);
}
+ void SetAlpnProtocols(const std::vector<std::string>& protos) {
+ client_->SetAlpnProtocols(protos);
+ }
+
+ void SetEllipticCurves(const std::vector<std::string>& curves) {
+ client_->SetEllipticCurves(curves);
+ }
+
void SetMockCertVerifier(bool return_value) {
auto mock_verifier = absl::make_unique<MockCertVerifier>();
EXPECT_CALL(*mock_verifier, Verify(_)).WillRepeatedly(Return(return_value));
cert_verifier_ =
std::unique_ptr<rtc::SSLCertificateVerifier>(std::move(mock_verifier));
- SetTlsCertPolicy(rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE);
+ SetIgnoreBadCert(false);
SetCertVerifier(cert_verifier_.get());
}
@@ -581,76 +525,6 @@
TestTransfer("Hello, world!");
}
-// Test transfer with OCSP stapling enabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestOcspStaplingEnabled) {
- SetEnableOcspStapling(true);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with OCSP stapling disabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestOcspStaplingDisabled) {
- SetEnableOcspStapling(false);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// test transfer with signed cert timestamp enabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestSignedCertTimestampEnabled) {
- SetEnableSignedCertTimestamp(true);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with signed cert timestamp disabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestSignedCertTimestampDisabled) {
- SetEnableSignedCertTimestamp(false);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with TLS channel ID enabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSChannelIdEnabled) {
- SetEnableTlsChannelId(true);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with TLS channel ID disabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSChannelIdDisabled) {
- SetEnableTlsChannelId(false);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with GREASE enabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestGreaseEnabled) {
- SetEnableGrease(true);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with GREASE disabled
-TEST_F(SSLAdapterTestTLS_ECDSA, TestGreaseDisabled) {
- SetEnableGrease(false);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with TLS1_3.
-TEST_F(SSLAdapterTestTLS_ECDSA, TestMaxSSLVersionTLS1_3) {
- SetMaxSslVersion(0x0304 /* TLS1_3 */);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
-// Test transfer with TLS1_2.
-TEST_F(SSLAdapterTestTLS_ECDSA, TestMaxSSLVersionTLS1_2) {
- SetMaxSslVersion(0x0303 /* TLS1_2 */);
- TestHandshake(true);
- TestTransfer("Hello, world!");
-}
-
// Test transfer using ALPN with protos as h2 and http/1.1
TEST_F(SSLAdapterTestTLS_ECDSA, TestTLSALPN) {
std::vector<std::string> alpn_protos{"h2", "http/1.1"};
diff --git a/sdk/BUILD.gn b/sdk/BUILD.gn
index 4930ad5..36909e2 100644
--- a/sdk/BUILD.gn
+++ b/sdk/BUILD.gn
@@ -870,9 +870,6 @@
"objc/api/peerconnection/RTCRtpTransceiver.mm",
"objc/api/peerconnection/RTCSSLAdapter.h",
"objc/api/peerconnection/RTCSSLAdapter.mm",
- "objc/api/peerconnection/RTCSSLConfig+Native.h",
- "objc/api/peerconnection/RTCSSLConfig.h",
- "objc/api/peerconnection/RTCSSLConfig.mm",
"objc/api/peerconnection/RTCSessionDescription+Private.h",
"objc/api/peerconnection/RTCSessionDescription.h",
"objc/api/peerconnection/RTCSessionDescription.mm",
@@ -988,7 +985,6 @@
"objc/Framework/Headers/WebRTC/RTCRtpSender.h",
"objc/Framework/Headers/WebRTC/RTCRtpTransceiver.h",
"objc/Framework/Headers/WebRTC/RTCSSLAdapter.h",
- "objc/Framework/Headers/WebRTC/RTCSSLConfig.h",
"objc/Framework/Headers/WebRTC/RTCSessionDescription.h",
"objc/Framework/Headers/WebRTC/RTCTracing.h",
"objc/Framework/Headers/WebRTC/RTCVideoCapturer.h",
diff --git a/sdk/android/BUILD.gn b/sdk/android/BUILD.gn
index 1013f0b..080684a 100644
--- a/sdk/android/BUILD.gn
+++ b/sdk/android/BUILD.gn
@@ -306,7 +306,6 @@
"api/org/webrtc/RtpSender.java",
"api/org/webrtc/RtpTransceiver.java",
"api/org/webrtc/SSLCertificateVerifier.java",
- "api/org/webrtc/SslConfig.java",
"api/org/webrtc/SdpObserver.java",
"api/org/webrtc/SessionDescription.java",
"api/org/webrtc/StatsObserver.java",
@@ -649,8 +648,6 @@
"src/jni/pc/sessiondescription.h",
"src/jni/pc/sslcertificateverifierwrapper.cc",
"src/jni/pc/sslcertificateverifierwrapper.h",
- "src/jni/pc/sslconfig.cc",
- "src/jni/pc/sslconfig.h",
"src/jni/pc/statsobserver.cc",
"src/jni/pc/statsobserver.h",
"src/jni/pc/turncustomizer.cc",
@@ -1196,7 +1193,6 @@
"api/org/webrtc/SSLCertificateVerifier.java",
"api/org/webrtc/SdpObserver.java",
"api/org/webrtc/SessionDescription.java",
- "api/org/webrtc/SslConfig.java",
"api/org/webrtc/StatsObserver.java",
"api/org/webrtc/StatsReport.java",
"api/org/webrtc/TurnCustomizer.java",
diff --git a/sdk/android/api/org/webrtc/PeerConnection.java b/sdk/android/api/org/webrtc/PeerConnection.java
index 2161711..2f9adcf 100644
--- a/sdk/android/api/org/webrtc/PeerConnection.java
+++ b/sdk/android/api/org/webrtc/PeerConnection.java
@@ -50,7 +50,6 @@
}
}
- // TODO(diogor, webrtc:9673): Remove TlsCertPolicy. It's deprecated, in favor of SslConfig.
/** Tracks PeerConnectionInterface::TlsCertPolicy */
public enum TlsCertPolicy {
TLS_CERT_POLICY_SECURE,
@@ -127,9 +126,7 @@
public final List<String> urls;
public final String username;
public final String password;
- // TODO(diogor, webrtc:9673): Remove tlsCertPolicy from this API.
- // This field will be ignored if tlsCertPolicy is also set in SslConfig.
- @Deprecated public final TlsCertPolicy tlsCertPolicy;
+ public final TlsCertPolicy tlsCertPolicy;
// If the URIs in |urls| only contain IP addresses, this field can be used
// to indicate the hostname, which may be necessary for TLS (using the SNI
@@ -137,18 +134,12 @@
// necessary.
public final String hostname;
- // TODO(diogor, webrtc:9673): Remove tlsAlpnProtocols from this API.
// List of protocols to be used in the TLS ALPN extension.
- @Deprecated public final List<String> tlsAlpnProtocols;
+ public final List<String> tlsAlpnProtocols;
- // TODO(diogor, webrtc:9673): Remove tlsEllipticCurves from this API.
// List of elliptic curves to be used in the TLS elliptic curves extension.
// Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- // This field will be ignored if tlsEllipticCurves is also set in SslConfig.
- @Deprecated public final List<String> tlsEllipticCurves;
-
- // SSL configuration options for any SSL/TLS connections to this IceServer.
- public final SslConfig sslConfig;
+ public final List<String> tlsEllipticCurves;
/** Convenience constructor for STUN servers. */
@Deprecated
@@ -170,12 +161,12 @@
public IceServer(String uri, String username, String password, TlsCertPolicy tlsCertPolicy,
String hostname) {
this(uri, Collections.singletonList(uri), username, password, tlsCertPolicy, hostname, null,
- null, SslConfig.builder().createSslConfig());
+ null);
}
private IceServer(String uri, List<String> urls, String username, String password,
TlsCertPolicy tlsCertPolicy, String hostname, List<String> tlsAlpnProtocols,
- List<String> tlsEllipticCurves, SslConfig sslConfig) {
+ List<String> tlsEllipticCurves) {
if (uri == null || urls == null || urls.isEmpty()) {
throw new IllegalArgumentException("uri == null || urls == null || urls.isEmpty()");
}
@@ -201,13 +192,12 @@
this.hostname = hostname;
this.tlsAlpnProtocols = tlsAlpnProtocols;
this.tlsEllipticCurves = tlsEllipticCurves;
- this.sslConfig = sslConfig;
}
@Override
public String toString() {
return urls + " [" + username + ":" + password + "] [" + tlsCertPolicy + "] [" + hostname
- + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "] [" + sslConfig + "]";
+ + "] [" + tlsAlpnProtocols + "] [" + tlsEllipticCurves + "]";
}
public static Builder builder(String uri) {
@@ -226,7 +216,6 @@
private String hostname = "";
private List<String> tlsAlpnProtocols;
private List<String> tlsEllipticCurves;
- private SslConfig sslConfig = SslConfig.builder().createSslConfig();
private Builder(List<String> urls) {
if (urls == null || urls.isEmpty()) {
@@ -245,7 +234,6 @@
return this;
}
- @Deprecated
public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) {
this.tlsCertPolicy = tlsCertPolicy;
return this;
@@ -256,26 +244,19 @@
return this;
}
- @Deprecated
public Builder setTlsAlpnProtocols(List<String> tlsAlpnProtocols) {
this.tlsAlpnProtocols = tlsAlpnProtocols;
return this;
}
- @Deprecated
public Builder setTlsEllipticCurves(List<String> tlsEllipticCurves) {
this.tlsEllipticCurves = tlsEllipticCurves;
return this;
}
- public Builder setSslConfig(SslConfig sslConfig) {
- this.sslConfig = sslConfig;
- return this;
- }
-
public IceServer createIceServer() {
return new IceServer(urls.get(0), urls, username, password, tlsCertPolicy, hostname,
- tlsAlpnProtocols, tlsEllipticCurves, sslConfig);
+ tlsAlpnProtocols, tlsEllipticCurves);
}
}
@@ -317,11 +298,6 @@
List<String> getTlsEllipticCurves() {
return tlsEllipticCurves;
}
-
- @CalledByNative("IceServer")
- SslConfig getSslConfig() {
- return sslConfig;
- }
}
/** Java version of PeerConnectionInterface.IceTransportsType */
diff --git a/sdk/android/api/org/webrtc/SslConfig.java b/sdk/android/api/org/webrtc/SslConfig.java
deleted file mode 100644
index 7a94928..0000000
--- a/sdk/android/api/org/webrtc/SslConfig.java
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-package org.webrtc;
-
-import java.util.Collections;
-import java.util.List;
-import javax.annotation.Nullable;
-
-/**
- * Java version of rtc::SSLConfig.
- *
- * Contains the configuration of any SSL/TLS connections that are initiated by
- * our client.
- */
-public class SslConfig {
- /** Tracks rtc::TlsCertPolicy */
- public enum TlsCertPolicy {
- TLS_CERT_POLICY_SECURE,
- TLS_CERT_POLICY_INSECURE_NO_CHECK,
- }
-
- /** Indicates whether to enable OCSP stapling in TLS. */
- public final boolean enableOcspStapling;
- /** Indicates whether to enable the signed certificate timestamp extension in TLS. */
- public final boolean enableSignedCertTimestamp;
- /** Indicates whether to enable the TLS Channel ID extension. */
- public final boolean enableTlsChannelId;
- /** Indicates whether to enable the TLS GREASE extension. */
- public final boolean enableGrease;
-
- /** Indicates how to process TURN server certificates */
- public final TlsCertPolicy tlsCertPolicy;
-
- /**
- * Highest supported SSL version, as defined in the supported_versions TLS extension.
- * If null, the default OpenSSL/BoringSSL max version will be used.
- */
- @Nullable public final Integer maxSslVersion;
-
- /**
- * List of protocols to be used in the TLS ALPN extension.
- * If null, the default list of OpenSSL/BoringSSL ALPN protocols will be used.
- */
- @Nullable public final List<String> tlsAlpnProtocols;
-
- /**
- * List of elliptic curves to be used in the TLS elliptic curves extension.
- * Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- * If null, the default list of OpenSSL/BoringSSL curves will be used.
- */
- @Nullable public final List<String> tlsEllipticCurves;
-
- private SslConfig(boolean enableOcspStapling, boolean enableSignedCertTimestamp,
- boolean enableTlsChannelId, boolean enableGrease, TlsCertPolicy tlsCertPolicy,
- Integer maxSslVersion, List<String> tlsAlpnProtocols, List<String> tlsEllipticCurves) {
- this.enableOcspStapling = enableOcspStapling;
- this.enableSignedCertTimestamp = enableSignedCertTimestamp;
- this.enableTlsChannelId = enableTlsChannelId;
- this.enableGrease = enableGrease;
- this.tlsCertPolicy = tlsCertPolicy;
- this.maxSslVersion = maxSslVersion;
- if (tlsAlpnProtocols != null) {
- this.tlsAlpnProtocols = Collections.unmodifiableList(tlsAlpnProtocols);
- } else {
- this.tlsAlpnProtocols = null;
- }
- if (tlsEllipticCurves != null) {
- this.tlsEllipticCurves = Collections.unmodifiableList(tlsEllipticCurves);
- } else {
- this.tlsEllipticCurves = null;
- }
- }
-
- @Override
- public String toString() {
- return "[enableOcspStapling=" + enableOcspStapling + "] [enableSignedCertTimestamp="
- + enableSignedCertTimestamp + "] [enableTlsChannelId=" + enableTlsChannelId
- + "] [enableGrease=" + enableGrease + "] [tlsCertPolicy=" + tlsCertPolicy
- + "] [maxSslVersion=" + maxSslVersion + "] [tlsAlpnProtocols=" + tlsAlpnProtocols
- + "] [tlsEllipticCurves=" + tlsEllipticCurves + "]";
- }
-
- public static Builder builder() {
- return new Builder();
- }
-
- public static class Builder {
- private boolean enableOcspStapling;
- private boolean enableSignedCertTimestamp;
- private boolean enableTlsChannelId;
- private boolean enableGrease;
- private TlsCertPolicy tlsCertPolicy;
- @Nullable private Integer maxSslVersion;
- @Nullable private List<String> tlsAlpnProtocols;
- @Nullable private List<String> tlsEllipticCurves;
-
- private Builder() {
- this.enableOcspStapling = true;
- this.enableSignedCertTimestamp = true;
- this.enableTlsChannelId = false;
- this.enableGrease = false;
- this.tlsCertPolicy = TlsCertPolicy.TLS_CERT_POLICY_SECURE;
- this.maxSslVersion = null;
- this.tlsAlpnProtocols = null;
- this.tlsEllipticCurves = null;
- }
-
- public Builder setEnableOcspStapling(boolean enableOcspStapling) {
- this.enableOcspStapling = enableOcspStapling;
- return this;
- }
-
- public Builder setEnableSignedCertTimestamp(boolean enableSignedCertTimestamp) {
- this.enableSignedCertTimestamp = enableSignedCertTimestamp;
- return this;
- }
-
- public Builder setEnableTlsChannelId(boolean enableTlsChannelId) {
- this.enableTlsChannelId = enableTlsChannelId;
- return this;
- }
-
- public Builder setEnableGrease(boolean enableGrease) {
- this.enableGrease = enableGrease;
- return this;
- }
-
- public Builder setTlsCertPolicy(TlsCertPolicy tlsCertPolicy) {
- this.tlsCertPolicy = tlsCertPolicy;
- return this;
- }
-
- public Builder setMaxSslVersion(int maxSslVersion) {
- this.maxSslVersion = maxSslVersion;
- return this;
- }
-
- public Builder setTlsAlpnProtocols(List<String> tlsAlpnProtocols) {
- this.tlsAlpnProtocols = tlsAlpnProtocols;
- return this;
- }
-
- public Builder setTlsEllipticCurves(List<String> tlsEllipticCurves) {
- this.tlsEllipticCurves = tlsEllipticCurves;
- return this;
- }
-
- public SslConfig createSslConfig() {
- return new SslConfig(enableOcspStapling, enableSignedCertTimestamp, enableTlsChannelId,
- enableGrease, tlsCertPolicy, maxSslVersion, tlsAlpnProtocols, tlsEllipticCurves);
- }
- }
-
- @CalledByNative
- boolean getEnableOcspStapling() {
- return enableOcspStapling;
- }
-
- @CalledByNative
- boolean getEnableSignedCertTimestamp() {
- return enableSignedCertTimestamp;
- }
-
- @CalledByNative
- boolean getEnableTlsChannelId() {
- return enableTlsChannelId;
- }
-
- @CalledByNative
- boolean getEnableGrease() {
- return enableGrease;
- }
-
- @CalledByNative
- TlsCertPolicy getTlsCertPolicy() {
- return tlsCertPolicy;
- }
-
- @Nullable
- @CalledByNative
- Integer getMaxSslVersion() {
- return maxSslVersion;
- }
-
- @Nullable
- @CalledByNative
- List<String> getTlsAlpnProtocols() {
- return tlsAlpnProtocols;
- }
-
- @Nullable
- @CalledByNative
- List<String> getTlsEllipticCurves() {
- return tlsEllipticCurves;
- }
-}
diff --git a/sdk/android/src/jni/pc/peerconnection.cc b/sdk/android/src/jni/pc/peerconnection.cc
index 1d9f945..79da797 100644
--- a/sdk/android/src/jni/pc/peerconnection.cc
+++ b/sdk/android/src/jni/pc/peerconnection.cc
@@ -51,7 +51,6 @@
#include "sdk/android/src/jni/pc/rtpsender.h"
#include "sdk/android/src/jni/pc/sdpobserver.h"
#include "sdk/android/src/jni/pc/sessiondescription.h"
-#include "sdk/android/src/jni/pc/sslconfig.h"
#include "sdk/android/src/jni/pc/statsobserver.h"
#include "sdk/android/src/jni/pc/turncustomizer.h"
@@ -88,8 +87,6 @@
Java_IceServer_getTlsAlpnProtocols(jni, j_ice_server);
ScopedJavaLocalRef<jobject> tls_elliptic_curves =
Java_IceServer_getTlsEllipticCurves(jni, j_ice_server);
- ScopedJavaLocalRef<jobject> ssl_config =
- Java_IceServer_getSslConfig(jni, j_ice_server);
PeerConnectionInterface::IceServer server;
server.urls = JavaListToNativeVector<std::string, jstring>(
jni, urls, &JavaToNativeString);
@@ -101,7 +98,6 @@
jni, tls_alpn_protocols, &JavaToNativeString);
server.tls_elliptic_curves = JavaListToNativeVector<std::string, jstring>(
jni, tls_elliptic_curves, &JavaToNativeString);
- server.ssl_config = JavaToNativeSslConfig(jni, ssl_config);
ice_servers.push_back(server);
}
return ice_servers;
diff --git a/sdk/android/src/jni/pc/sslconfig.cc b/sdk/android/src/jni/pc/sslconfig.cc
deleted file mode 100644
index 678f49a..0000000
--- a/sdk/android/src/jni/pc/sslconfig.cc
+++ /dev/null
@@ -1,78 +0,0 @@
-
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#include "sdk/android/src/jni/pc/sslconfig.h"
-
-#include <string>
-
-#include "rtc_base/ssladapter.h"
-#include "sdk/android/generated_peerconnection_jni/jni/SslConfig_jni.h"
-#include "sdk/android/native_api/jni/java_types.h"
-#include "sdk/android/src/jni/jni_helpers.h"
-
-namespace webrtc {
-namespace jni {
-
-rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy(
- JNIEnv* jni,
- const JavaRef<jobject>& j_ssl_config_tls_cert_policy) {
- std::string enum_name = GetJavaEnumName(jni, j_ssl_config_tls_cert_policy);
-
- if (enum_name == "TLS_CERT_POLICY_SECURE")
- return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
-
- if (enum_name == "TLS_CERT_POLICY_INSECURE_NO_CHECK")
- return rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
-
- RTC_NOTREACHED();
- return rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
-}
-
-rtc::SSLConfig JavaToNativeSslConfig(JNIEnv* jni,
- const JavaRef<jobject>& j_ssl_config) {
- rtc::SSLConfig ssl_config;
- ssl_config.enable_ocsp_stapling =
- Java_SslConfig_getEnableOcspStapling(jni, j_ssl_config);
- ssl_config.enable_signed_cert_timestamp =
- Java_SslConfig_getEnableSignedCertTimestamp(jni, j_ssl_config);
- ssl_config.enable_tls_channel_id =
- Java_SslConfig_getEnableTlsChannelId(jni, j_ssl_config);
- ssl_config.enable_grease = Java_SslConfig_getEnableGrease(jni, j_ssl_config);
-
- ScopedJavaLocalRef<jobject> j_ssl_config_max_ssl_version =
- Java_SslConfig_getMaxSslVersion(jni, j_ssl_config);
- ssl_config.max_ssl_version =
- JavaToNativeOptionalInt(jni, j_ssl_config_max_ssl_version);
-
- ScopedJavaLocalRef<jobject> j_ssl_config_tls_cert_policy =
- Java_SslConfig_getTlsCertPolicy(jni, j_ssl_config);
- ssl_config.tls_cert_policy =
- JavaToNativeRtcTlsCertPolicy(jni, j_ssl_config_tls_cert_policy);
-
- ScopedJavaLocalRef<jobject> j_ssl_config_tls_alpn_protocols =
- Java_SslConfig_getTlsAlpnProtocols(jni, j_ssl_config);
- if (!IsNull(jni, j_ssl_config_tls_alpn_protocols)) {
- ssl_config.tls_alpn_protocols =
- JavaListToNativeVector<std::string, jstring>(
- jni, j_ssl_config_tls_alpn_protocols, &JavaToNativeString);
- }
- ScopedJavaLocalRef<jobject> j_ssl_config_tls_elliptic_curves =
- Java_SslConfig_getTlsEllipticCurves(jni, j_ssl_config);
- if (!IsNull(jni, j_ssl_config_tls_elliptic_curves)) {
- ssl_config.tls_elliptic_curves =
- JavaListToNativeVector<std::string, jstring>(
- jni, j_ssl_config_tls_elliptic_curves, &JavaToNativeString);
- }
- return ssl_config;
-}
-
-} // namespace jni
-} // namespace webrtc
diff --git a/sdk/android/src/jni/pc/sslconfig.h b/sdk/android/src/jni/pc/sslconfig.h
deleted file mode 100644
index 38de114..0000000
--- a/sdk/android/src/jni/pc/sslconfig.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#ifndef SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
-#define SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
-
-#include "api/peerconnectioninterface.h"
-#include "sdk/android/native_api/jni/scoped_java_ref.h"
-
-namespace webrtc {
-namespace jni {
-
-rtc::TlsCertPolicy JavaToNativeRtcTlsCertPolicy(
- JNIEnv* jni,
- const JavaRef<jobject>& j_ssl_config_tls_cert_policy);
-
-rtc::SSLConfig JavaToNativeSslConfig(JNIEnv* env,
- const JavaRef<jobject>& j_ssl_config);
-
-} // namespace jni
-} // namespace webrtc
-
-#endif // SDK_ANDROID_SRC_JNI_PC_SSLCONFIG_H_
diff --git a/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h b/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h
deleted file mode 100644
index b572522..0000000
--- a/sdk/objc/Framework/Headers/WebRTC/RTCSSLConfig.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import "api/peerconnection/RTCSSLConfig.h"
diff --git a/sdk/objc/api/peerconnection/RTCIceServer.h b/sdk/objc/api/peerconnection/RTCIceServer.h
index a9760c7..c2def04 100644
--- a/sdk/objc/api/peerconnection/RTCIceServer.h
+++ b/sdk/objc/api/peerconnection/RTCIceServer.h
@@ -11,7 +11,11 @@
#import <Foundation/Foundation.h>
#import "RTCMacros.h"
-#import "RTCSSLConfig.h"
+
+typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) {
+ RTCTlsCertPolicySecure,
+ RTCTlsCertPolicyInsecureNoCheck
+};
NS_ASSUME_NONNULL_BEGIN
@@ -28,8 +32,7 @@
@property(nonatomic, readonly, nullable) NSString *credential;
/**
- Deprecated. TODO(diogor, webrtc:9673): Remove from API.
- TLS certificate policy to use if this RTCIceServer object is a TURN server.
+ * TLS certificate policy to use if this RTCIceServer object is a TURN server.
*/
@property(nonatomic, readonly) RTCTlsCertPolicy tlsCertPolicy;
@@ -40,24 +43,15 @@
*/
@property(nonatomic, readonly, nullable) NSString *hostname;
-/**
- Deprecated. TODO(diogor, webrtc:9673): Remove from API.
- List of protocols to be used in the TLS ALPN extension.
- This field will be ignored if also set in RTCSSLConfig.
- */
+/** List of protocols to be used in the TLS ALPN extension. */
@property(nonatomic, readonly) NSArray<NSString *> *tlsAlpnProtocols;
/**
- Deprecated. TODO(diogor, webrtc:9673): Remove from API.
List elliptic curves to be used in the TLS elliptic curves extension.
Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- This field will be ignored if also set in RTCSSLConfig.
*/
@property(nonatomic, readonly) NSArray<NSString *> *tlsEllipticCurves;
-/** SSL configuration options for any SSL/TLS connections to this IceServer. */
-@property(nonatomic, readonly) RTCSSLConfig *sslConfig;
-
- (nonnull instancetype)init NS_UNAVAILABLE;
/** Convenience initializer for a server with no authentication (e.g. STUN). */
@@ -112,17 +106,8 @@
tlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy
hostname:(nullable NSString *)hostname
tlsAlpnProtocols:(nullable NSArray<NSString *> *)tlsAlpnProtocols
- tlsEllipticCurves:(nullable NSArray<NSString *> *)tlsEllipticCurves;
-
-/**
- * Initialize an RTCIceServer with its associated URLs, optional
- * username, optional credential, hostname and SSL config.
- */
-- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
- username:(nullable NSString *)username
- credential:(nullable NSString *)credential
- hostname:(nullable NSString *)hostname
- sslConfig:(RTCSSLConfig *)sslConfig NS_DESIGNATED_INITIALIZER;
+ tlsEllipticCurves:(nullable NSArray<NSString *> *)tlsEllipticCurves
+ NS_DESIGNATED_INITIALIZER;
@end
diff --git a/sdk/objc/api/peerconnection/RTCIceServer.mm b/sdk/objc/api/peerconnection/RTCIceServer.mm
index d03fd81..2138e4c 100644
--- a/sdk/objc/api/peerconnection/RTCIceServer.mm
+++ b/sdk/objc/api/peerconnection/RTCIceServer.mm
@@ -9,7 +9,6 @@
*/
#import "RTCIceServer+Private.h"
-#import "RTCSSLConfig+Native.h"
#import "helpers/NSString+StdString.h"
@@ -22,7 +21,6 @@
@synthesize hostname = _hostname;
@synthesize tlsAlpnProtocols = _tlsAlpnProtocols;
@synthesize tlsEllipticCurves = _tlsEllipticCurves;
-@synthesize sslConfig = _sslConfig;
- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings {
return [self initWithURLStrings:urlStrings
@@ -85,50 +83,28 @@
hostname:(NSString *)hostname
tlsAlpnProtocols:(NSArray<NSString *> *)tlsAlpnProtocols
tlsEllipticCurves:(NSArray<NSString *> *)tlsEllipticCurves {
- RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] init];
- sslConfig.tlsCertPolicy = tlsCertPolicy;
- sslConfig.tlsALPNProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES];
- sslConfig.tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES];
- return [self initWithURLStrings:urlStrings
- username:username
- credential:credential
- hostname:hostname
- sslConfig:sslConfig];
-}
-
-- (instancetype)initWithURLStrings:(NSArray<NSString *> *)urlStrings
- username:(NSString *)username
- credential:(NSString *)credential
- hostname:(NSString *)hostname
- sslConfig:(RTCSSLConfig *)sslConfig {
NSParameterAssert(urlStrings.count);
if (self = [super init]) {
_urlStrings = [[NSArray alloc] initWithArray:urlStrings copyItems:YES];
_username = [username copy];
_credential = [credential copy];
+ _tlsCertPolicy = tlsCertPolicy;
_hostname = [hostname copy];
- _sslConfig = sslConfig;
-
- // TODO(diogor, webrtc:9673): Remove these duplicate assignments.
- _tlsCertPolicy = sslConfig.tlsCertPolicy;
- if (sslConfig.tlsALPNProtocols) {
- _tlsAlpnProtocols = [[NSArray alloc] initWithArray:sslConfig.tlsALPNProtocols copyItems:YES];
- }
- if (sslConfig.tlsEllipticCurves) {
- _tlsEllipticCurves =
- [[NSArray alloc] initWithArray:sslConfig.tlsEllipticCurves copyItems:YES];
- }
+ _tlsAlpnProtocols = [[NSArray alloc] initWithArray:tlsAlpnProtocols copyItems:YES];
+ _tlsEllipticCurves = [[NSArray alloc] initWithArray:tlsEllipticCurves copyItems:YES];
}
return self;
}
- (NSString *)description {
- return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@",
+ return [NSString stringWithFormat:@"RTCIceServer:\n%@\n%@\n%@\n%@\n%@\n%@\n%@",
_urlStrings,
_username,
_credential,
+ [self stringForTlsCertPolicy:_tlsCertPolicy],
_hostname,
- _sslConfig];
+ _tlsAlpnProtocols,
+ _tlsEllipticCurves];
}
#pragma mark - Private
@@ -173,8 +149,6 @@
webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck;
break;
}
-
- iceServer.ssl_config = [_sslConfig nativeConfig];
return iceServer;
}
@@ -188,38 +162,34 @@
NSString *username = [NSString stringForStdString:nativeServer.username];
NSString *credential = [NSString stringForStdString:nativeServer.password];
NSString *hostname = [NSString stringForStdString:nativeServer.hostname];
- RTCSSLConfig *sslConfig = [[RTCSSLConfig alloc] initWithNativeConfig:nativeServer.ssl_config];
-
- if (!nativeServer.ssl_config.tls_alpn_protocols.has_value() &&
- !nativeServer.tls_alpn_protocols.empty()) {
- NSMutableArray *tlsALPNProtocols =
- [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()];
- for (auto const &proto : nativeServer.tls_alpn_protocols) {
- [tlsALPNProtocols addObject:[NSString stringForStdString:proto]];
- }
- sslConfig.tlsALPNProtocols = tlsALPNProtocols;
+ NSMutableArray *tlsAlpnProtocols =
+ [NSMutableArray arrayWithCapacity:nativeServer.tls_alpn_protocols.size()];
+ for (auto const &proto : nativeServer.tls_alpn_protocols) {
+ [tlsAlpnProtocols addObject:[NSString stringForStdString:proto]];
}
-
- if (!nativeServer.ssl_config.tls_elliptic_curves.has_value() &&
- !nativeServer.tls_elliptic_curves.empty()) {
- NSMutableArray *tlsEllipticCurves =
- [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()];
- for (auto const &curve : nativeServer.tls_elliptic_curves) {
- [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
- }
- sslConfig.tlsEllipticCurves = tlsEllipticCurves;
+ NSMutableArray *tlsEllipticCurves =
+ [NSMutableArray arrayWithCapacity:nativeServer.tls_elliptic_curves.size()];
+ for (auto const &curve : nativeServer.tls_elliptic_curves) {
+ [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
}
+ RTCTlsCertPolicy tlsCertPolicy;
- if (nativeServer.tls_cert_policy ==
- webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck) {
- sslConfig.tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
+ switch (nativeServer.tls_cert_policy) {
+ case webrtc::PeerConnectionInterface::kTlsCertPolicySecure:
+ tlsCertPolicy = RTCTlsCertPolicySecure;
+ break;
+ case webrtc::PeerConnectionInterface::kTlsCertPolicyInsecureNoCheck:
+ tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
+ break;
}
self = [self initWithURLStrings:urls
username:username
credential:credential
+ tlsCertPolicy:tlsCertPolicy
hostname:hostname
- sslConfig:sslConfig];
+ tlsAlpnProtocols:tlsAlpnProtocols
+ tlsEllipticCurves:tlsEllipticCurves];
return self;
}
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h b/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h
deleted file mode 100644
index 7a38edc..0000000
--- a/sdk/objc/api/peerconnection/RTCSSLConfig+Native.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import "RTCSSLConfig.h"
-
-#include "api/peerconnectioninterface.h"
-#include "rtc_base/ssladapter.h"
-
-NS_ASSUME_NONNULL_BEGIN
-
-@interface RTCSSLConfig (Native)
-
-- (rtc::SSLConfig)nativeConfig;
-
-/** Initialize an RTCSSLConfig from a native SSLConfig. */
-- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.h b/sdk/objc/api/peerconnection/RTCSSLConfig.h
deleted file mode 100644
index 5421609..0000000
--- a/sdk/objc/api/peerconnection/RTCSSLConfig.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import <Foundation/Foundation.h>
-
-#import <WebRTC/RTCMacros.h>
-
-typedef NS_ENUM(NSUInteger, RTCTlsCertPolicy) {
- RTCTlsCertPolicySecure,
- RTCTlsCertPolicyInsecureNoCheck
-};
-
-NS_ASSUME_NONNULL_BEGIN
-
-RTC_EXPORT
-@interface RTCSSLConfig : NSObject
-
-/** Indicates whether to enable OCSP stapling in TLS. */
-@property(nonatomic) BOOL enableOCSPStapling;
-
-/** Indicates whether to enable the signed certificate timestamp extension in TLS. */
-@property(nonatomic) BOOL enableSignedCertTimestamp;
-
-/** Indicates whether to enable the TLS Channel ID extension. */
-@property(nonatomic) BOOL enableTlsChannelId;
-
-/** Indicates whether to enable the TLS GREASE extension. */
-@property(nonatomic) BOOL enableGrease;
-
-/** Indicates how to process TURN server certificates */
-@property(nonatomic) RTCTlsCertPolicy tlsCertPolicy;
-
-/** Highest supported SSL version, as defined in the supported_versions TLS extension. */
-@property(nonatomic, nullable) NSNumber *maxSSLVersion;
-
-/** List of protocols to be used in the TLS ALPN extension. */
-@property(nonatomic, copy, nullable) NSArray<NSString *> *tlsALPNProtocols;
-
-/**
- List of elliptic curves to be used in the TLS elliptic curves extension.
- Only curve names supported by OpenSSL should be used (eg. "P-256","X25519").
- */
-@property(nonatomic, copy, nullable) NSArray<NSString *> *tlsEllipticCurves;
-
-- (instancetype)init;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/sdk/objc/api/peerconnection/RTCSSLConfig.mm b/sdk/objc/api/peerconnection/RTCSSLConfig.mm
deleted file mode 100644
index 60ff47c..0000000
--- a/sdk/objc/api/peerconnection/RTCSSLConfig.mm
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Copyright 2018 The WebRTC project authors. All Rights Reserved.
- *
- * Use of this source code is governed by a BSD-style license
- * that can be found in the LICENSE file in the root of the source
- * tree. An additional intellectual property rights grant can be found
- * in the file PATENTS. All contributing project authors may
- * be found in the AUTHORS file in the root of the source tree.
- */
-
-#import "RTCSSLConfig+Native.h"
-
-#import "helpers/NSString+StdString.h"
-
-@implementation RTCSSLConfig
-
-@synthesize enableOCSPStapling = _enableOCSPStapling;
-@synthesize enableSignedCertTimestamp = _enableSignedCertTimestamp;
-@synthesize enableTlsChannelId = _enableTlsChannelId;
-@synthesize enableGrease = _enableGrease;
-@synthesize tlsCertPolicy = _tlsCertPolicy;
-@synthesize maxSSLVersion = _maxSSLVersion;
-@synthesize tlsALPNProtocols = _tlsALPNProtocols;
-@synthesize tlsEllipticCurves = _tlsEllipticCurves;
-
-- (instancetype)init {
- // Copy defaults
- rtc::SSLConfig config;
- return [self initWithNativeConfig:config];
-}
-
-- (instancetype)initWithNativeConfig:(const rtc::SSLConfig &)config {
- if (self = [super init]) {
- _enableOCSPStapling = config.enable_ocsp_stapling;
- _enableSignedCertTimestamp = config.enable_signed_cert_timestamp;
- _enableTlsChannelId = config.enable_tls_channel_id;
- _enableGrease = config.enable_grease;
-
- switch (config.tls_cert_policy) {
- case rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE:
- _tlsCertPolicy = RTCTlsCertPolicySecure;
- break;
- case rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK:
- _tlsCertPolicy = RTCTlsCertPolicyInsecureNoCheck;
- break;
- }
-
- if (config.max_ssl_version) {
- _maxSSLVersion = [NSNumber numberWithInt:*config.max_ssl_version];
- }
- if (config.tls_alpn_protocols) {
- NSMutableArray *tlsALPNProtocols =
- [NSMutableArray arrayWithCapacity:config.tls_alpn_protocols.value().size()];
- for (auto const &proto : config.tls_alpn_protocols.value()) {
- [tlsALPNProtocols addObject:[NSString stringForStdString:proto]];
- }
- _tlsALPNProtocols = tlsALPNProtocols;
- }
- if (config.tls_elliptic_curves) {
- NSMutableArray *tlsEllipticCurves =
- [NSMutableArray arrayWithCapacity:config.tls_elliptic_curves.value().size()];
- for (auto const &curve : config.tls_elliptic_curves.value()) {
- [tlsEllipticCurves addObject:[NSString stringForStdString:curve]];
- }
- _tlsEllipticCurves = tlsEllipticCurves;
- }
- }
- return self;
-}
-
-- (NSString *)description {
- return [NSString stringWithFormat:@"RTCSSLConfig:\n%d\n%d\n%d\n%d\n%@\n%@\n%@\n%@",
- _enableOCSPStapling,
- _enableSignedCertTimestamp,
- _enableTlsChannelId,
- _enableGrease,
- [self stringForTlsCertPolicy:_tlsCertPolicy],
- _maxSSLVersion,
- _tlsALPNProtocols,
- _tlsEllipticCurves];
-}
-
-#pragma mark - Private
-
-- (NSString *)stringForTlsCertPolicy:(RTCTlsCertPolicy)tlsCertPolicy {
- switch (tlsCertPolicy) {
- case RTCTlsCertPolicySecure:
- return @"RTCTlsCertPolicySecure";
- case RTCTlsCertPolicyInsecureNoCheck:
- return @"RTCTlsCertPolicyInsecureNoCheck";
- }
-}
-
-- (rtc::SSLConfig)nativeConfig {
- __block rtc::SSLConfig sslConfig;
-
- sslConfig.enable_ocsp_stapling = _enableOCSPStapling;
- sslConfig.enable_signed_cert_timestamp = _enableSignedCertTimestamp;
- sslConfig.enable_tls_channel_id = _enableTlsChannelId;
- sslConfig.enable_grease = _enableGrease;
-
- switch (_tlsCertPolicy) {
- case RTCTlsCertPolicySecure:
- sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_SECURE;
- break;
- case RTCTlsCertPolicyInsecureNoCheck:
- sslConfig.tls_cert_policy = rtc::TlsCertPolicy::TLS_CERT_POLICY_INSECURE_NO_CHECK;
- break;
- }
-
- if (_maxSSLVersion != nil) {
- sslConfig.max_ssl_version = absl::optional<int>(_maxSSLVersion.intValue);
- }
-
- if (_tlsALPNProtocols != nil) {
- __block std::vector<std::string> alpn_protocols;
- [_tlsALPNProtocols enumerateObjectsUsingBlock:^(NSString *proto, NSUInteger idx, BOOL *stop) {
- alpn_protocols.push_back(proto.stdString);
- }];
- sslConfig.tls_alpn_protocols = absl::optional<std::vector<std::string>>(alpn_protocols);
- }
-
- if (_tlsEllipticCurves != nil) {
- __block std::vector<std::string> elliptic_curves;
- [_tlsEllipticCurves enumerateObjectsUsingBlock:^(NSString *curve, NSUInteger idx, BOOL *stop) {
- elliptic_curves.push_back(curve.stdString);
- }];
- sslConfig.tls_elliptic_curves = absl::optional<std::vector<std::string>>(elliptic_curves);
- }
-
- return sslConfig;
-}
-
-@end
diff --git a/sdk/objc/unittests/RTCIceServerTest.mm b/sdk/objc/unittests/RTCIceServerTest.mm
index 7659196..8ef5195 100644
--- a/sdk/objc/unittests/RTCIceServerTest.mm
+++ b/sdk/objc/unittests/RTCIceServerTest.mm
@@ -89,7 +89,7 @@
EXPECT_EQ("username", iceStruct.username);
EXPECT_EQ("credential", iceStruct.password);
EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
+ EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
}
- (void)testTlsEllipticCurves {
@@ -106,8 +106,8 @@
EXPECT_EQ("username", iceStruct.username);
EXPECT_EQ("credential", iceStruct.password);
EXPECT_EQ("hostname", iceStruct.hostname);
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_alpn_protocols.value().size());
- EXPECT_EQ(2u, iceStruct.ssl_config.tls_elliptic_curves.value().size());
+ EXPECT_EQ(2u, iceStruct.tls_alpn_protocols.size());
+ EXPECT_EQ(2u, iceStruct.tls_elliptic_curves.size());
}
- (void)testInitFromNativeServer {
@@ -129,8 +129,8 @@
EXPECT_EQ("username", [NSString stdStringForString:iceServer.username]);
EXPECT_EQ("password", [NSString stdStringForString:iceServer.credential]);
EXPECT_EQ("hostname", [NSString stdStringForString:iceServer.hostname]);
- EXPECT_EQ(2u, iceServer.sslConfig.tlsALPNProtocols.count);
- EXPECT_EQ(2u, iceServer.sslConfig.tlsEllipticCurves.count);
+ EXPECT_EQ(2u, iceServer.tlsAlpnProtocols.count);
+ EXPECT_EQ(2u, iceServer.tlsEllipticCurves.count);
}
@end
