Repository files navigation

Secure UDP communications using Datagram Transport Layer Security protocol version 1.2 inpure js. FollowRFC6347,RFC7627.

• no native dependecies!
• modern secure ciphers (by default)
• in-out fragmentation / in-out retransmission
• merge outgoing handshakes

npm i @nodertc/dtls

constdtls=require('@nodertc/dtls');constsocket=dtls.connect({type:'udp4',remotePort:4444,remoteAddress:'127.0.0.1',});socket.on('error',err=>{console.error(err);});socket.on('data',data=>{console.log('got message "%s"',data.toString('ascii'));socket.close();});socket.once('connect',()=>{socket.write('Hello from Node.js!');});

• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (nodejs v11.2+ only)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (nodejs v11.2+ only)
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 (nodejs v11.2+ only)
• TLS_PSK_WITH_AES_128_GCM_SHA256
• TLS_PSK_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256

• dtls.connect(options: Options [, callback: function]) : Socket

Creates an esteblished connection to remote dtls server. Aconnect() function also accept all options forunicast.createSocket() ordgram.createSocket(). Ifoptions.socket is provided, these options will be ignored.

Thecallback function, if specified, will be added as a listener for the 'connect' event.

• options.socket

Aduplex stream in a common case. It is alsounicast ordgram socket instance. Used if you want a low level control of your connection.

• options.extendedMasterSecret: bool, [default=true]

This option enable the useExtended Master Secret extension. Enabled by default.

• options.checkServerIdentity: function(certificate): bool

Optional certificate verify function.

• options.certificate: Buffer

PEM-encoded client certificate, optional. Supports RSASSA-PKCS1-v1_5 and ECDSA certificates.

• options.certificatePrivateKey: Buffer

PEM-encoded private key for client certificate.

• options.maxHandshakeRetransmissions: number

The number of retransmissions during on handshake stage.

• options.alpn: string | string[]

The list of the supported ALPN protocols.

• options.pskIdentity: String|Buffer

Identity string for PSK key exchange, seeRFC4279.

• options.pskSecret: String|Buffer

Secret data for the identity string of PSK key exchange.

• options.ignorePSKIdentityHint: boolean, default=true

Both clients and servers may have pre-shared keys with several different parties. The client indicates which key to use by including a "PSK identity" (seeoptions.pskIdentity above) in the ClientKeyExchange message. To help the client in selecting which identity to use, the server can provide a "PSK identity hint" in the ServerKeyExchange message.

• options.cipherSuites: number[]|string[]

List of supported by client cipher suites. Default cipher suites:

• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (in nodejs v11+ only)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (in nodejs v11+ only)
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

See above a full list of supported cipher suites.

• class Socket

ASocket is also aduplex stream, so it can be both readable and writable, and it is also aEventEmitter.

• Socket.setMTU(mtu: number): void

Set MTU (minimal transfer unit) for this socket, 1420 bytes maximal.

• Socket.getMTU(): number

Return MTU (minimal transfer unit) for this socket, 1200 bytes by default.

• Socket.setTimeout(timeout: number[, callback: function()])

Sets the socket to timeout after timeout milliseconds of inactivity on the socket. By defaultdtls.Socket do not have a timeout.

The optional callback parameter will be added as a one-time listener for the 'timeout' event.

• Socket.close(): void

Close socket, stop listening for socket. Do not emitdata events anymore.

• Socket.alpnProtocol: string

Get a string that contains the selected ALPN protocol.

• Event: connect

The 'connect' event is emitted after the handshaking process for a new connection has successfully completed.

• Event: timeout

Emitted if the socket times out from inactivity. This is only to notify that the socket has been idle.

• dtls.constants: Object
  • cipherSuites: ObjectA full list supported cipher suites. See above for detailes.

Start dtls server:

docker run -it --name dtlsd --rm -e"GNUTLS_DEBUG_LEVEL=2" -e"PRIORITY=NORMAL:+AEAD:+ECDHE-RSA:+VERS-DTLS1.2" -e"KEYFILE=key-rsa.pem" -e"CERTFILE=cert-rsa.pem" -p 4444:4444/udp nodertc/dtls-server:1

Start default client:

npm start

MIT, 2018 - 2019 © Dmitriy Tsvettsikh