insecure_skip_verify set to true in dtls_transport::prepare_transport about webrtc HOT 3 CLOSED

I am no expert in WebRTC or DTLS-SRTP but I think it is intended. It is intended because SRTP certificates are generated ad-hoc and are not signed by a certificate authority like Verisign or Comodo or ISRG. They are essentially temporary certificates, there is no reason to verify their chain. Their fingerprints should be verified manually, not their chain. They are essentially self-signed with a fingerprint which you can use to verify.
It is how it works because it does not make sense from a CA to issue SRTP certificates as they are P2P and not everyone essentially has an organization, domain name or an email address (which they will then have to reveal to the other peer, to add it to the injury...). SRTP essentially uses DTLS with a self-signed certificate which is verified through other means than a root of trust, more signatures and more signature chains, which are the typical setup in TLS (but not DTLS, in my opinion based on observations, DTLS-SRTP handshakes far outnumber the normal (non-SRTP) DTLS usage).

from webrtc.

Thank you, that makes perfect sense! I was confused since skip_verify sounds like it'll skip all verification, but I guess is obvious what it means for someone with domain knowledge ;-)

from webrtc.

Just to add a bit of information for anyone else confused as I was. Before establishing a connection, a webrtc endpoints generates a key and a self-signed certificate, hashes the certificate into a fingerprint, and puts the fingerprint in the SDP fingerprint attribute. SDP is then exchanged through the signaling server with other endpoints.

When the endpoint setup a DTLS connection, it accept any certificate (and doesn't verify the certificate chain, since everyone is using self-signed certificate). After the connection is established, the endpoint will verify the certificate sent by the other party against the fingerprint they received from SDP.

from webrtc.