>
> That second layer isn't a stylistic preference; it's a hard requirement of
>> the motivating use case. In WebRTC, DTLS records are multiplexed with other
>> protocols on the *same* UDP 5-tuple: STUN (ICE) and SRTP/SCTP (media/data)
>> share one socket and are demultiplexed by the application from the first
>> byte of each datagram (RFC 7983 / RFC 5764). A 'dtls://' stream that owns
>> its socket can't serve that, since it would swallow the STUN and SRTP/SCTP
>> packets too, with nowhere for the application to route them. The same holds
>> for anything that shares a transport with DTLS.
>>
>>
> We are actually looking at the IO hooks, where we plan to add support for
> IO offloading, which would basically need to use a custom SSL BIO. It was
> initially meant for io_uring, but if a limitation per stream is allowed, then
> it should cover your use without exposing some extra unnecessary class.
>
Just a little follow-up on this. I spoke with Arnaud, who is working on IO
hooks, and he actually had a better idea: we could allow using a user
stream wrapper as an underlying stream, which would cover this much better.
So it could be used like this:
    $transport = fopen("my-dtls-transport://...");
    stream_socket_enable_crypto($transport, true,
        STREAM_CRYPTO_METHOD_DTLS_CLIENT);
    fwrite($transport, "some data");
It means that for your use case we will probably
need stream_socket_enable_crypto. This will still need a custom BIO and
might not be completely straightforward, so it is not something to look at
now. Just keep that in mind.
Kind regards,
Jakub
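As an added illustration of the two points above (it is not code from the thread, nor from PHP itself): the quoted message says the application must demultiplex each datagram of a shared WebRTC socket from its first byte (RFC 7983), and Jakub's sketch says a user stream wrapper could sit underneath a DTLS layer. The wrapper below does the first-byte demultiplexing inside a PHP user stream wrapper, so that whatever is stacked on top of it only ever sees DTLS records, while STUN, RTP and the other protocols are handed back to the application. The wrapper name "demux-dtls://", the static queues standing in for a real UDP socket, and the three datagrams are constructed for the example; PHP has no DTLS stream crypto method today, so the DTLS layer that Jakub's sketch would put on top is not shown. It assumes PHP 8.0 or later for the union return type.

```php
<?php
// Added example, not part of the thread: RFC 7983 first-byte demultiplexing
// of a shared WebRTC UDP 5-tuple, packaged as a user stream wrapper so that
// an upper (DTLS) layer reading from the stream only ever receives DTLS.

// Protocol names returned by classify_datagram() (chosen for this example).
const PROTO_STUN         = 'stun';          // first byte 0..3
const PROTO_ZRTP         = 'zrtp';          // first byte 16..19
const PROTO_DTLS         = 'dtls';          // first byte 20..63
const PROTO_TURN_CHANNEL = 'turn-channel';  // first byte 64..79
const PROTO_RTP          = 'rtp';           // first byte 128..191 (RTP/RTCP)
const PROTO_UNKNOWN      = 'unknown';       // everything else: drop

// RFC 7983 classification: look only at the first byte of the datagram.
function classify_datagram(string $datagram): string
{
    if ($datagram === '') {
        return PROTO_UNKNOWN;
    }
    $b = ord($datagram[0]);
    if ($b <= 3)                return PROTO_STUN;
    if ($b >= 16 && $b <= 19)   return PROTO_ZRTP;
    if ($b >= 20 && $b <= 63)   return PROTO_DTLS;
    if ($b >= 64 && $b <= 79)   return PROTO_TURN_CHANNEL;
    if ($b >= 128 && $b <= 191) return PROTO_RTP;
    return PROTO_UNKNOWN;
}

// User stream wrapper standing in for "the stream that shares a socket with
// STUN and SRTP". The static arrays are a constructed substitute for the
// shared UDP socket; a real wrapper would recvfrom()/sendto() on it instead.
final class DemuxDtlsStream
{
    public static array $inbox  = [];   // datagrams arriving on the shared socket
    public static array $routed = [];   // [proto, datagram] pairs for the application
    public static array $sent   = [];   // DTLS records written by the upper layer
    public $context;                    // set by PHP for every user wrapper
    private string $pending = '';       // unread bytes of the current DTLS record

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        return true;
    }

    // Keep pulling datagrams until a DTLS record shows up; route the rest.
    public function stream_read(int $count): string|false
    {
        while ($this->pending === '' && self::$inbox !== []) {
            $dg = array_shift(self::$inbox);
            $proto = classify_datagram($dg);
            if ($proto === PROTO_DTLS) {
                $this->pending = $dg;
            } elseif ($proto !== PROTO_UNKNOWN) {
                self::$routed[] = [$proto, $dg];
            }
            // PROTO_UNKNOWN datagrams are silently dropped, as RFC 7983 allows.
        }
        if ($this->pending === '') {
            return '';                  // nothing for the DTLS layer right now
        }
        $out = substr($this->pending, 0, $count);
        $this->pending = substr($this->pending, strlen($out));
        return $out;
    }

    public function stream_write(string $data): int
    {
        self::$sent[] = $data;          // would be sendto() on the shared socket
        return strlen($data);
    }

    public function stream_eof(): bool
    {
        return $this->pending === '' && self::$inbox === [];
    }
}

stream_wrapper_register('demux-dtls', DemuxDtlsStream::class);

// Three constructed datagrams that would all arrive on the same 5-tuple:
// a STUN Binding Request (first byte 0x00), a DTLS 1.2 handshake record
// header with a two-byte stub body (first byte 0x16 = 22), and an RTP v2
// packet header (first byte 0x80).
DemuxDtlsStream::$inbox = [
    "\x00\x01\x00\x00\x21\x12\xA4\x42" . str_repeat("\x00", 12),
    "\x16\xFE\xFD" . str_repeat("\x00", 8) . "\x00\x02\x01\x00",
    "\x80\x60\x00\x01" . "\x00\x00\x00\x00" . "\xDE\xAD\xBE\xEF",
];

$transport = fopen('demux-dtls://shared-socket', 'r+');
$record = fread($transport, 8192);     // the upper layer sees only the DTLS record
printf("upper layer got %d bytes, content type %d\n", strlen($record), ord($record[0]));
foreach (DemuxDtlsStream::$routed as [$proto, $dg]) {
    printf("routed to application: %s (%d bytes)\n", $proto, strlen($dg));
}
```

The reason the routing has to live inside the wrapper rather than in a "dtls://" stream that owns the socket is visible in stream_read(): the STUN and RTP datagrams are pulled off the same socket in arrival order and have to be handed somewhere, which only the application-side wrapper can do. Note that this example routes whole datagrams and returns one DTLS record per read; a DTLS layer stacked on top would additionally have to cope with records that arrive reordered or lost, which is DTLS's own job, not the demultiplexer's.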