Zixi Security Best Practices
Enabling DTLS
Overview

Datagram Transport Layer Security (DTLS) is a communications protocol that provides security for datagram-based applications, allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. DTLS is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees.

Zixi supports DTLS encryption and identity authentication. DTLS can be used in conjunction with static-key AES scrambling: DTLS protects the UDP connection between the two endpoints that negotiate it, while AES scrambling protects the stream payload end to end.

DTLS encryption can be configured on any UDP input or output port on the Zixi Broadcaster. The feature is activated and configured in the Settings screen. A DTLS server is configured with a certificate file and a private key file in X.509 PEM format, the same kind of files used to enable an HTTPS server.

To enable DTLS encryption:

1. In the Zixi Broadcaster navigation, click Settings. The Settings page opens, showing the General tab.
2. Under the General section, click the HTTPS and DTLS Streaming Certificate section heading to expand it. The HTTPS and DTLS Streaming Certificate settings are shown.
3. Next to the Certificate Uploaded field, click Upload. Browse to your certificate file, select it, and click Open.
4. In the Private Key Uploaded field, click Upload. Browse to your private key file, select it, and click Open.
5. In the Private Key Passphrase field, type the passphrase, if the private key has one.
6. Verify that a green Yes is shown next to both Upload buttons.
7. Click Restart Now or Restart Later. Any live or active streaming is affected when the service restarts.

You can verify the DTLS status of your streams in two ways:

- A gold lock is shown on the green Connected status icon.
- When you mouse over the green Connected status icon, an informational popup presents the DTLS certificate issuance information, including its expiration date.

Creating a Self-Signed Certificate

There are various ways to obtain SSL/TLS certificates, but for a standalone Broadcaster you can also create a self-signed certificate using OpenSSL. OpenSSL may already be installed on your system; if not, a list of available binaries is at https://github.com/openssl/openssl/wiki/binaries.

During the creation of your certificate, you will be prompted for the following information:

- A passphrase, which encrypts the private key file. Be sure to remember it: this is the value you enter in the Private Key Passphrase field.
- The two-letter code for your country (such as US or FR). If you don't know the code, you can look it up at https://knowledge.digicert.com/general-information/ssl-certificate-country-codes.
- The full state or province name within that country (such as Massachusetts).
- The locality name, typically a city (such as Boston).
- The organization name (such as Zixi).
- The organizational unit name (such as Documentation).
- Your name or a fully qualified domain name (FQDN), such as zixi.com.
- Your email address.

Once OpenSSL is installed, you can create a certificate by running a command like this (see the OpenSSL help for options; the PEM files are created in the directory where you run the command):

openssl req -x509 -newkey rsa:2048 -keyout selfsigned.key.pem -out selfsigned.cert.pem

Without a -days option, OpenSSL issues the certificate with its default validity of 30 days; the expiration date is the one the Broadcaster shows in the status popup, so add -days with a longer period if the certificate is meant to stay in service.

After the PEM files are created, you can upload them and enter the passphrase in the Broadcaster settings as described above.
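As an added example (not Zixi's own code or documentation), the following POSIX shell script wraps the OpenSSL command above in a non-interactive form and adds the checks worth running before the files are uploaded to the Broadcaster: that the passphrase actually unlocks the private key, that the key belongs to the certificate, that the certificate is self-signed, and what subject and expiration date the Broadcaster's status popup will report. The file prefix, subject fields, hostname, passphrase and validity period are illustrative assumptions, not Zixi defaults.

```shell
#!/bin/sh
# Added example, not Zixi's own code: create a self-signed certificate plus a
# passphrase-protected private key for the Broadcaster's DTLS server, then
# check the files before uploading them. The prefix, subject fields, hostname
# and passphrase used below are illustrative assumptions, not Zixi defaults.
set -eu

# make_selfsigned PREFIX FQDN PASSPHRASE DAYS
# Writes PREFIX.key.pem and PREFIX.cert.pem. -subj answers the interactive
# prompts; -passout encrypts the key with the passphrase that is later typed
# into the Broadcaster's "Private Key Passphrase" field; -days replaces
# OpenSSL's default 30-day validity.
make_selfsigned() {
    prefix=$1; cn=$2; pass=$3; days=$4
    openssl req -x509 -newkey rsa:2048 -days "$days" \
        -keyout "$prefix.key.pem" -out "$prefix.cert.pem" \
        -subj "/C=US/ST=Massachusetts/L=Boston/O=Zixi/OU=Documentation/CN=$cn/emailAddress=admin@$cn" \
        -passout "pass:$pass" 2>/dev/null
}

# key_passphrase_ok PREFIX PASSPHRASE: succeeds only if the passphrase
# decrypts the key. Run this before entering the passphrase in Settings.
key_passphrase_ok() {
    openssl pkey -in "$1.key.pem" -passin "pass:$2" -noout >/dev/null 2>&1
}

# key_matches_cert PREFIX PASSPHRASE: the public key embedded in the
# certificate must equal the public key derived from the private key;
# otherwise the DTLS handshake cannot succeed with this pair of files.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1.cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1.key.pem" -passin "pass:$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_is_self_signed PREFIX: a self-signed certificate names itself as
# issuer, so issuer and subject are identical.
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1.cert.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1.cert.pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# cert_subject / cert_enddate PREFIX: the issuance details (subject and
# expiration) that the Broadcaster's mouseover popup reports for a stream.
cert_subject() { openssl x509 -in "$1.cert.pem" -noout -subject; }
cert_enddate() { openssl x509 -in "$1.cert.pem" -noout -enddate; }

# Demo run: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    make_selfsigned selfsigned bx.example.com "change-this-passphrase" 365
    key_passphrase_ok selfsigned "change-this-passphrase" && echo "passphrase unlocks key"
    key_matches_cert selfsigned "change-this-passphrase" && echo "key matches certificate"
    cert_is_self_signed selfsigned && echo "certificate is self-signed"
    cert_subject selfsigned
    cert_enddate selfsigned
fi
```

The wrong-passphrase case matters in practice: if key_passphrase_ok fails for the value you intend to type into the Private Key Passphrase field, the Broadcaster will not be able to load the key after the restart, and the streams that depend on DTLS will be affected until the correct files and passphrase are in place.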

