ossrs · JackLau1222 · Jun 28, 2025 · Jun 28, 2025 · Jun 18, 2025 · Jun 10, 2025
diff --git a/doc/muxers.texi b/doc/muxers.texi
@@ -3915,16 +3915,37 @@ Default value is 5000.
 
 @item pkt_size @var{integer}
 Set the maximum size, in bytes, of RTP packets that send out.
-Default value is 1500.
+Default value is 1200.
 
 @item authorization @var{string}
-The optional Bearer token for WHIP Authorization.
+Optional Bearer token for WHIP Authorization.
 
 @item cert_file @var{string}
-The optional certificate file path for DTLS.
+Optional certificate file path for DTLS.
 
 @item key_file @var{string}
-The optional private key file path for DTLS.
+Optional private key file path for DTLS.
+
+@item whip_flags @var{flags}
+Possible values:
+
+@table @samp
+@item ignore_ipv6
+Ignore any IPv6 ICE candidates.
+
+@item disable_rtx
+Disable RFC 4588 RTX (Retransmission) support.
+This disables the retransmission mechanism for lost RTP packets.
+
+@item dtls_active
+Set DTLS role as active (client role) instead of passive (server role).
+By default, WHIP uses passive DTLS role, but some servers may require active role.
+@end table
+
+@item rtx_history_size @var{integer}
+Set the packet history size for RTX (retransmission) support.
+This determines how many recent RTP packets are kept in memory for potential
+retransmission requests. Range is 64 to 2048, default is 256.
 
 @end table
 

diff --git a/doc/protocols.texi b/doc/protocols.texi
@@ -2028,6 +2028,84 @@ To play back a stream from the TLS/SSL server using @command{ffplay}:
 ffplay tls://@var{hostname}:@var{port}
 @end example
 
+@section dtls
+
+Datagram Transport Layer Security (DTLS)
+
+The required syntax for a DTLS URL is:
+@example
+dtls://@var{hostname}:@var{port}
+@end example
+
+DTLS shares most options with TLS, but operates over UDP instead of TCP.
+The following parameters can be set via command line options
+(or in code via @code{AVOption}s):
+
+@table @option
+
+@item ca_file, cafile=@var{filename}
+A file containing certificate authority (CA) root certificates to treat
+as trusted. If the linked TLS library contains a default this might not
+need to be specified for verification to work, but not all libraries and
+setups have defaults built in.
+The file must be in OpenSSL PEM format.
+
+@item tls_verify=@var{1|0}
+If enabled, try to verify the peer that we are communicating with.
+Note, if using OpenSSL, this currently only makes sure that the
+peer certificate is signed by one of the root certificates in the CA
+database, but it does not validate that the certificate actually
+matches the host name we are trying to connect to.
+
+This is disabled by default since it requires a CA database to be
+provided by the caller in many cases.
+
+@item cert_file, cert=@var{filename}
+A file containing a certificate to use in the handshake with the peer.
+(When operating as server, in listen mode, this is more often required
+by the peer, while client certificates only are mandated in certain
+setups.)
+
+@item key_file, key=@var{filename}
+A file containing the private key for the certificate.
+
+@item cert_pem=@var{string}
+A PEM-encoded certificate string to use in the handshake with the peer.
+
+@item key_pem=@var{string}
+A PEM-encoded private key string for the certificate.
+
+@item listen=@var{1|0}
+If enabled, listen for connections on the provided port, and assume
+the server role in the handshake instead of the client role.
+
+@item mtu=@var{size}
+Set the Maximum Transmission Unit (MTU) for DTLS packets.
+
+@item use_srtp=@var{1|0}
+Enable the use_srtp DTLS extension.
+This is used in WebRTC applications to establish SRTP encryption keys
+through the DTLS handshake. Default is disabled.
+
+@item external_sock=@var{1|0}
+Use an external socket instead of creating a new one. Default is disabled.
+
+@end table
+
+Example command lines:
+
+To create a DTLS server:
+
+@example
+ffmpeg -listen 1 -i dtls://@var{hostname}:@var{port} @var{output}
+@end example
+
+To create a DTLS client and send data to server:
+
+@example
+ffmpeg -i @var{input} -f @var{format} dtls://@var{hostname}:@var{port}
+@end example
+
 @section udp
 
 User Datagram Protocol.

diff --git a/libavformat/tls.h b/libavformat/tls.h
@@ -33,17 +33,6 @@
  */
 #define MAX_CERTIFICATE_SIZE 8192
 
-enum DTLSState {
-    DTLS_STATE_NONE,
-
-    /* Whether DTLS handshake is finished. */
-    DTLS_STATE_FINISHED,
-    /* Whether DTLS session is closed. */
-    DTLS_STATE_CLOSED,
-    /* Whether DTLS handshake is failed. */
-    DTLS_STATE_FAILED,
-};
-
 typedef struct TLSShared {
     char *ca_file;
     int verify;
@@ -62,8 +51,7 @@ typedef struct TLSShared {
     URLContext *tcp;
 
     int is_dtls;
-
-    enum DTLSState state;
+    int use_srtp;
 
     /* The certificate and private key content used for DTLS handshake */
     char* cert_buf;
@@ -90,6 +78,7 @@ typedef struct TLSShared {
     {"listen",     "Listen for incoming connections",     offsetof(pstruct, options_field . listen),    AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
     {"http_proxy", "Set proxy to tunnel through",         offsetof(pstruct, options_field . http_proxy), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"external_sock", "Use external socket",              offsetof(pstruct, options_field . external_sock), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
+    {"use_srtp", "Enable use_srtp DTLS extension",        offsetof(pstruct, options_field . use_srtp), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
     {"mtu", "Maximum Transmission Unit", offsetof(pstruct, options_field . mtu), AV_OPT_TYPE_INT,  { .i64 = 0 }, 0, INT_MAX, .flags = TLS_OPTFL}, \
     {"cert_pem",   "Certificate PEM string",              offsetof(pstruct, options_field . cert_buf),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_pem",    "Private key PEM string",              offsetof(pstruct, options_field . key_buf),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
@@ -103,8 +92,6 @@ int ff_tls_set_external_socket(URLContext *h, URLContext *sock);
 
 int ff_dtls_export_materials(URLContext *h, char *dtls_srtp_materials, size_t materials_sz);
 
-int ff_dtls_state(URLContext *h);
-
 int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint);
 
 int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint);