I'm doing a research and pilot project on WebRTC (browser/JavaScript based) and I'm now looking into the security implementation of it.
I understand (please correct me otherwise) that DTLS-SRTP implements an encryption mechanism, and I can only find references to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
I also came to think that any STUN/TURN servers in between are not taking part in the encryption mechanism, so the payload will simply pass untouched via a TURN server.
This makes me ask whether it is possible to set and choose among a list of available ciphers and key lengths for WebRTC in a browser/JavaScript solution... or if TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the only one.
If the cipher/key length can be set, can you please advise on how to do it in JavaScript or point to some specific documentation for achieving that?
First I want to answer your direct questions, then notes on things that weren't asked explicitly.
You are correct that TURN doesn't provide security to the WebRTC session. When a TURN server is used, the data is already encrypted when it passes through the TURN server. The TURN server can't modify or inspect the data flowing through it.
You can't control the CipherSuites via JavaScript. No APIs exist for that today.
Browsers offer multiple DTLS and SRTP CipherSuites. Here is the list that Firefox 98 uses.
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
and these are the SRTP CipherSuites:
SRTP Protection Profile: SRTP_AEAD_AES_128_GCM (0x0007)
SRTP Protection Profile: SRTP_AEAD_AES_256_GCM (0x0008)
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_80 (0x0001)
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_32 (0x0002)
WebRTC uses two CipherSuites. One is for DTLS and one for SRTP. DTLS is for DataChannel messages and SRTP is for Media.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is a TLS CipherSuite (not an SRTP CipherSuite).
The only way you can have any control over the CipherSuite is by running a WebRTC implementation that isn't in the browser. A WebRTC server/client of your choosing could provide APIs to change these.
WebRTC for the Curious#Securing could also be helpful. It touches on the points in this answer a bit deeper.
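As an added example (not part of the answer above, and not code from any browser project): although JavaScript cannot choose the suites, a page can read which ones were negotiated from the `transport` entries of `RTCPeerConnection.getStats()` (`dtlsCipher`, `srtpCipher`, `tlsVersion`, `dtlsState`). The `auditTransports` helper, its AEAD-only policy and the sample report are assumptions made for illustration; cipher name spelling varies between browsers, so the check matches on substrings.

```javascript
// Example policy (an assumption, not a WebRTC requirement): accept only AEAD
// suites, recognised by name fragments that appear in the lists above.
const AEAD = /GCM|CHACHA20_POLY1305/i;

// `report` is an RTCStatsReport, or any Map of stats objects with the same shape.
function auditTransports(report, { requireAead = true } = {}) {
  const findings = [];
  report.forEach((stat) => {
    if (stat.type !== 'transport') return; // skip candidate pairs, codecs, ...
    const problems = [];
    if (stat.dtlsState !== 'connected') {
      problems.push(`dtlsState is ${stat.dtlsState}`);
    }
    for (const field of ['dtlsCipher', 'srtpCipher']) {
      const name = stat[field];
      if (name === undefined) {
        // Some browsers omit a field; a data-channel-only session has no SRTP.
        problems.push(`${field} not reported`);
      } else if (requireAead && !AEAD.test(name)) {
        problems.push(`${field} ${name} is not AEAD`);
      }
    }
    findings.push({
      id: stat.id,
      tlsVersion: stat.tlsVersion, // four hex digits, e.g. FEFD for DTLS 1.2
      dtlsCipher: stat.dtlsCipher,
      srtpCipher: stat.srtpCipher,
      ok: problems.length === 0,
      problems,
    });
  });
  return findings;
}

// Constructed sample report (not captured from a real session).
const sampleReport = new Map([
  ['T01', { id: 'T01', type: 'transport', dtlsState: 'connected', tlsVersion: 'FEFD',
            dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
            srtpCipher: 'SRTP_AEAD_AES_128_GCM' }],
  ['T02', { id: 'T02', type: 'transport', dtlsState: 'connected', tlsVersion: 'FEFD',
            dtlsCipher: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
            srtpCipher: 'SRTP_AES128_CM_HMAC_SHA1_80' }],
  ['CP1', { id: 'CP1', type: 'candidate-pair', state: 'succeeded' }],
]);

// In a browser: const findings = auditTransports(await pc.getStats());
const sampleFindings = auditTransports(sampleReport);
```

An application that needs a stricter floor than the browser's defaults can run this once the connection state is `connected` and call `pc.close()` when a finding is not `ok`.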