On Saturday, 28 January 2017 05:49:38 UTC+5:30, ushun...@gmail.com  wrote:
> Hi, I am encountering a WebRTC DTLS issue with Firefox 51 and our WebRTC
> gateway, which didn't happen with the previous version 50. This only happens
> when Firefox initiates the call (it works fine when the gateway initiates the
> call). The gateway, after exchanging the Client/Server Hello messages, is
> trying to read the server certificate when it gets an "internal error" from
> OpenSSL (version 1.0.1g is being used). This results in a fatal alert being
> sent back to Firefox.
> 
> I went through the release notes at
> https://developer.mozilla.org/en-US/Firefox/Releases/51, but I didn't see any
> relevant changes. Does anyone have any idea what could be happening in this
> case? Any pointers will be appreciated.
> 
> Thanks!
> Uma
Hi Uma,

The issue you are facing is due to the new changes in the NSS crypto library
update in Firefox 51, where they have made the ECDH named curve X25519 the
default curve for DTLS negotiation
(https://hg.mozilla.org/mozilla-central/diff/494e0af296f6/media/mtransport/transportlayerdtls.cpp).
The OpenSSL version (1.0.1g) you are using does not support the X25519 named
curve, so if you do not publish any named curve support in the Client Hello
from your server, Firefox will use X25519 to create the DTLS connection and it
will fail. To fix it, you can either update the OpenSSL version on your server
to 1.1.1 or use the SSL_CTX_set1_curves
(https://wiki.openssl.org/index.php/Manual:SSL_CTX_set1_curves(3)) API in your
DTLS implementation to set named curves while creating the Client Hello (refer
to the code diff link I mentioned to check the supported named curve list).

Thanks
Prerak
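An added example, not code from the thread or from either implementation, for checking the symptom Prerak describes from a capture: it walks the extensions block of a DTLS 1.2 ClientHello and reports which named groups (extension type 10) the client advertised, so an operator can confirm whether the gateway is publishing a curve list at all. The sample bytes are constructed, not captured from Firefox or the gateway.

```c
/* Parse the extensions vector of a DTLS 1.2 ClientHello and list the
 * named groups the client offers (supported_groups / elliptic_curves).
 * Sample inputs below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EXT_SUPPORTED_GROUPS 10
#define GROUP_X25519    0x001d   /* default in Firefox 51 per the thread */
#define GROUP_SECP256R1 0x0017

/* Returns the number of groups copied into out (at most max), 0 if the
 * extension is absent, or -1 if the encoding is malformed. */
int advertised_groups(const uint8_t *ext, size_t len, uint16_t *out, size_t max)
{
    if (len < 2) return -1;
    size_t total = (ext[0] << 8) | ext[1];          /* extensions length */
    if (total + 2 > len) return -1;                 /* truncated block */
    size_t p = 2, end = 2 + total;
    while (p + 4 <= end) {
        uint16_t type = (ext[p] << 8) | ext[p + 1];
        size_t elen = (ext[p + 2] << 8) | ext[p + 3];
        p += 4;
        if (p + elen > end) return -1;              /* extension overruns */
        if (type == EXT_SUPPORTED_GROUPS) {
            if (elen < 2) return -1;
            size_t glen = (ext[p] << 8) | ext[p + 1];
            if (glen + 2 != elen || glen % 2) return -1;
            size_t n = 0;
            for (size_t i = 0; i < glen && n < max; i += 2)
                out[n++] = (ext[p + 2 + i] << 8) | ext[p + 3 + i];
            return (int)n;
        }
        p += elen;
    }
    return p == end ? 0 : -1;
}

/* Constructed: renegotiation_info (type 0xff01) followed by a
 * supported_groups extension offering x25519 and secp256r1. */
static const uint8_t sample_with_groups[] = {
    0x00, 0x0f,
    0xff, 0x01, 0x00, 0x01, 0x00,
    0x00, 0x0a, 0x00, 0x06, 0x00, 0x04, 0x00, 0x1d, 0x00, 0x17
};
/* Constructed: the same ClientHello with no supported_groups at all. */
static const uint8_t sample_no_groups[] = { 0x00, 0x05, 0xff, 0x01, 0x00, 0x01, 0x00 };

int main(void)
{
    uint16_t g[16];
    int n = advertised_groups(sample_with_groups, sizeof sample_with_groups, g, 16);
    for (int i = 0; i < n; i++) printf("client offers group 0x%04x\n", g[i]);
    if (advertised_groups(sample_no_groups, sizeof sample_no_groups, g, 16) == 0)
        puts("no supported_groups extension: peer will choose its default curve");
    return 0;
}
```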
_______________________________________________
dev-media mailing list
dev-media@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-media