Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-02-06 Thread ushunmugan
Thanks!  I suppose that it's too late for Firefox 52, which is beta now.

BTW, I've already verified the fix on developer (53.0a2) and Nightly (54) 
versions.

___
dev-media mailing list
dev-media@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-media


Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-02-02 Thread Martin Thomson
On Fri, Feb 3, 2017 at 2:51 AM,   wrote:
> @Martin Thomson  Thank you for the info.  Do you know which version of 
> Firefox this fix will land on?

Firefox 53.  https://bugzilla.mozilla.org/show_bug.cgi?id=1317947


Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-02-02 Thread ushunmugan
@Martin Thomson  Thank you for the info.  Do you know which version of Firefox 
this fix will land on?

@Prerak Jain  Thank you.


Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-02-01 Thread prerak jain
On Thursday, 2 February 2017 01:54:23 UTC+5:30, ushun...@gmail.com  wrote:
> Hi Prerak,
> 
> Thank you very much for the info. When I made the client create an RSA P-256 
> certificate and use it in PeerConnection (in fact, this is required with 
> Chrome 52 and later, when using OpenSSL 1.0.1g, for example), it still didn't 
> work, but the cipher suite used was the same as in the working case.  
> However, I could see that the ECDH named curve used in Server Key Exchange 
> was ecdh_x25519 (0x001d) - as you have noted, compared to secp256r1 (0x0017) 
> in the working case. I also don't see any named curves specified in Client 
> Hello.  Note that secp256r1 is one of the curves supported by Firefox, 
> according to the code diff you've pointed out.  Also note that DTLS works 
> fine when Firefox receives a call, and acts as a client.
> 
> It looks like SSL_CTX_set1_curves() is only available from OpenSSL 
> 1.0.2.  FYI, we are already using 
> EC_KEY_new_by_curve_name(NID_X9_62_prime256v1), followed by 
> SSL_CTX_set_tmp_ecdh() to set the curve name - this was required a while ago 
> after Firefox made some changes in this regard. Other than updating OpenSSL, 
> is there any other way to have the supported named curves listed in the 
> Client Hello?
> 
> Thanks,
>  Uma

I was using the same OpenSSL API you mentioned, 
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); it works only when your 
server is acting as the DTLS server, which is why it works when Firefox acts as the 
DTLS client. This API doesn't add the named_curve field to the Client Hello message, so 
I had to upgrade OpenSSL to 1.0.2 to unblock WebRTC Firefox calls. So either you 
can wait for the fix Martin has mentioned or upgrade OpenSSL to at least 1.0.2.
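As an added illustration (not code from this thread, from OpenSSL or from Firefox), a small Python parser that reads one DTLS ClientHello record and reports whether the supported_groups (elliptic_curves) extension is present, the difference Uma and Prerak identified in the Wireshark traces. The ClientHello records it works on are constructed by `build_client_hello()` for the example, not captured traffic; the layout follows the DTLS 1.2 record and handshake headers.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SUPPORTED_GROUPS_EXT = 22, 1, 0x000a   # content type, handshake type, extension id
GROUP_NAMES = {0x0017: "secp256r1", 0x001d: "x25519"}           # IANA named-group IDs seen in the thread

def u16(buf, off): return struct.unpack("!H", buf[off:off + 2])[0]

def build_client_hello(suites, groups=None):
    """Constructed DTLS 1.2 ClientHello record for testing (not a captured message)."""
    body = b"\xfe\xfd" + bytes(32) + b"\x00\x00"        # client_version, random, empty session_id and cookie
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if groups is not None:                              # groups=None leaves the extension out entirely
        glist = b"".join(struct.pack("!H", g) for g in groups)
        data = struct.pack("!H", len(glist)) + glist
        exts = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    n = len(body).to_bytes(3, "big")
    hs = bytes([CLIENT_HELLO]) + n + b"\x00\x00" + bytes(3) + n   # type, length, message_seq, frag_off, frag_len
    return struct.pack("!BHH6sH", HANDSHAKE, 0xfefd, 0, bytes(6), len(hs) + len(body)) + hs + body

def parse_client_hello(record):
    """Return the cipher suites and the supported_groups list (None when the extension is absent)."""
    ctype, _ver, _epoch, _seq, rlen = struct.unpack("!BHH6sH", record[:13])
    hs = record[13:13 + rlen]                           # 12-byte handshake header + ClientHello body
    length, frag_off, frag_len = (int.from_bytes(hs[i:i + 3], "big") for i in (1, 6, 9))
    if ctype != HANDSHAKE or hs[0] != CLIENT_HELLO or frag_off or frag_len != length:
        raise ValueError("expected one complete, unfragmented DTLS ClientHello")
    b, p, groups = hs[12:12 + length], 2 + 32, None     # skip client_version and random
    p += 1 + b[p]                                       # session_id
    p += 1 + b[p]                                       # cookie (DTLS only)
    n = u16(b, p); p += 2
    suites = [u16(b, p + i) for i in range(0, n, 2)]; p += n
    p += 1 + b[p]                                       # compression_methods
    if p < len(b):                                      # the extensions block is optional
        ext_end = p + 2 + u16(b, p); p += 2
        while p + 4 <= ext_end:
            etype, elen = u16(b, p), u16(b, p + 2); p += 4
            if etype == SUPPORTED_GROUPS_EXT:
                groups = [u16(b, p + 2 + i) for i in range(0, u16(b, p), 2)]
            p += elen
    return {"cipher_suites": suites, "supported_groups": groups}

def diagnose(hello):
    """Summarise what the peer can infer; Firefox 51 as DTLS server assumed every group it enables when the list is absent."""
    groups = hello["supported_groups"]
    if groups is None:
        return "no supported_groups extension: server may pick any group it enables (Firefox 51 chose x25519)"
    return "client offers " + ", ".join(GROUP_NAMES.get(g, hex(g)) for g in groups)
```

Feeding it the ClientHello bytes from a capture (the record payload of the first handshake datagram) shows in one line whether the gateway's OpenSSL build actually advertised secp256r1.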


Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-02-01 Thread Martin Thomson
On Thu, Feb 2, 2017 at 11:37 AM,   wrote:
> BTW, it seems to me that Firefox should be using a more widely used ECDH 
> named curve, such as secp256r1, when the Client Hello does not list the 
> supported named curves. This would make Firefox more compatible with older 
> implementations. I suppose security and speed may be factor here, but isn't 
> it a bit too soon to make this change?


This is in fact how Firefox will operate in future.  The error that
exists in Firefox 51 (and maybe 52) is that we assume support for all
of the groups that are enabled on the server.  That will not be the
case soon; we will only assume support of P-256.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1330612


Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-01-30 Thread ushunmugan
Thanks, Nils.  I captured the DTLS message exchanges for the working and 
failing cases using Wireshark.  I mainly see two differences.
1. In the working case (Firefox 50.1.0), I see a "Server Hello Done" message 
from Firefox first, before a "Server Hello" along with Certificate, Server Key 
Exchange, and Certificate Request records in the same message. 
In the failing case, the Server Hello Done is sent at the end in the same 
message, after Certificate Request (which actually makes more sense?).

2. In the working case, the cipher suite used is: 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), compared with 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) in the failing case.

It's more likely that the 2nd difference is causing the issue.  I see this 
and other ECDSA ciphers listed in the Client Hello in both cases. I tried 
disabling ECDSA in the gateway using the cipher list "DEFAULT:!aECDSA:!ECDSA" 
in SSL_CTX_set_cipher_list(), but to no avail - I still see the ECDSA ciphers 
in the Client Hello.

Nils, I'll send you the pcap files for these two cases too.

Please let me know if you have any suggestions.

Cheers,
 Uma



Re: DTLS 1.1 failure when Firefox 51 is initiating a call

2017-01-27 Thread Nils Ohlmeier
Hi Uma,
> On Jan 27, 2017, at 15:42, ushunmu...@gmail.com wrote:
> 
> Hi, I am encountering a WebRTC DTLS issue with Firefox 51 and our WebRTC 
> gateway, which didn't happen with the previous version 50.  This only happens 
> when Firefox initiates the call (it works fine when the gateway initiates the 
> call).  The gateway, after exchanging the Client/Server Hello messages, is 
> trying to read the server certificate, when it gets an "internal error" from 
> OpenSSL (version 1.0.1g is being used).  This results in a fatal alert being 
> sent back to Firefox.
> 
> I went through the release notes at 
> https://developer.mozilla.org/en-US/Firefox/Releases/51, but I didn't see any 
> relevant changes.  Does anyone have any idea what could be happening in this 
> case?  Any pointers will be appreciated.

I’m not aware of any changes in regard to DTLS in the WebRTC implementation of 
Firefox. Our crypto library NSS might have changed.

I would recommend taking a Wireshark trace of the working and the failing 
scenario and comparing the two.
Feel free to send me copies of the two files and I’ll have a look as well.

Best
  Nils Ohlmeier




DTLS 1.1 failure when Firefox 51 is initiating a call

2017-01-27 Thread ushunmugan
Hi, I am encountering a WebRTC DTLS issue with Firefox 51 and our WebRTC 
gateway, which didn't happen with the previous version 50.  This only happens 
when Firefox initiates the call (it works fine when the gateway initiates the 
call).  The gateway, after exchanging the Client/Server Hello messages, is 
trying to read the server certificate, when it gets an "internal error" from 
OpenSSL (version 1.0.1g is being used).  This results in a fatal alert being 
sent back to Firefox.

I went through the release notes at 
https://developer.mozilla.org/en-US/Firefox/Releases/51, but I didn't see any 
relevant changes.  Does anyone have any idea what could be happening in this 
case?  Any pointers will be appreciated.

Thanks!
 Uma