Comments (10)
Perfect, thank you @diagonalfish
I was able to reproduce this, and will be working on this. I will update you when I know the exact issue and then when I push a fix.
Thanks for using Pion DTLS!
from dtls.
I download and compiled the latest OpenSSL (1.1.0j) and it appears to not be affected by this problem. I am not sure if this is a bug in OpenSSL or some other subtle incompatibility that was resolved in 1.1.0+.
from dtls.
@diagonalfish thanks for the report!
I will run 1.0.2k
and check it out. Does CentOS 7 ship that by default? (just looking for the easiest way to test) vs building it myself.
I can also help debug quicker if you can spew.Dump
at client_handlers.go:91 and get a pcap of all udp traffic. If you don't have time totally understand though!
clientRandom
serverRandom
expectedHash
h
c
from dtls.
Yes, it is the default in the current version of CentOS 7 (7.6.1810 at time of writing). The full package version is openssl-1.0.2k-16.el7.
from dtls.
Here is a spew of all the variables you wanted to see: https://gist.github.com/diagonalfish/ed5c393f73b5b76444ba66f5285b37f1
pcap's a bit harder because I'm communicating on localhost but here's the OpenSSL debug output which includes packet hex dumps: https://gist.github.com/diagonalfish/836cac3938221c10a4f966995b6ca927
from dtls.
I was able to get OpenSSL as a client and Pion DTLS working as a server with this patch
[root@b71a7b964168 dtls]# git diff
diff --git a/server_handlers.go b/server_handlers.go
index 034471e..9344608 100644
--- a/server_handlers.go
+++ b/server_handlers.go
@@ -167,9 +167,6 @@ func serverFlightHandler(c *Conn) (bool, error) {
&extensionSupportedEllipticCurves{
ellipticCurves: []namedCurve{namedCurveX25519, namedCurveP256},
},
- &extensionUseSRTP{
- protectionProfiles: []srtpProtectionProfile{SRTP_AES128_CM_HMAC_SHA1_80},
- },
&extensionSupportedPointFormats{
pointFormats: []ellipticCurvePointFormat{ellipticCurvePointFormatUncompressed},
},
I will get this patch into master. We should conditionally support getting/setting extensions like crypto/tls
but I just defaulted them because I only was concerned about pion-WebRTC at the time.
Still working on pion DTLS as a client. This is probably the most frustrating part, it is just in hash verification, if you do this everything works. You can do this if you want to be unblocked, but definitely don't ship with this. I am sure this is just an off-by-one somewhere, but really tough to debug this part with OpenSSL.
diff --git a/client_handlers.go b/client_handlers.go
index 7cb5225..fa0fae6 100644
--- a/client_handlers.go
+++ b/client_handlers.go
@@ -86,10 +86,10 @@ func clientHandshakeHandler(c *Conn) error {
return err
}
- expectedHash := valueKeySignature(clientRandom, serverRandom, h.publicKey, c.namedCurve, h.hashAlgorithm)
- if err := verifyKeySignature(expectedHash, h.signature, c.remoteCertificate); err != nil {
- return err
- }
+ // expectedHash := valueKeySignature(clientRandom, serverRandom, h.publicKey, c.namedCurve, h.hashAlgorithm)
+ // if err := verifyKeySignature(expectedHash, h.signature, c.remoteCertificate); err != nil {
+ // return err
+ // }
}
case *handshakeMessageCertificateRequest:
from dtls.
Sorry - was out last week and didn't see this. I appreciate the work you've put into this so far. If there's anything else I can do to help let me know.
from dtls.
Hey good news @diagonalfish this is all fixed! Can you try out my branch when you get a chance? #37
I will merge into master if it all works, thanks!
from dtls.
Can confirm that the issue-32 branch solves the problem. Excellent :)
from dtls.
Fantastic, merged!
Thanks again for the bug report. If there is every anything else I am all ears, hopefully the package is easy to use :)
Also feel free to join us in Slack! Most people are talking about pions/webrtc but always happy to help debug/discuss anything.
from dtls.
Related Issues (20)
- Handshake failed. Broken by #398 "Server chooses cipher suite not matching its certificate"
- Add support for ECDHE_PSK ciphers
- Server side only certs - openssl client - wrong certificate type HOT 2
- Change how we do temporary errors to match upstream HOT 1
- HelloRequest Handshake Type Support HOT 1
- Set sessionId in clienthello HOT 3
- Ed25519 keys are not fully supported. HOT 6
- E2E tests deadlock and consumes tons of CI minutes HOT 2
- Handshaker doesn't handle "Read retransmit" event HOT 1
- DTLS server does not handle retransmits of the client's last flight HOT 2
- not close udp conn when dtls handshake failed?
- Add Config.VerifyConnection callback
- noise feature? HOT 2
- Port old fuzzing code to Go's new fuzzing tools
- Connection timeout ignores configured context timeout HOT 6
- Allow supplying external crypto.Signer for TLS signature HOT 4
- OpenSSL E2E Tests are broken in Go 1.20 HOT 1
- Completed Handshake process without any certificate sent by the client HOT 5
- when connecting new listener, bind:already in use error occurs HOT 2
- about pmtu and message too long error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dtls.