SSL routines:dtls1_read_bytes:tlsv1 alert unknown ca


Lucio Cosmo

Feb 7, 2017, 10:54:32 AM2/7/17
to discuss-webrtc

Hi everyone.


We're developing our own WebRTC endpoint to establish communication from a C++ application to Chrome.


ICE exchange is ok.

STUN exchange is somewhat ok.


Browser connection is either https://localhost or http://localhost, with websockets configured in ws://localhost or wss://localhost accordingly.


For development-only purposes we would like to use self-signed certificates which we manually trust from the UI.


However, we can't figure out how to specify in Chrome to ignore "unknown certification authorities", if this is the problem below.

The DTLS conversation on UDP starts but never reaches the end of the handshake.



[2017-02-07 16:20:59 003496] UDP RX 100 Bytes

[2017-02-07 16:20:59 003496] UDP RX 163 Bytes

[2017-02-07 16:20:59 003496] UDP TX DTLS reply 1676 Bytes

[2017-02-07 16:20:59 003496] UDP RX 15 Bytes

[2017-02-07 16:20:59 003496] SSL_ERROR_SSL error:14102418:SSL routines:dtls1_read_bytes:tlsv1 alert unknown ca


Is it correct to interpret this as "Chrome is not trusting our service" because the server certificate's CA is not valid?

Is it possible to configure the WebRTC instance in the webpage to ignore unknown certificates for development?


At the moment we get this error for both http / https connections.


The best would be to tear off all security layers for development; we did not find working examples or guides.

Thanks for any advice

L

Lucio Cosmo

Feb 12, 2017, 4:55:24 PM2/12/17
to discuss-webrtc
Hi All

We found the problem. We did not pass the correct DTLS certificate FINGERPRINT in the SDP answer.
Going without certificates or security is not feasible, even for development only.

Still, we can't check the message integrity in the STUN request, but our STUN reply seems to have the correct fingerprint and message integrity.
The DTLS conversation is established and the SRTP exchange starts with interesting and comprehensible packets.

The Chrome logs are not verbose enough to understand this specific problem.

Regards,
Lucio
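An added example, not code from the thread, showing the check that failed here: the `a=fingerprint:` attribute in the SDP offer/answer is the hash of the DER-encoded DTLS certificate (RFC 8122), and after the handshake each peer hashes the certificate it actually received and compares it against that signalled value, aborting with a TLS alert on mismatch. The certificate byte strings below are constructed stand-ins, not real DER.

```python
import hashlib
import hmac

# SDP fingerprint hash names (RFC 8122) mapped to hashlib constructors.
HASH_FUNCS = {
    "sha-1": hashlib.sha1,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}


def sdp_fingerprint(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Build the a=fingerprint line for a DTLS certificate: the hash of the
    DER-encoded certificate, upper-case hex bytes separated by colons."""
    digest = HASH_FUNCS[hash_name](cert_der).digest()
    return f"a=fingerprint:{hash_name} " + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(line: str):
    """Parse 'a=fingerprint:<hash> XX:XX:...' into (hash_name, digest bytes)."""
    if not line.startswith("a=fingerprint:"):
        raise ValueError("not a fingerprint attribute")
    hash_name, _, hexpart = line[len("a=fingerprint:"):].strip().partition(" ")
    hash_name = hash_name.lower()
    if hash_name not in HASH_FUNCS:
        raise ValueError(f"unsupported hash function {hash_name}")
    parts = hexpart.strip().split(":")
    if any(len(p) != 2 for p in parts):
        raise ValueError("malformed fingerprint hex")
    digest = bytes.fromhex("".join(parts))
    if len(digest) != HASH_FUNCS[hash_name]().digest_size:
        raise ValueError("fingerprint length does not match hash function")
    return hash_name, digest


def peer_cert_matches(cert_der: bytes, fingerprint_line: str) -> bool:
    """The post-handshake check a DTLS-SRTP endpoint performs: the certificate
    the peer presented must hash to the fingerprint it signalled in SDP."""
    hash_name, expected = parse_fingerprint(fingerprint_line)
    actual = HASH_FUNCS[hash_name](cert_der).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
OUR_CERT_DER = b"\x30\x82\x01\x00constructed-dtls-cert-A"
STALE_CERT_DER = b"\x30\x82\x01\x00constructed-dtls-cert-B"

if __name__ == "__main__":
    line = sdp_fingerprint(OUR_CERT_DER)
    print(line)
    print("cert used in handshake matches SDP:", peer_cert_matches(OUR_CERT_DER, line))
    print("stale cert matches SDP:", peer_cert_matches(STALE_CERT_DER, line))
```

The second case is the situation in this thread: the certificate the C++ side used in the DTLS handshake did not hash to the fingerprint it had put in the SDP answer, so the browser rejected it.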

Taylor Brandstetter

Feb 12, 2017, 5:20:04 PM2/12/17
to discuss-webrtc
It sounds like you encountered this issue: https://bugs.chromium.org/p/webrtc/issues/detail?id=7044

The "unknown ca" error is incorrect; Chrome should be producing "bad certificate" (I believe).


Lucio Cosmo

Feb 12, 2017, 5:35:32 PM2/12/17
to discuss-webrtc
Exactly.

And an "unknown CA" was suggesting to us that we were using a non-correct certificate during development. That's why we wanted a way to test everything with security turned off. After some source code reading, and re-reading the specs, we got this.

Within all this, Chrome flooding us with STUN messages does not really help.

If it can be of interest:

- while the STUN response is wrong, Chrome floods STUN requests
- until the DTLS handshake, Chrome sends STUN requests about 2 per second
- when the DTLS handshake is correct, the audio starts being streamed and received as SRTP.


The whole handshake flow is very complex.

Lucio