Firefox WebRTC DTLS

Sachin

Mar 24, 2017, 5:14:42 PM
to discuss-webrtc
Hi All,

I am currently working with the following setup.

Scenario 1:  TURN server not forced

SipML5 on Firefox -> Asterisk WebRTC gateway

Audio call happens successfully.



Scenario 2:  TURN server forced with iceTransportPolicy: "relay"

SipML5 on Firefox -> coTurn TURN server -> Asterisk WebRTC gateway

Call fails. 


The only change here is that the TURN server is forced. I checked the Wireshark packet capture in both scenarios. Attached are the snapshots.

Asterisk server is 172.16.4.210
TURN is 172.16.4.205
Firefox is 172.16.1.26

In the second scenario, Firefox keeps sending "Server Hello" repeatedly. I am not able to figure out the reason. How do I proceed further in figuring out the issue? Any pointers will be helpful.

The same setup works fine if Chrome is used instead of Firefox.

Thanks in advance.

Thanks,
Sachin


Ajay Choudary

Mar 27, 2017, 5:18:19 AM
to discuss-webrtc
It looks like an MTU issue; in the working case the certificate length is <1300.
So use the same certificates in the second case and try again.
Or you can try configuring an MTU limit in Asterisk.

Sachin

Mar 27, 2017, 6:33:12 PM
to discuss-webrtc
Hi

Thanks for the reply. The certificate is the same in both scenarios. The only change is the introduction of the TURN server. I will check the different frame length.
One question: does Firefox support a TURN server?

I enabled the Firefox debug logs as well. They also do not show any error or failure.

Thanks,
Sachin

Nils Ohlmeier

Apr 1, 2017, 2:09:00 PM
to discuss...@googlegroups.com
Hello,

I think Ajay is right that this appears to be some fragmentation issue. We recently fixed Firefox to not send trusted CA certs from the client side. I would have to check in which version this got fixed. I assume you tested this with Firefox release. Could you test this with Firefox Nightly and get back to me if it still does not work with the latest Firefox Nightly? I'm happy to debug this in more detail if it still does not work.

Best
  Nils Ohlmeier

Sachin

Apr 3, 2017, 4:26:55 PM
to discuss-webrtc
Hi

Yes, it seems to be a fragmentation issue. I referred to https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial to create the certificate. Initially the script "ast_tls_cert" had 4096 as the key length. Later I changed it to 2048, which reduced the certificate size.
With this change, it worked.

One thing I have not understood is how the introduction of the TURN server causes a fragmentation issue.

Thanks,
Sachin

Nils Ohlmeier

Apr 4, 2017, 1:56:29 PM
to discuss...@googlegroups.com
Hi Sachin,

One possibility of what's happening is that TURN needs to add an extra header on the side of the client which allocated the relay. As Firefox uses the Send mechanism and not a channel bind, the overhead is quite a bit. So if Asterisk sends its cert split up into 1500 bytes (assuming default Ethernet MTUs here) to your coTurn server, I'm not sure how coTurn is going to pass these 1500 bytes down to Firefox without fragmenting it.

If you could provide me a tcpdump from the machine which runs coTurn I’ll be happy to have a more detailed look.

Best
  Nils Ohlmeier
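
The framing overhead described in the reply above, as an added example that is not part of the original thread or of any project's code: it builds the RFC 5766 Data indication a relay sends to a client with no bound channel, builds the ChannelData alternative, and measures each against a 1500-byte MTU. The peer port 10000, channel number 0x4000 and the zero-filled payload are constructed values; IPv4 without options is assumed.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value
DATA_INDICATION = 0x0017           # RFC 5766: method Data, class indication
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_DATA = 0x0013
IP_UDP_HEADERS = 20 + 8            # IPv4 header without options + UDP header


def _attr(attr_type, value):
    """STUN attribute: 4-byte type/length header, value padded to 4 bytes."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * (-len(value) % 4)


def data_indication(peer_ip, peer_port, payload, txid=bytes(12)):
    """What the relay sends to a client that has no channel bound to the peer."""
    xport = peer_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(peer_ip))[0] ^ MAGIC_COOKIE
    peer = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # family 0x01 = IPv4
    attrs = _attr(ATTR_XOR_PEER_ADDRESS, peer) + _attr(ATTR_DATA, payload)
    return struct.pack("!HHI", DATA_INDICATION, len(attrs), MAGIC_COOKIE) + txid + attrs


def channel_data(channel, payload):
    """ChannelData framing used after a ChannelBind: 4 bytes of overhead."""
    return struct.pack("!HH", channel, len(payload)) + payload


def ip_datagram_size(udp_payload):
    return IP_UDP_HEADERS + len(udp_payload)


def max_peer_payload(wrap, mtu=1500):
    """Largest peer payload whose wrapped form still fits one IP datagram."""
    size = mtu - IP_UDP_HEADERS
    while ip_datagram_size(wrap(bytes(size))) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Constructed input: a DTLS fragment that fills a 1500-byte Ethernet MTU.
    fragment = bytes(1500 - IP_UDP_HEADERS)
    relayed = data_indication("172.16.4.210", 10000, fragment)
    print(ip_datagram_size(relayed), ip_datagram_size(channel_data(0x4000, fragment)))
    print(max_peer_payload(lambda p: data_indication("172.16.4.210", 10000, p)),
          max_peer_payload(lambda p: channel_data(0x4000, p)))
```

A full-MTU packet from the peer exceeds 1500 bytes on the relay-to-client leg under either framing; the Data indication adds 36 bytes where ChannelData adds 4.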
