Handshake failures with Chrome 51 and/or 52


Lorenzo Miniero

May 26, 2016, 5:08:23 AM5/26/16
to meetecho-janus
Hi all,

in case you're experiencing DTLS handshake errors when using Janus with Chrome 51 and/or 52 (and some already did), the cause is that Chrome now apparently seems to sometimes demand support for elliptic curves when negotiating a WebRTC PeerConnection. Not sure if this is a feature or a bug, as it happened on Chrome for Linux for me some time ago, but didn't for a Windows release of the same browser version. Now it seems to happen for some Windows releases too. Not sure about Mac OS.

Anyway, if you're getting it, there is a fix, and it is to update OpenSSL on the machine where Janus is deployed. This is not a problem at all if you're already using OpenSSL 1.0.1g or older for Janus, but if you're using a previous version (e.g., our affected servers had 1.0.1f) this will result in the mentioned DTLS handshake failures for those new Chrome versions, and so calls won't start. You can fix that by either upgrading the OpenSSL version in your distro (e.g., to 1.0.2d), which is typically the recommended procedure, or switching to BoringSSL, installing it as suggested in the README and rebuilding Janus.

Lorenzo

Laurent Denoue

Jun 10, 2016, 4:30:04 AM6/10/16
to meetecho-janus
I noticed Janus now fails to work between Chrome 52 and Firefox.
Or when I feed a screen sharing session into Firefox or Chrome 52, Janus is not able to record (but still records Firefox webcam streams well).

I've upgraded my openSSL to 1.0.1g and recompiled and reinstalled Janus using the latest commits.
Still having the same issue.

I'm suspecting it's a codec issue, perhaps around H264?

Any idea?

Laurent

Lorenzo Miniero

Jun 10, 2016, 4:33:10 AM6/10/16
to meetecho-janus
Check the admin API for info on the handle that's broken for you. If it's not DTLS related, please open another post, as this is only for notifying people about the need to upgrade openssl in case of handshake issues.

L.

Laurent Denoue

Jun 10, 2016, 4:56:32 AM6/10/16
to meetecho-janus
I see this in my log:

[WARN] [1539717863]     Missing valid SRTP session (packet arrived too early?), skipping...
[WSS-0x7f4f5c0008c0] Got 126 bytes:
[WSS-0x7f4f5c0008c0] First fragment: 126 bytes, 0 remaining
[WSS-0x7f4f5c0008c0] Done, parsing message: 126 bytes
Got a Janus API request from janus.transport.websockets (0x7f4f5c001230)
Transport task pool, serving request
No more remote candidates for handle 1539717863!
[1539717863] Looks like DTLS!
[1539717863] DTLS alert triggered on stream 1 (component 1), closing...
[1539717863] Telling the plugin about it (JANUS VideoRoom plugin)
No WebRTC media anymore
File is 8 bytes: uH1XlDPcMGF2-sGb8k_Z0HurVcjTE31C,1,1,1465548854023-audio.mjr
Closed audio recording uH1XlDPcMGF2-sGb8k_Z0HurVcjTE31C,1,1,1465548854023-audio.mjr
File is 8 bytes: uH1XlDPcMGF2-sGb8k_Z0HurVcjTE31C,1,1,1465548854023-video.mjr
Closed video recording uH1XlDPcMGF2-sGb8k_Z0HurVcjTE31C,1,1,1465548854023-video.mjr
[1539717863] Notifying WebRTC hangup
[1539717863] Sending event to transport...
[ERR] [dtls.c:janus_dtls_srtp_incoming_msg:388] [1539717863] Handshake error: error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure
[1539717863] ICE thread ended!

Lorenzo Miniero

Jun 10, 2016, 5:00:52 AM6/10/16
to meetecho-janus
My guess is that either your Janus is still using an older openssl, or upgrading openssl failed. The new one definitely works for us on all browser versions, and fixed the handshake issue.
You may want to try even newer versions (e.g., 1.0.1k which works fine on my Fedora, or the 1.0.2 we use on our servers).

L.

Laurent Denoue

Jun 10, 2016, 11:59:54 AM6/10/16
to meetecho-janus
I couldn't compile Janus anymore with OpenSSL. It failed on CRYPTO_LOCK not defined in dtls.c

So I installed instead BoringSSL and it's working again.

Thanks for your help Lorenzo.

Laurent

Fabian Bernhard

Jun 19, 2016, 2:00:26 PM6/19/16
to meetecho-janus
On Friday, June 10, 2016 at 11:00:52 AM UTC+2, Lorenzo Miniero wrote:
My guess is that either your Janus is still using an older openssl, or upgrading openssl failed. The new one definitely works for us on all browser versions, and fixed the handshake issue.
You may want to try even newer versions (e.g., 1.0.1k which works fine on my Fedora, or the 1.0.2 we use on our servers).


How can we tell Janus ./configure to pick up the new version 1.0.2 from /usr/local/... rather than the OS default one in /usr/?  Setting LDFLAGS and CFLAGS didn't do the trick. Thanks!


Laurent Denoue

Jun 19, 2016, 5:06:37 PM6/19/16
to Fabian Bernhard, meetecho-janus
I got lucky using BoringSSL instead and Janus works again with chrome 51+

Fabian Bernhard

Jun 20, 2016, 1:43:33 AM6/20/16
to meetecho-janus, fber...@gmail.com


On Sunday, 19 June 2016 23:06:37 UTC+2, Laurent Denoue wrote:
I got lucky using BoringSSL instead and Janus works again with chrome 51+
 
Thanks! Our issue must be unrelated to this, we still have DTLS-Alerts with Janus compiled against BoringSSL as per instructions on the Github page. Interestingly enough, the DTLS-Alert only happens with the SIP plugin, not the videoroom. I'll create a separate thread.

Ron Sharp

Aug 2, 2016, 3:05:53 PM8/2/16
to meetecho-janus
Last week I started getting DTLS errors. See log excerpt below. Echotest will not work from chrome on a linux
host but will on Windows or using firefox on either system. Also the Linux chrome will successfully do the
echotest on the meetecho site. So it looks like the problem you describe. I am on ubuntu 14.04.5 on my janus server. 
I did an upgrade to openssl and it did the upgrade but did not change the version. Still "OpenSSL 1.0.1f 6 Jan 2014".
I read that they often will add the changes, particularly security changes but not change the version for
compatibility issues. Anyway, it did nothing for me. I wanted to see if anyone else with an ubuntu system
was able to solve it. Rather not go to boringssl. Thanks. 

Ron

Creating new session: 3172089493
Creating new handle in session 3172089493: 3463339123
[3463339123] Creating ICE agent (ICE Full mode, controlled)
No WebRTC media anymore
^[[31m[ERR]^[[0m [dtls.c:janus_dtls_srtp_incoming_msg:557] [3463339123] Handshake error: error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure
[3463339123] WebRTC resources freed
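
Added example, not part of any post in this thread: a small parser that pulls the failing handle IDs out of Janus log lines like the two excerpts quoted above and decodes the OpenSSL error code. It assumes the OpenSSL 1.0.x/1.1.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and that reason codes of 1000 and above are alerts received from the peer; the sample lines are constructed from the thread's log format and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the Janus log excerpts quoted in the thread.
SAMPLE_LOG = """\
[1539717863] Looks like DTLS!
[ERR] [dtls.c:janus_dtls_srtp_incoming_msg:388] [1539717863] Handshake error: error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure
^[[31m[ERR]^[[0m [dtls.c:janus_dtls_srtp_incoming_msg:557] [3463339123] Handshake error: error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure
[3463339123] WebRTC resources freed
"""

# Colour codes appear either as a real ESC byte or rendered as the text "^[".
ANSI = re.compile(r"(?:\x1b|\^\[)\[[0-9;]*m")
HANDSHAKE = re.compile(r"\[(\d+)\] Handshake error: error:([0-9A-Fa-f]{8}):")
SSL_AD_REASON_OFFSET = 1000  # assumption: reason = offset + TLS alert description
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security"}  # RFC 5246


def decode_error(code_hex):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into its fields."""
    value = int(code_hex, 16)
    reason = value & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": (value >> 24) & 0xFF, "func": (value >> 12) & 0xFFF,
            "reason": reason, "peer_alert": alert,
            "alert_name": ALERTS.get(alert)}


def failing_handles(log_text):
    """Return one record per DTLS handshake error, with the Janus handle ID."""
    records = []
    for line in log_text.splitlines():
        match = HANDSHAKE.search(ANSI.sub("", line))
        if match:
            records.append({"handle": int(match.group(1)),
                            **decode_error(match.group(2))})
    return records


if __name__ == "__main__":
    for rec in failing_handles(SAMPLE_LOG):
        print(rec)
```

A `peer_alert` of 40 means the fatal alert was sent by the browser rather than raised locally, which is consistent with the remote side rejecting what the server's libssl offered, as described in the first post.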

Alessandro Amirante

Aug 2, 2016, 3:11:39 PM8/2/16
to Ron Sharp, meetecho-janus

Update apt's sources.list with 16.04 (Xenial) repos.
Then upgrade openssl.
Then put 14.04 repos back.

This will do the trick!

Alessandro



Ron Sharp

Aug 3, 2016, 7:55:09 AM8/3/16
to meetecho-janus, rlsh...@gmail.com
Thanks Alessandro. I will give it a try.

Ron

gor ski

Aug 9, 2016, 5:42:10 AM8/9/16
to meetecho-janus, rlsh...@gmail.com
The libssl needs to be updated also,
this is what happens when you update apt's sources.list with 16.04 (Xenial) repos.

Lorenzo Miniero

Apr 2, 2017, 5:57:20 AM4/2/17
to meetecho-janus, rlsh...@gmail.com
When we say "OpenSSL" we actually mean libssl+libcrypto. Sorry for the confusion.

L.

The Beach Today

Aug 10, 2017, 5:46:11 PM8/10/17
to meetecho-janus
I've been running into this issue on Chrome 59 on my Ubuntu 14.04-deployed Janus server; Firefox works fine.  Chrome 59 works fine against the meetecho janus server.

I've upgraded openssl to 1.1.0f as well as all other packages that are impacted.  

The Janus log just after pressing "Publish" is here: https://pastebin.com/E9wVGwxp  As you can see, we get " Handshake error: error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure" and ICE thread ended!

On the Chrome side, in the console, we get the following errors: 
Janus says our WebRTC PeerConnection is down now
Cleaning WebRTC stuff
Stopping local stream

Any help is very much appreciated! -Teo


Alessandro Amirante

Aug 11, 2017, 8:58:44 AM8/11/17
to The Beach Today, meetecho-janus
> do you have any ideas on forcing Ubuntu 14.04 to force OpenSSL upgrade beyond 1.0.1f?

Put 16.04 repos in your sources.list. Then upgrade openssl. Then put 14.04 repos back.

A. 

On 10 Aug 2017 12:37 AM, "The Beach Today" <thebea...@gmail.com> wrote:
@Lorenzo - I'm seeing the same issue on Chrome 59 as well as a headless Raspberry Pi.  Firefox works fine on PC and Android.  Chrome as well as the RPi can view the stream, but cannot publish [i.e. the handshake error appears].

On the Janus server, I'm running Ubuntu 14.04, and I attempted to upgrade openssl by manually compiling [using these tips: https://www.miguelvallejo.com/updating-to-openssl-1-0-2g-on-ubuntu-server-12-04-14-04-lts-to-stop-cve-2016-0800-drown-attack/], but no dice.  OpenSSL sits at 1.0.1f [as well as libssl-dev]; libcrypto is 5.6.1.

Are we sure OpenSSL at 1.0.1f is the issue?  I know it's a little out of scope on this group, but do you have any ideas on forcing Ubuntu 14.04 to force OpenSSL upgrade beyond 1.0.1f?  

Thanks!  



globalik slivov

Mar 14, 2018, 1:11:23 AM3/14/18
to meetecho-janus
How to achieve this? From command line?

globalik slivov

Feb 19, 2019, 12:47:56 PM2/19/19
to meetecho-janus
As a workaround, use the janus_libs and janus_cflags when configuring: paths to the newly installed modern openssl. BoringSSL sucks. I've tried tons of times. Some functions are undefined references.