ICE pair validation too strict - DTLS client hello ignored


mtryfoss

Jun 3, 2025, 8:28:27 AM
to Sipwise rtpengine
We've had a WebRTC-based softphone running in production for quite some time. Recently we've become aware of some random calls without RTP in any direction.

It's impossible to reproduce, but it seems to be tied to certain clients and especially the first call after a long idle period (PC hibernated or similar). The issue affects both recent Edge and Chrome users.

I've tried adjusting with DTLS=passive and ICE-lite=forward, but neither seems to have an effect.

Looking at traces, it seems like an issue when the other side is trying a DTLS client hello.
This happens some milliseconds before the STUN request with USE-CANDIDATE.

After some research online, I found this old bug report:
https://issues.webrtc.org/issues/42228568

Stating:
from RFC 5245, S 12.1.1:

Once candidate pairs for each component of a
media stream enter the valid list, the answerer can begin sending
media on that media stream.

So this behavior is legal by spec.

---

After looking through the rtpengine code, I wonder if this particular check is too strict (at least, when using ICE lite):


    if (!PAIR_ISSET(pair, VALID))
        return false;

Based on lab testing, it seems like checking for the SUCCEEDED flag might be more appropriate?
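
A trace check for the packet ordering described in the post above, as an added example that is not part of the original thread and is not rtpengine code: it classifies UDP payloads and reports a DTLS ClientHello that arrives before the first STUN Binding request carrying USE-CANDIDATE. The function names and the sample payloads are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

enum pkt_kind { PKT_OTHER, PKT_STUN_CHECK, PKT_STUN_NOMINATE, PKT_DTLS_HELLO };

/* Constructed sample payloads (hypothetical, not taken from a real capture). */
static const uint8_t stun_check[] = { 0x00,0x01,0x00,0x08, 0x21,0x12,0xA4,0x42,
    1,2,3,4,5,6,7,8,9,10,11,12, 0x00,0x24,0x00,0x04, 0x6E,0x00,0x01,0xFF };
static const uint8_t stun_nominate[] = { 0x00,0x01,0x00,0x04, 0x21,0x12,0xA4,0x42,
    1,2,3,4,5,6,7,8,9,10,11,13, 0x00,0x25,0x00,0x00 };
static const uint8_t dtls_hello[] = { 22, 0xFE,0xFD, 0,0, 0,0,0,0,0,0, 0,1, 1 };

/* Classify one UDP payload; first-byte values follow RFC 7983 demultiplexing. */
enum pkt_kind classify(const uint8_t *p, size_t len)
{
    static const uint8_t cookie[4] = { 0x21, 0x12, 0xA4, 0x42 };
    if (len >= 20 && p[0] == 0x00 && p[1] == 0x01 && !memcmp(p + 4, cookie, 4)) {
        size_t end = 20 + (((size_t)p[2] << 8) | p[3]); /* STUN Binding request */
        if (end > len) return PKT_OTHER; /* length field runs past the datagram */
        for (size_t off = 20; off + 4 <= end; ) {
            unsigned type = ((unsigned)p[off] << 8) | p[off + 1];
            size_t alen = ((size_t)p[off + 2] << 8) | p[off + 3];
            if (type == 0x0025) return PKT_STUN_NOMINATE; /* USE-CANDIDATE */
            off += 4 + ((alen + 3) & ~(size_t)3); /* attributes are 32-bit padded */
        }
        return PKT_STUN_CHECK;
    }
    /* DTLS record type 22 (handshake); after the 13-byte header, 1 = ClientHello. */
    if (len >= 14 && p[0] == 22 && p[13] == 1) return PKT_DTLS_HELLO;
    return PKT_OTHER;
}

/* Index of a ClientHello seen before any USE-CANDIDATE request, or -1 if none. */
int early_client_hello(const uint8_t *const pkts[], const size_t lens[], size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum pkt_kind k = classify(pkts[i], lens[i]);
        if (k == PKT_STUN_NOMINATE) return -1;
        if (k == PKT_DTLS_HELLO) return (int)i;
    }
    return -1;
}

int main(void)
{
    const uint8_t *const pkts[] = { stun_check, dtls_hello, stun_nominate };
    const size_t lens[] = { sizeof stun_check, sizeof dtls_hello, sizeof stun_nominate };
    return early_client_hello(pkts, lens, 3) == 1 ? 0 : 1; /* 0: hello came early */
}
```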


Richard Fuchs

Jun 3, 2025, 10:54:19 AM
to rtpe...@googlegroups.com
On 03/06/2025 08.28, mtryfoss wrote:
> After looking through the rtpengine code, I wonder if this particular check is too strict (at least, when using ICE lite):
>
>     if (!PAIR_ISSET(pair, VALID))
>         return false;
>
> Based on lab testing, it seems like checking for the SUCCEEDED flag might be more appropriate?

Yes, it seems that the VALID flag used internally doesn't really reflect the "valid" state as described by the RFC. I would say that even using SUCCEEDED likely would be too strict. I'll add a new, more appropriate flag.

Cheers

mtryfoss

Jun 3, 2025, 2:32:32 PM
to Sipwise rtpengine
Thanks for your quick response! Let me know when you've got something for me to test.
Hopefully something that's easy to backport to mr12.

Best regards,
Morten

Richard Fuchs

Jun 3, 2025, 2:50:40 PM
to rtpe...@googlegroups.com

mtryfoss

Jun 3, 2025, 3:37:34 PM
to Sipwise rtpengine
Thank you so much!