[Freeswitch-users] WebRTC calls failing
Tihomir Culjaga
tculjaga at gmail.com
Tue Feb 14 00:03:31 MSK 2017
Mike, I totally agree with you here... but what drives me crazy is the fact
I'm running latest CentOS 7 and, still, I got OpenSSL 1.0.1e-fips 11 Feb
2013... okay, it's patched by RH but it's not enough.
In this scenario WebRTC works on Chrome and Opera but doesn't work on
FireFox.
Of course, I tried to link freeswitch to openssl 1.0.2k ... and it builds
nice.
./configure CFLAGS="-I /usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib/"
but what I see is
# ldd freeswitch | grep -E "ssl|crypto"
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f6fb14ce000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f6fb10e9000)
libssl3.so => /lib64/libssl3.so (0x00007f6fb0167000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6faec3d000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f6fae164000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6fadd7a000)
Not sure I would run it in production.
Well, this is just sad :)
Need to find a clean way to update OpenSSL on CentOS 7...
Tihomir.
On 13 February 2017 at 20:43, Michael Jerris <mike at jerris.com> wrote:
> Issues come in to play in that freeswitch links to some other things that
> also use openssl. Using 2 different versions twice in the same process is
> a problem as openssl uses some global data. Due to this issue, all things
> linked to the same process must use the same version. It's typically safe
> based on openssl versioning to update to the same version with a different
> letter revision and it will be both api and abi compatible. This can be
> done simply overwriting the system package, or building a system package
> with the newer version. There are lots of ways you can mess this up and
> end up with part of one version and part of another version. If you
> upgrade to a new version number, everything that links to openssl and links
> to freeswitch will need to be rebuilt against the newer version. I’ve seen
> all but one person who has attempted this on ubuntu do it incorrectly.
> Using older ubuntu also has the downside that all the other dependency libs
> are older versions that are not well tested, and particularly on ubuntu
> 14.04 we see a number of mysterious issues we don’t see on debian. In
> short, if you want some confidence that freeswitch will run reliably, the
> best way to do so would be to use the most tested reference platform. If
> you choose to use ubuntu 14.04, expect mysterious crashes or features that
> simply don’t work that we can not help troubleshoot.
>
> Mike
>
>
>
> On Feb 13, 2017, at 2:28 PM, Tihomir Culjaga <tculjaga at gmail.com> wrote:
>
> well, can't we just compile a latest version of openssl from source and
> link that libssl somehow ?
>
> On 10 February 2017 at 23:37, SamyGo <govoiper at gmail.com> wrote:
>
>> Yes, indeed I'm still stuck at it and getting hold of a Debian Box to
>> handle this part.
>>
>> Thanks for the followup, will revert if Debian shows any issues.
>>
>> Regards,
>> Sammy
>>
>> On Fri, Feb 10, 2017 at 10:29 AM, Michael Jerris <mike at jerris.com> wrote:
>>
>>> If you are still struggling at this point to get it to install properly,
>>> I'd suggest using debian 8.
>>>
>>> On Fri, Feb 10, 2017 at 2:07 AM SamyGo <govoiper at gmail.com> wrote:
>>>
>>>> Thanks Michael for your feedback.
>>>>
>>>> Just to be clear are we heading in the right direction? I've tried
>>>> using the latest git version of FreeSWITCH as well to no avail.
>>>>
>>>> Best Regards,
>>>> Sammy
>>>>
>>>>
>>>> On Fri, Feb 10, 2017 at 12:48 AM, Michael Jerris <mike at jerris.com>
>>>> wrote:
>>>>
>>>> 1.0.1h or later will work correctly, but getting it installed properly
>>>> on top of the ubuntu one with all the bits in the right place is kind of a
>>>> pain. Strongly suggest using debian 8 to make your life easier, if not,
>>>> you’ll have to figure out how to build a new 1.0.1 openssl to build against
>>>> properly for your distro.
>>>>
>>>>
>>>> On Feb 9, 2017, at 9:16 PM, Oleg Stolyar <olegstolyar at gmail.com> wrote:
>>>>
>>>> Unfortunately, no. My company just happened to have a compatible
>>>> special version made for something else but it's only available internally.
>>>>
>>>> On Thu, Feb 9, 2017 at 6:02 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> Thanks Oleg,
>>>> Mine is still on 1.0.1h, I'm trying to get the latest one but the
>>>> Ubuntu14.04 takes me nowhere. My idea was that if I'm installing OpenSSL
>>>> latest release from sources then the libssl-dev would be installed and
>>>> updated along with it, no ?
>>>>
>>>> Do you have any link or pointers as to how to get the libssl-dev installed
>>>> manually?
>>>>
>>>> Thanks & Regards,
>>>> Sammy
>>>>
>>>>
>>>> On Thu, Feb 9, 2017 at 8:06 PM, Oleg Stolyar <olegstolyar at gmail.com>
>>>> wrote:
>>>>
>>>> This is a known issue on Ubuntu 14.04 and recent versions of Chrome.
>>>> openssl does not need to be updated for Chrome 52+ to work. libssl-dev
>>>> is the one that needs to be updated at least to 1.0.1g.
>>>>
>>>> On Thu, Feb 9, 2017 at 4:51 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> Still fails, no use upgrading openssl to latest version. Any more ideas?
>>>>
>>>> openssl version -a
>>>> OpenSSL 1.0.2k 26 Jan 2017
>>>> built on: reproducible build, date unspecified
>>>> platform: linux-x86_64
>>>> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int)
>>>> blowfish(idx)
>>>> compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT
>>>> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2
>>>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
>>>> -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
>>>> -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
>>>> OPENSSLDIR: "/usr/local/ssl"
>>>>
>>>>
>>>> On Thu, Feb 9, 2017 at 7:12 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> So far done apt-get update on openssl, let's give manual install to
>>>> latest a try. What can possibly go wrong with that, right!
>>>>
>>>> On Thu, Feb 9, 2017 at 7:09 PM, Tristan Mahé <gled at remote-shell.net>
>>>> wrote:
>>>>
>>>> openssl too old, not containing the necessary algorithms?
>>>>
>>>> On 02/09/2017 04:05 PM, SamyGo wrote:
>>>>
>>>> Hi,
>>>> I've been trying to figure out the error that causes the WebRTC based calls
>>>> to hang up.
>>>>
>>>> 2017-02-09 18:57:53.708073 [NOTICE] switch_rtp.c:1275 Auto Changing audio stun/rtp/dtls port from 70.54.102.180:56188 to 70.54.102.180:1572
>>>> 2017-02-09 18:57:54.688079 [ERR] switch_rtp.c:3165 audio Handshake failure 1
>>>> 2017-02-09 18:57:54.688079 [INFO] switch_rtp.c:3166 Changing audio DTLS state from HANDSHAKE to FAIL
>>>>
>>>> Operating System is: Ubuntu 14.04.5 LTS
>>>>
>>>> *OpenSSL version:*
>>>> OpenSSL 1.0.1f 6 Jan 2014
>>>> built on: Mon Jan 30 20:38:38 UTC 2017
>>>> platform: debian-amd64
>>>> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
>>>> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
>>>> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
>>>> -fstack-protector --param=ssp-buffer-size=4 -Wformat
>>>> -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
>>>> -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
>>>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
>>>> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
>>>> -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>>>> OPENSSLDIR: "/usr/lib/ssl"
>>>>
>>>> Tried couple of Jira Bug links around this and still no progress.
>>>> Disabling "inbound_late_negotiations" doesn't help either.
>>>>
>>>>
>>>> Regards,
>>>> Sammy
>>>>
>>>>
>
>
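The mixed linkage visible in the ldd output at the top of this message, which is the same-process situation Michael describes, can be checked mechanically. The script below is an added example, not part of the original thread; its function names are illustrative, and the sample input is the ldd output quoted above with wrapped lines rejoined.

```bash
#!/usr/bin/env bash
# Added example: detect more than one OpenSSL build linked into one binary.
# Input is `ldd` output on stdin; all function names are illustrative.

# Keep only real OpenSSL libraries, printed as "soname path".
# libssl3.so (NSS) and libk5crypto.so.3 (Kerberos) match a loose
# grep for "ssl|crypto" but are unrelated libraries, so they are dropped.
openssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so\.[0-9]/ && $2 == "=>" { print $1, $3 }' | sort -u
}

# Exit status 0 when at most one libssl and one libcrypto are linked,
# 1 when two builds would share a process.
check_single_openssl() {
    openssl_libs | awk '
        /^libssl\.so\./    { ssl++ }
        /^libcrypto\.so\./ { crypto++ }
        NF                 { print "  " $0 }
        END {
            if (ssl > 1 || crypto > 1) {
                printf "CONFLICT: %d libssl and %d libcrypto builds\n", ssl, crypto
                exit 1
            }
            print "OK: at most one OpenSSL build linked"
        }'
}

# The ldd output quoted in the post, with wrapped lines rejoined.
sample_ldd() {
    cat <<'EOF'
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f6fb14ce000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f6fb10e9000)
    libssl3.so => /lib64/libssl3.so (0x00007f6fb0167000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6faec3d000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f6fae164000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6fadd7a000)
EOF
}

# Real use would be: ldd "$(command -v freeswitch)" | check_single_openssl
sample_ldd | check_single_openssl || true
```

ldd lists transitive dependencies, so a second build pulled in by another library the binary links to is reported as well.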