[Freeswitch-users] WebRTC calls failing

Tihomir Culjaga tculjaga at gmail.com
Tue Feb 14 00:03:31 MSK 2017


Mike, I totally agree with you here... but what drives me crazy is the fact
I'm running latest centos 7 and, still, I got OpenSSL 1.0.1e-fips 11 Feb
2013... okay it's patched by RH but it's not enough.

In this scenario WebRTC works on Chrome and Opera but doesn't work on
Firefox.

Of course, I tried to link freeswitch to openssl 1.0.2k ... and it builds
nice.

 ./configure CFLAGS="-I /usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib/"


but what I see is


# ldd freeswitch | grep -E "ssl|crypto"
        libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f6fb14ce000)
        libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f6fb10e9000)
        libssl3.so => /lib64/libssl3.so (0x00007f6fb0167000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6faec3d000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f6fae164000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6fadd7a000)

not sure I would run it in production.

well, this is just sad :)

need to find a clean way to update openssl on centos 7...

Tihomir.
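
An added example (not part of the original post): a shell check over `ldd` output that reports when one binary resolves more than one OpenSSL `libssl`/`libcrypto` soname, the mixed-version situation Mike describes in the quoted reply. The function names are this example's own, and the embedded sample is the `ldd` output from this message.

```shell
#!/bin/sh
# Added example: detect two OpenSSL builds resolved into one process.

# Constructed sample: the ldd output quoted in this message, addresses rejoined.
sample_ldd() {
cat <<'EOF'
        libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f6fb14ce000)
        libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f6fb10e9000)
        libssl3.so => /lib64/libssl3.so (0x00007f6fb0167000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6faec3d000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f6fae164000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6fadd7a000)
EOF
}

# Read ldd output on stdin; print "soname path" for OpenSSL libraries only.
# Matching "libssl.so.N" / "libcrypto.so.N" skips NSS (libssl3.so) and
# Kerberos (libk5crypto.so.3), which grep -E "ssl|crypto" also picks up.
openssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so\.[0-9]/ && $2 == "=>" { print $1, $3 }' | sort -u
}

# Read openssl_sonames output on stdin; print how many distinct sonames
# exist for the library named in $1 ("ssl" or "crypto").
count_versions() {
    awk -v p="lib$1.so." 'index($1, p) == 1 { seen[$1] = 1 }
        END { n = 0; for (k in seen) n++; print n }'
}

# Read ldd output on stdin; return 1 and list the offenders on stderr when
# more than one libssl or libcrypto soname is loaded, otherwise return 0.
check_mixed_openssl() {
    libs=$(openssl_sonames)
    rc=0
    for lib in ssl crypto; do
        n=$(printf '%s\n' "$libs" | count_versions "$lib")
        if [ "$n" -gt 1 ]; then
            echo "MIXED: $n lib$lib sonames resolved for one binary:" >&2
            printf '%s\n' "$libs" | grep "^lib$lib\.so\." >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a real binary: ldd ./freeswitch | check_mixed_openssl
if sample_ldd | check_mixed_openssl; then echo "single OpenSSL"; else echo "mixed OpenSSL"; fi
```

`ldd` lists the transitive closure, so to see which dependency pulls in the system copy, check each library's direct NEEDED entries with `readelf -d`.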

On 13 February 2017 at 20:43, Michael Jerris <mike at jerris.com> wrote:

> Issues come in to play in that freeswitch links to some other things that
> also use openssl.  using 2 different versions twice in the same process is
> a problem as openssl uses some global data.  Due to this issue, all things
> linked to the same process must use the same version.  It's typically safe
> based on openssl versioning to update to the same version with a different
> letter revision and it will be both api and abi compatible.  This can be
> done simply overwriting the system package, or building a system package
> with the newer version.  There are lots of ways you can mess this up and
> end up with part of one version and part of another version.  If you
> upgrade to a new version number, everything that links to openssl and links
> to freeswitch will need to be rebuilt against the newer version.  I’ve seen
> all but one person who has attempted this on ubuntu do it incorrectly.
> Using older ubuntu also has the downside that all the other dependency libs
> are older versions that are not well tested, and particularly on ubuntu
> 14.04 we see a number of mysterious issues we don’t see on debian.  In
> short, if you want some confidence that freeswitch will run reliably, the
> best way to do so would be to use the most tested reference platform.  If
> you choose to use ubuntu 14.04, expect mysterious crashes or features that
> simply don’t work that we can not help troubleshoot.
>
> Mike
>
>
>
> On Feb 13, 2017, at 2:28 PM, Tihomir Culjaga <tculjaga at gmail.com> wrote:
>
> well, can't we just compile a latest version of openssl from source and
> link that libssl somehow ?
>
> On 10 February 2017 at 23:37, SamyGo <govoiper at gmail.com> wrote:
>
>> Yes, indeed I'm still stuck at it and getting hold of a Debian Box to
>> handle this part.
>>
>> Thanks for the followup, will revert if Debian shows any issues.
>>
>> Regards,
>> Sammy
>>
>> On Fri, Feb 10, 2017 at 10:29 AM, Michael Jerris <mike at jerris.com> wrote:
>>
>>> if you are still struggling at this point to get it to install properly,
>>> i'd suggest using debian 8.
>>>
>>> On Fri, Feb 10, 2017 at 2:07 AM SamyGo <govoiper at gmail.com> wrote:
>>>
>>>> Thanks Michael for your feedback.
>>>>
>>>> Just to be clear are we heading in the right direction? I've tried
>>>> using the latest git version of FreeSWITCH as well to no avail.
>>>>
>>>> Best Regards,
>>>> Sammy
>>>>
>>>>
>>>> On Fri, Feb 10, 2017 at 12:48 AM, Michael Jerris <mike at jerris.com>
>>>> wrote:
>>>>
>>>> 1.0.1h or later will work correctly, but getting it installed properly
>>>> on top of the ubuntu one with all the bits in the right place is kind of a
>>>> pain.  Strongly suggest using debian 8 to make your life easier, if not,
>>>> you’ll have to figure out how to build a new 1.0.1 openssl to build against
>>>> properly for your distro.
>>>>
>>>>
>>>> On Feb 9, 2017, at 9:16 PM, Oleg Stolyar <olegstolyar at gmail.com> wrote:
>>>>
>>>> Unfortunately, no.  My company just happened to have a compatible
>>>> special version made for something else but it's only available internally.
>>>>
>>>> On Thu, Feb 9, 2017 at 6:02 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> Thanks Oleg,
>>>> Mine is still on 1.0.1h, I'm trying to get the latest one but the
>>>> Ubuntu14.04 takes me nowhere. My idea was that if I'm installing OpenSSL
>>>> latest release from sources then the libssl-dev would be installed and
>>>> updated along with it, no ?
>>>>
>>>> Do you've any link or pointers as how to get the libssl-dev installed
>>>> manually ?
>>>>
>>>> Thanks & Regards,
>>>> Sammy
>>>>
>>>>
>>>> On Thu, Feb 9, 2017 at 8:06 PM, Oleg Stolyar <olegstolyar at gmail.com>
>>>> wrote:
>>>>
>>>> This is a known issue on Ubuntu 14.04 and recent versions of Chrome.
>>>> openssl does not need to be updated for Chrome 52+ to work.  libssl-dev
>>>> is the one that needs to be updated at least to 1.0.1g.
>>>>
>>>> On Thu, Feb 9, 2017 at 4:51 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> Still fails, no use upgrading openssl to latest version. Any more ideas?
>>>>
>>>> openssl version -a
>>>> OpenSSL 1.0.2k  26 Jan 2017
>>>> built on: reproducible build, date unspecified
>>>> platform: linux-x86_64
>>>> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int)
>>>> blowfish(idx)
>>>> compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT
>>>> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2
>>>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
>>>> -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
>>>> -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
>>>> OPENSSLDIR: "/usr/local/ssl"
>>>>
>>>>
>>>> On Thu, Feb 9, 2017 at 7:12 PM, SamyGo <govoiper at gmail.com> wrote:
>>>>
>>>> so far done apt-get update on openssl, let's give manual install to
>>>> latest a try. What can possibly go wrong with that, right !
>>>>
>>>> On Thu, Feb 9, 2017 at 7:09 PM, Tristan Mahé <gled at remote-shell.net>
>>>> wrote:
>>>>
>>>> openssl too old not containing the necessary algorithms ?
>>>>
>>>> On 02/09/2017 04:05 PM, SamyGo wrote:
>>>>
>>>> Hi,
>>>> I've been trying to figure out the error that causes the WebRTC based calls
>>>> to hangup.
>>>>
>>>> 2017-02-09 18:57:53.708073 [NOTICE] switch_rtp.c:1275 Auto Changing audio stun/rtp/dtls port from 70.54.102.180:56188 to 70.54.102.180:1572
>>>> 2017-02-09 18:57:54.688079 [ERR] switch_rtp.c:3165 audio Handshake failure 1
>>>> 2017-02-09 18:57:54.688079 [INFO] switch_rtp.c:3166 Changing audio DTLS state from HANDSHAKE to FAIL
>>>>
>>>> Operating System is: Ubuntu 14.04.5 LTS
>>>>
>>>> *OpenSSL version:*
>>>> OpenSSL 1.0.1f 6 Jan 2014
>>>> built on: Mon Jan 30 20:38:38 UTC 2017
>>>> platform: debian-amd64
>>>> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
>>>> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
>>>> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
>>>> -fstack-protector --param=ssp-buffer-size=4 -Wformat
>>>> -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
>>>> -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
>>>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
>>>> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
>>>> -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>>>> OPENSSLDIR: "/usr/lib/ssl"
>>>>
>>>> Tried couple of Jira Bug links around this and still no progress.
>>>> Disabling "inbound_late_negotiations" doesn't help either.
>>>>
>>>>
>>>> Regards,
>>>> Sammy
>>>>
>>>>