[Freeswitch-users] WebRTC calls failing

Michael Jerris mike at jerris.com
Tue Feb 14 00:12:15 MSK 2017


You likely need to build latest 1.0.1 and package it just like they do for 1.0.1e… you might need some of their patches (the build ones, but probably not the code ones).  It would need to install to the same locations and update the previous os package.  1.0.1 is api/abi stable so you can upgrade without rebuilding everything underneath it.


> On Feb 13, 2017, at 4:03 PM, Tihomir Culjaga <tculjaga at gmail.com> wrote:
> 
> Mike, I totally agree with you here... but what drives me crazy is the fact im running latest centos 7 and, still, i got OpenSSL 1.0.1e-fips 11 Feb 2013... okay its patched by RH but its not enough.
> 
> In this scenario WebRTC works on Chrome and Opera but doesn't work on FireFox.
> 
> Of course, I tried to link freeswitch to openssl 1.0.2k ... and it builds nice.
> 
>  ./configure CFLAGS="-I /usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib/"
> 
> 
> but what i see is 
> 
> 
> # ldd freeswitch | grep -E "ssl|crypto"
>         libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f6fb14ce000)
>         libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f6fb10e9000)
>         libssl3.so => /lib64/libssl3.so (0x00007f6fb0167000)
>         libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6faec3d000)
>         libssl.so.10 => /lib64/libssl.so.10 (0x00007f6fae164000)
>         libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6fadd7a000)
> 
> not sure i would run it in production.
> 
> well, this is just sad :)
> 
> need to find a clean way to update openssl on centos 7...
> 
> Tihomir.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 13 February 2017 at 20:43, Michael Jerris <mike at jerris.com <mailto:mike at jerris.com>> wrote:
> Issues come in to play in that freeswitch links to some other things that also use openssl.  using 2 different versions twice in the same process is a problem as openssl uses some global data.  Due to this issue, all things linked to the same process must use the same version.  Its typically safe based on openssl versioning to update to the same version with a different letter revision and it will be both api and abi compatible.  This can be done simply overwriting the system package, or building a system package with the newer version.  There are lots of ways you can mess this up and end up with part of one version and part of another version.  If you upgrade to a new version number, everything that links to openssl and links to freeswitch will need to be rebuilt against the newer version.  I’ve seen all but one person who has attempted this on ubuntu do it incorrectly.  Using older ubuntu also has the downside that all the other dependency libs are older versions that are not well tested, and particularly on ubuntu 14.04 we see a number of mysterious issues we don’t see on debian.  In short, if you want some confidence that freeswitch will run reliably, the best way to do so would be to use the most tested reference platform.  If you choose to use ubuntu 14.04, expect mysterious crashes or features that simply don’t work that we can not help troubleshoot.
> 
> Mike
> 
> 
> 
>> On Feb 13, 2017, at 2:28 PM, Tihomir Culjaga <tculjaga at gmail.com <mailto:tculjaga at gmail.com>> wrote:
>> 
>> well, can't we just compile a latest version of openssl from source and link that libssl somehow ?
>> 
>> On 10 February 2017 at 23:37, SamyGo <govoiper at gmail.com <mailto:govoiper at gmail.com>> wrote:
>> Yes, indeed I'm still stuck at it and getting hold of a Debian Box to handle this part.
>> 
>> Thanks for the followup, will revert if Debian shows any issues.
>> 
>> Regards,
>> Sammy
>> 
>> On Fri, Feb 10, 2017 at 10:29 AM, Michael Jerris <mike at jerris.com <mailto:mike at jerris.com>> wrote:
>> if you are still struggling at this point to get it to install properly, i'd suggest using debian 8.
>> 
>> On Fri, Feb 10, 2017 at 2:07 AM SamyGo <govoiper at gmail.com <mailto:govoiper at gmail.com>> wrote:
>> Thanks Michael for your feedback. 
>> 
>> Just to be clear are we heading in the right direction? I've tried using the latest git version of FreeSWITCH as well to no avail. 
>> 
>> Best Regards,
>> Sammy
>> 
>> 
>> On Fri, Feb 10, 2017 at 12:48 AM, Michael Jerris <mike at jerris.com <mailto:mike at jerris.com>> wrote:
>> 1.0.1h or later will work correctly, but getting it installed properly on top of the ubuntu one with all the bits in the right place is kind of a pain.  Strongly suggest using debian 8 to make your life easier, if not, you’ll have to figure out how to build a new 1.0.1 openssl to build against properly for your distro.
>> 
>> 
>>> On Feb 9, 2017, at 9:16 PM, Oleg Stolyar <olegstolyar at gmail.com <mailto:olegstolyar at gmail.com>> wrote:
>>> 
>>> Unfortunately, no.  My company just happened to have a compatible special version made for something else but it's only available internally.
>>> 
>>> On Thu, Feb 9, 2017 at 6:02 PM, SamyGo <govoiper at gmail.com <mailto:govoiper at gmail.com>> wrote:
>>> Thanks Oleg,
>>> Mine is still on 1.0.1h , Im trying to get the latest one but the Ubuntu14.04 takes me nowhere. My idea was that if I'm installing OpenSSL latest release from sources then the libssl-dev would be installed and updated along with it, no ?
>>> 
>>> Do you've any link or pointers as how to get the libssl-dev installed manually ?
>>> 
>>> Thanks & Regards,
>>> Sammy
>>> 
>>> 
>>> On Thu, Feb 9, 2017 at 8:06 PM, Oleg Stolyar <olegstolyar at gmail.com <mailto:olegstolyar at gmail.com>> wrote:
>>> This is a known issue on Ubuntu 14.04 and recent versions of Chrome.  
>>> openssl does not need to be updated for Chrome 52+ to work.  libssl-dev is the one that needs to be updated at least to 1.0.1g.
>>> 
>>> On Thu, Feb 9, 2017 at 4:51 PM, SamyGo <govoiper at gmail.com <mailto:govoiper at gmail.com>> wrote:
>>> Still fails, no use upgrading openssl to latest version. Anymore ideas?
>>> 
>>> openssl version -a
>>> OpenSSL 1.0.2k  26 Jan 2017
>>> built on: reproducible build, date unspecified
>>> platform: linux-x86_64
>>> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
>>> compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
>>> OPENSSLDIR: "/usr/local/ssl"
>>> 
>>> 
>>> On Thu, Feb 9, 2017 at 7:12 PM, SamyGo <govoiper at gmail.com <mailto:govoiper at gmail.com>> wrote:
>>> so far done ap-get update on openssl, lets give manual install to latest a try. What can possibly go wrong with that, right !
>>> 
>>> On Thu, Feb 9, 2017 at 7:09 PM, Tristan Mahé <gled at remote-shell.net <mailto:gled at remote-shell.net>> wrote:
>>> openssl too old not containing the necessary algorythms ?
>>> 
>>> On 02/09/2017 04:05 PM, SamyGo wrote:
>>>> Hi,
>>>> I've trying to figure out the error that causes the WebRTC based calls to hangup.
>>>> 
>>>> 2017-02-09 18:57:53.708073 [NOTICE] switch_rtp.c:1275 Auto Changing audio stun/rtp/dtls port from 70.54.102.180:56188 <http://70.54.102.180:56188/> to 70.54.102.180:1572 <http://70.54.102.180:1572/>
>>>> 2017-02-09 18:57:54.688079 [ERR] switch_rtp.c:3165 audio Handshake failure 1
>>>> 2017-02-09 18:57:54.688079 [INFO] switch_rtp.c:3166 Changing audio DTLS state from HANDSHAKE to FAIL
>>>> 
>>>> Operating System is: Ubuntu 14.04.5 LTS
>>>> 
>>>> OpenSSL version:
>>>> OpenSSL 1.0.1f 6 Jan 2014
>>>> built on: Mon Jan 30 20:38:38 UTC 2017
>>>> platform: debian-amd64
>>>> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
>>>> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
>>>> OPENSSLDIR: "/usr/lib/ssl"
>>>> 
>>>> Tried couple of Jira Bug links around this and still no progress. Disabling "inbound_late_negotiations" doesn't help either.
>>>> 
>>>> 
>>>> Regard,
>>>> Sammy
>>>> 
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org <http://www.freeswitch.org/>
> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
> http://www.cluecon.com <http://www.cluecon.com/>
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
> http://www.freeswitch.org <http://www.freeswitch.org/>
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services: 
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170213/6d8ef2c6/attachment-0001.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list