[Freeswitch-users] Freeswitch use DTLS v1.0 instead of DTLS v1.2
François-Xavier Geneste
fx.geneste at telemaque.fr
Tue May 12 17:43:17 UTC 2020
Hello guys,
I've been facing big trouble for several hours and need help....
I'm using Freeswitch v1.10.2 with webRTC successfully installed and
running. On the user/webphone side, I'm using Chrome 81.0.4044.138.
Incoming and outgoing calls work fine with my webphone stack on my
browsers (Firefox, Chrome). No warnings or errors on either side.
But when I do the following scenario with a webphone that can
manage several calls at the same time (multi-line feature), it does not
work:
1. make a first call routed to a webrtc extension, answer it and keep
it connected
2. make a second call routed to the same extension, do not answer and
keep the first call connected
3. make a third call routed to the same extension and hold the first
line to accept this new call => when I try to answer this 3rd call,
the call is always dropped
After digging into logs, and packets captured with wireshark, I
found that when the freeswitch tries to exchange with the browser to
negotiate the SRTP flow for the 3rd call, it uses the DTLS v1.0 protocol (instead
of v1.2) :
Unfortunately, support for DTLS v1.0 seems to have been dropped on
my webphone/browser side and the freeswitch fails on the last DTLS exchange
with these logs :
[INFO] switch_rtp.c:3736 Activate RTP/RTCP audio DTLS client
[INFO] switch_rtp.c:3903 Changing audio DTLS state from OFF to HANDSHAKE
[...]
[ERR] switch_rtp.c:3266 audio Handshake failure 1. This may happen when
you use legacy DTLS v1.0 (legacyDTLS channel var is set) but endpoint
requires DTLS v1.2.
On freeswitch side, I found only one option linked to the DTLS
version (legacyDTLS, as written in logs) which I never set in my config.
I checked my OpenSSL version on the freeswitch server (1.1.1d).
The thing that is disturbing to me is that if I hold the first call
and answer the second call, it works well. The issue occurs only for the
third call and after a missed/refused call while still connected with
first call in parallel.
Digging into the freeswitch source, I found that it seems to use the
version-flexible DTLS methods of openssl (DTLS_server_method() and
DTLS_client_method()) and I cannot see how to quickly and simply always
force DTLS v1.2?
Have any of you ever had this kind of problem or know how to solve it?
Regards,
FX