[Freeswitch-users] Freeswitch use DTLS v1.0 instead of DTLS v1.2

Valli A. Vallimamod vma at vallimamod.org
Tue May 19 09:27:58 UTC 2020


Hi,

As you seem familiar with the source code, you may add 

	SSL_CTX_set_min_proto_version(dtls->ssl_ctx, DTLS1_2_VERSION);

as a quick hack in switch_rtp.c around where DTLS_server_method() / DTLS_client_method() are called.

But it looks like a bug; you should create an issue on GitHub.



Best Regards,
-- 
Valli A. Vallimamod
SIP Solutions
vma at sip.solutions
linkedin.com/in/vallimamod

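An added diagnostic for the capture-reading step in the question below (it is not code from this thread or from FreeSWITCH): it decodes the version bytes of a DTLS record so you can confirm from a pcap which version was really selected. The version to read is the one inside the ServerHello body; the record-layer header of a ClientHello is commonly pinned to DTLS 1.0 for compatibility and says nothing about what was negotiated. The sample ServerHello bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Wire encodings of DTLS versions: they are the one's complement of the TLS
   values, so the *smaller* number is the *newer* version. */
#define DTLS1_0_WIRE 0xFEFFu
#define DTLS1_2_WIRE 0xFEFDu

#define DTLS_RECORD_HDR_LEN 13 /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_HS_HDR_LEN     12 /* msg_type(1) len(3) msg_seq(2) frag_off(3) frag_len(3) */
#define CT_HANDSHAKE        22
#define HS_CLIENT_HELLO      1
#define HS_SERVER_HELLO      2

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Version in the record-layer header, or 0 if this is not a well-formed DTLS record. */
uint16_t dtls_record_version(const uint8_t *buf, size_t len) {
    if (len < DTLS_RECORD_HDR_LEN || buf[0] < 20 || buf[0] > 23) return 0;
    if (buf[1] != 0xFE) return 0;                              /* DTLS major byte */
    if (be16(buf + 11) > len - DTLS_RECORD_HDR_LEN) return 0;  /* truncated record */
    return be16(buf + 1);
}

/* Version field inside a ClientHello/ServerHello body. For the ServerHello this is
   the version actually selected for the session. Returns 0 for anything else or if
   the version bytes are not in this (first) fragment. */
uint16_t dtls_hello_version(const uint8_t *buf, size_t len) {
    if (dtls_record_version(buf, len) == 0 || buf[0] != CT_HANDSHAKE) return 0;
    if (len < DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN + 2) return 0;
    const uint8_t *hs = buf + DTLS_RECORD_HDR_LEN;
    if (hs[0] != HS_CLIENT_HELLO && hs[0] != HS_SERVER_HELLO) return 0;
    if (hs[6] || hs[7] || hs[8]) return 0;                     /* fragment_offset != 0 */
    if (hs[9] || hs[10] || hs[11] < 2) return 0;                /* fragment too short */
    return be16(hs + DTLS_HS_HDR_LEN);
}

/* Constructed minimal ServerHello records (header + handshake header + version only). */
const uint8_t SAMPLE_SERVER_HELLO_V12[27] = {
    0x16, 0xFE, 0xFD, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0x00, 0x0E, /* record: DTLS 1.2, len 14 */
    0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0, 0, 0, 0, 0, 0x02,     /* ServerHello, frag_len 2 */
    0xFE, 0xFD };                                                 /* server_version = DTLS 1.2 */
const uint8_t SAMPLE_SERVER_HELLO_V10[27] = {
    0x16, 0xFE, 0xFF, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0x00, 0x0E,
    0x02, 0x00, 0x00, 0x02, 0x00, 0x00, 0, 0, 0, 0, 0, 0x02,
    0xFE, 0xFF };                                                 /* server_version = DTLS 1.0 */
```

A ServerHello reporting 0xFEFF is the legacy DTLS 1.0 case the FreeSWITCH log message refers to; 0xFEFD is DTLS 1.2.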

> On 12 May 2020, at 19:43, François-Xavier Geneste <fx.geneste at telemaque.fr> wrote:
> 
> Hello guys,
> 
>     I have been facing a big problem for several hours and need help.... I'm using Freeswitch v1.10.2 with webRTC successfully installed and running. On the user/webphone side, I'm using Chrome 81.0.4044.138. Incoming and outgoing calls work fine with my webphone stack on my browsers (Firefox, Chrome). No warnings or errors on either side.
> 
>     But when I do the following scenario with a webphone that can manage several calls at the same time (multi-line feature), it does not work:
> 
> • make a first call routed to a webrtc extension, answer it and keep it connected
> • make a second call routed to the same extension, do not answer and keep the first call connected
> • make a third call routed to the same extension and hold the first line to accept this new call => when I try to answer this 3rd call, the call is always dropped
> 
>     After digging into logs, and packets captured with wireshark, I found that when FreeSWITCH tries to exchange with the browser to negotiate the SRTP flow for the 3rd call, it uses the DTLS v1.0 protocol (instead of v1.2):
> 
>     Unfortunately, support for DTLS v1.0 seems to have been dropped on my webphone/browser side and FreeSWITCH fails on the last DTLS exchange with these logs:
> 
> [INFO] switch_rtp.c:3736 Activate RTP/RTCP audio DTLS client
> [INFO] switch_rtp.c:3903 Changing audio DTLS state from OFF to HANDSHAKE
> [...]
> [ERR] switch_rtp.c:3266 audio Handshake failure 1. This may happen when you use legacy DTLS v1.0 (legacyDTLS channel var is set) but endpoint requires DTLS v1.2.
> 
> 
>     On the FreeSWITCH side, I found only one option linked to the DTLS version (legacyDTLS, as written in the logs), which I never set in my config. I checked my OpenSSL version on the FreeSWITCH server (1.1.1d).
> 
>     The thing that is disturbing to me is that if I hold the first call and answer the second call, it works well. The issue occurs only for the third call, after a missed/refused call while still connected to the first call in parallel.
> 
>     Digging into the FreeSWITCH source, I found that it seems to use the version-flexible DTLS methods of OpenSSL (DTLS_server_method() and DTLS_client_method()), and I cannot see how to quickly and simply always force DTLS v1.2?
> 
>     Have any of you ever had this kind of problem or know how to solve it?
> 
> Regards,
> 
> FX
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users