Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.51, 1.52, 1.53
    • Fix Version/s: 1.54
    • Labels:
      None
    • Environment:
      Windows machine, local network.

      Description

      I'm trying to establish a DTLS connection between two WebRTC peers, the connection in Firefox is established correctly but fails on Chrome during the handshake.

      I've captured the traffic between the handshake (using Chrome) and got the following results (extended version in attachment):

      1258 10:26:01.483717000 172.22.1.44 52284 172.22.0.141 18028 DTLSv1.0 205 Client Hello
      1259 10:26:01.489932000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 133 Server Hello
      1260 10:26:01.490322000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 781 Certificate
      1261 10:26:01.494327000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 268 Server Key Exchange[Malformed Packet]
      1262 10:26:01.494450000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 83 Certificate Request
      1263 10:26:01.494511000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 67 Server Hello Done
      1283 10:26:02.483950000 172.22.1.44 52284 172.22.0.141 18028 DTLSv1.2 205 Client Hello
      1310 10:26:03.487070000 172.22.0.141 18028 172.22.1.44 52284 DTLSv1.0 133 Server Hello
      ....

      172.22.0.141 - In this machine I have a WebRTC custom gateway using bouncy castle.
      172.22.1.44 - This is the chrome peer client machine.


      Two things I can't understand:

      1- It appears the "Server Key Exchange" is malformed.
      2- In the second attempt, chrome uses DTLS1.2 but the response is in DTLS1.0.

      The problem happens on the handshake connect (DTLSServerProtocol -> serverHandshake -> clientMessage = handshake.receiveMessage();). It appears that there is no further responses so the code just hangs.

      I believe this is related to the key exchange being malformed? When using firefox I can't see this problem on the capture.

      Note:
      * Works correctly using 1.50.

      Thanks.

        Activity

        Hide
        João Alves added a comment -
        The modification works :) Thanks Peter !
        Show
        João Alves added a comment - The modification works :) Thanks Peter !
        Hide
        Peter Dettman added a comment -
        Thanks for the confirmation.
        Show
        Peter Dettman added a comment - Thanks for the confirmation.
        Hide
        João Alves added a comment -
        Ah, I have found a problem, when handshaking a connection with Firefox I have the following error:

        org.bouncycastle.crypto.tls.TlsFatalAlert: illegal_parameter(47)
        at org.bouncycastle.crypto.tls.TlsUtils.verifySupportedSignatureAlgorithm(TlsUtils.java:941)
        at org.bouncycastle.crypto.tls.DTLSServerProtocol.processCertificateVerify(DTLSServerProtocol.java:515)
        at org.bouncycastle.crypto.tls.DTLSServerProtocol.serverHandshake(DTLSServerProtocol.java:254)
        at org.bouncycastle.crypto.tls.DTLSServerProtocol.accept(DTLSServerProtocol.java:65)
        Show
        João Alves added a comment - Ah, I have found a problem, when handshaking a connection with Firefox I have the following error: org.bouncycastle.crypto.tls.TlsFatalAlert: illegal_parameter(47) at org.bouncycastle.crypto.tls.TlsUtils.verifySupportedSignatureAlgorithm(TlsUtils.java:941) at org.bouncycastle.crypto.tls.DTLSServerProtocol.processCertificateVerify(DTLSServerProtocol.java:515) at org.bouncycastle.crypto.tls.DTLSServerProtocol.serverHandshake(DTLSServerProtocol.java:254) at org.bouncycastle.crypto.tls.DTLSServerProtocol.accept(DTLSServerProtocol.java:65)
        Hide
        João Alves added a comment -
        Should I create a new Issue with the problem described above?
        Show
        João Alves added a comment - Should I create a new Issue with the problem described above?
        Hide
        João Alves added a comment -
        I think I solved it, I found out that the signature algorithms weren't matching. I've added *SignatureAlgorithm.ecdsa* to the *getCertificateRequest()* function and it works.

        Thanks.
        Show
        João Alves added a comment - I think I solved it, I found out that the signature algorithms weren't matching. I've added *SignatureAlgorithm.ecdsa* to the *getCertificateRequest()* function and it works. Thanks.

          People

          • Assignee:
            Peter Dettman
            Reporter:
            João Alves
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: