AirenSoft / OvenMediaEngine

OvenMediaEngine (OME) is a Sub-Second Latency Live Streaming Server with Large-Scale and High-Definition. #WebRTC #LLHLS
https://OvenMediaEngine.com/ome
GNU Affero General Public License v3.0

Certificates with OCSP Must-Staple fail when connecting from Firefox #1129

Closed getroot closed 1 year ago

getroot commented 1 year ago

Discussed in https://github.com/AirenSoft/OvenMediaEngine/discussions/1100

Originally posted by **hashworks** October 31, 2022

**Describe the bug**
I'm using a WebRTC publisher on TLS port `3334` using Let's Encrypt certificates created with `--must-staple`. When I connect using Chromium, everything works as expected. When I connect using Firefox the WebSocket connection times out and the server logs the following:

```
[SPRtcSig-T3334:275556] OpenSSL | tls.cpp:193 | An error occurred while accept SSL connection: [OpenSSL] error:0A000412:SSL routines::sslv3 alert bad certificate (167773202)
```

The error occurs [here](https://github.com/AirenSoft/OvenMediaEngine/blob/v0.14.14/src/projects/base/ovcrypto/openssl/tls.cpp#L193). When I re-create the certificates without `--must-staple` everything works as expected.

**To Reproduce**
Steps to reproduce the behavior:
1. Create certificates with OCSP Must-Staple
2. Set Server.xml [like this](https://fb.hash.works/gPoKWc/xml)
3. Publish using any configured provider (RTMP)
4. Open `wss://stream.example.net:3334/live/stream` with an OvenPlayer in Chromium, see that it works
5. Open `wss://stream.example.net:3334/live/stream` with an OvenPlayer in Firefox, note the timeout and the SSL error in the OvenMediaEngine log

**Expected behavior**
The server can handle OCSP Must-Staple.

**Logs**
There are no other relevant log messages than the OpenSSL error, even with debug logging.

**Server:**
- OS: Arch Linux
- OvenMediaEngine Version: v0.14.14
- Branch: git tag

**Player:**
- Device: OvenPlayer Demo
- OS: Arch Linux
- Browser: Chromium (:heavy_check_mark:) / Firefox (:x:)
- Version: Firefox 106.0.2

**Additional context**
The certificate looks [like this](https://fb.hash.works/b9Eeqn/#n65) (note the OCSP info).
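The failure above is the combination of a leaf certificate that carries the TLS Feature (must-staple, RFC 7633) extension and a server that does not include a stapled OCSP response in the handshake; Firefox enforces the flag and aborts with a `bad certificate` alert, which is what the server-side log records. The following helpers, added here as an example and not part of the issue or of OvenMediaEngine, let an operator check both halves with the `openssl` CLI (assumed to be 1.1.1 or newer and on PATH). The hostname and port in the driver are placeholders.

```shell
#!/usr/bin/env bash
# Added diagnostic helpers for the OCSP Must-Staple failure described in the
# issue; not OvenMediaEngine code. Assumes the `openssl` CLI (1.1.1+) is on
# PATH. Host and port are placeholders for the reader's own server.

# Returns 0 if the PEM certificate in $1 carries the TLS Feature extension
# with status_request, i.e. it was issued with must-staple (certbot's
# --must-staple). A client honouring the flag, such as Firefox, refuses
# the handshake unless the server staples a fresh OCSP response; the server
# then only sees the client's "bad certificate" alert.
cert_has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' \
        | grep -q 'status_request'
}

# Returns 0 if the TLS server at $1:$2 sends a stapled OCSP response during
# the handshake (needs network access, so it is not exercised by the test).
server_staples_ocsp() {
    local host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Saves the leaf certificate served by $1:$2 as PEM into $3 so the two
# checks can be combined: a must-staple leaf served without a staple is
# exactly the combination that breaks Firefox.
fetch_leaf_cert() {
    local host=$1 port=${2:-443} out=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Driver, e.g.: ./ocsp_check.sh stream.example.net 3334
# (placeholder host/port; the reporter's own are in the issue text)
check_server() {
    local host=$1 port=$2 tmp
    tmp=$(mktemp)
    fetch_leaf_cert "$host" "$port" "$tmp"
    if cert_has_must_staple "$tmp"; then
        if server_staples_ocsp "$host" "$port"; then
            echo "OK: must-staple certificate and the server staples an OCSP response"
        else
            echo "PROBLEM: must-staple certificate but no stapled OCSP response (Firefox will reject the handshake)"
        fi
    else
        echo "INFO: certificate does not require stapling"
    fi
    rm -f "$tmp"
}

if [ $# -ge 2 ]; then
    check_server "$1" "$2"
fi
```

Running the driver against a server whose leaf has the flag but which reports `PROBLEM` reproduces the condition in this issue without a browser; once the server staples, the same check turns to `OK`. Certificates issued without `--must-staple` report `INFO`, matching the reporter's observation that dropping the flag made Firefox connect.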
stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dimiden commented 1 year ago

I have successfully tested the playback with a certificate with the --must-staple option in Firefox. Now you can use OCSP stapling on OME! 48900ca06b89666183d2ef719da8f654773a9ded

getroot commented 1 year ago

The fix for this bug is part of the 0.15.14 release.