jitsi / jitsi-videobridge

Jitsi Videobridge is a WebRTC-compatible video router or SFU that lets you build highly scalable video conferencing infrastructure (i.e., up to hundreds of conferences per server).
https://jitsi.org/jitsi-videobridge
Apache License 2.0

Fresh self-host install fails for >=3 participants with "fatal alert: protocol_version" #1366

Open dabbler0 opened 4 years ago

dabbler0 commented 4 years ago


Description

A self-hosted Jitsi Meet server on Ubuntu 18.04, hosted exactly as described in https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart, cannot support conferences with 3 or more people due to javax.net.ssl.SSLException: Received fatal alert: protocol_version.


Current behavior

After creating a fresh Jitsi Meet server as described in the self-hosting guide, rooms with 2 people function normally, but when a third person joins the room all tracks go dead (clients interpret this as everyone having muted and turned off video). jvb.log reports the following error:

WARNING: [32] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$8#669: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLException: Received fatal alert: protocol_version
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1076)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:820)
Caused by: javax.net.ssl.SSLException: Received fatal alert: protocol_version
        at com.ibm.jsse2.k.a(k.java:1)
        at com.ibm.jsse2.k.a(k.java:14)
        at com.ibm.jsse2.av.b(av.java:761)
        at com.ibm.jsse2.av.a(av.java:582)
        at com.ibm.jsse2.av.i(av.java:136)
        at com.ibm.jsse2.av.a(av.java:1001)
        at com.ibm.jsse2.av.startHandshake(av.java:991)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:810)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1200(XMPPTCPConnection.java:151)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1071)
        ... 3 more

A similar error is reported with severity SEVERE by Jicofo. Prosody reports refused connections with "unsupported protocol."


Expected Behavior

Three people should be able to join on a self-hosted server and see each other's video and audio tracks.


Possible Solution

The only place I could find online where people had seen this error before had to do with Java 1.8 not supporting SSLv3. I have already tried adding the -Dhttp.protocols=TLSv1.2 flag to the JVB/Jicofo configurations, but all that did was change the error to "wrong ssl version" on the Prosody side. If necessary I can attach the logs from when I tried to do this.

The error appears to have been introduced sometime around the last two weeks. The oldest community forum post about it is from 11 days ago: https://community.jitsi.org/t/jicofo-logs-showing-error-sslexception-received-fatal-alert-protocol-version/71938.


Steps to reproduce

I reproduced this using a Google Compute Engine virtual machine, so you should be able to follow my steps exactly.

  1. Create a new GCE virtual machine with Ubuntu 18.04 and all other settings default. Give it a static external IP address and create a domain name pointing to it.
  2. Follow the steps at https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart exactly, using the domain name you set up in step (1), starting with self-signed certificates and then replacing them with Let's Encrypt certificates using the script included with Jitsi. When you need to set up the firewall, use GCE's firewall configuration instead of the ufw since that is the one that actually affects networking.
  3. Visit (your domain name)/test in two tabs. A working video chat should begin between the two tabs.
  4. Visit (your domain name)/test in a third tab. Suddenly all three tabs should see three participants but with no remote video or audio tracks; the UI will claim that everyone has muted their audio and video.

Environment details

This was done on a Google Compute Engine n1-standard-1 virtual machine running Ubuntu 18.04.


dabbler0 commented 4 years ago

Thanks to gauravnavgire on the forums for finding a workaround for this. The problem is that the Ubuntu jitsi-meet package installs IBM Java instead of OpenJDK, and they support different SSL protocols. The jitsi-meet package should be updated to depend on OpenJDK instead, and in the meantime the self-host guide should be updated. To work around this issue, install openjdk-8-jdk and nginx before beginning the self-host guide, and run apt install --no-install-recommends jitsi-meet instead of apt install jitsi-meet.
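
Added example, not part of the issue thread or the Jitsi project: the `com.ibm.jsse2` frames in the quoted trace already identify IBM's TLS stack, and this script reads that from a log and classifies `java -version` output. The function names, the constructed sample log, and the vendor strings matched (`IBM J9`, `OpenJDK`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue or the Jitsi project).
# Names the JSSE provider behind a "protocol_version" alert in a JVB/Jicofo
# log and classifies `java -version` output, so an IBM-vs-OpenJDK mismatch
# is visible before reinstalling anything.

# Print which TLS stack raised the alert, judged by stack-frame packages.
tls_provider_from_log() {
    log=$1
    if ! grep -q 'SSLException: Received fatal alert: protocol_version' "$log"; then
        echo "no-alert"
    elif grep -q '^[[:space:]]*at com\.ibm\.jsse2\.' "$log"; then
        echo "ibm-jsse2"          # IBM Java's JSSE provider, as in the issue's trace
    elif grep -q '^[[:space:]]*at sun\.security\.ssl\.' "$log"; then
        echo "openjdk-sunjsse"    # OpenJDK's JSSE provider
    else
        echo "unknown"
    fi
}

# Classify the text printed by `java -version` (read from stdin).
# Assumption: IBM builds print "IBM J9", OpenJDK builds print "OpenJDK".
jvm_vendor() {
    ver=$(cat)
    case $ver in
        *"IBM J9"*) echo "ibm" ;;
        *OpenJDK*)  echo "openjdk" ;;
        *)          echo "other" ;;
    esac
}

# Constructed sample: three lines in the shape of the trace quoted in the issue.
sample_log() {
    cat <<'EOF'
org.jivesoftware.smack.SmackException: javax.net.ssl.SSLException: Received fatal alert: protocol_version
Caused by: javax.net.ssl.SSLException: Received fatal alert: protocol_version
        at com.ibm.jsse2.av.startHandshake(av.java:991)
EOF
}

# On a host: sh triage.sh path/to/jvb.log   (script name is hypothetical)
if [ $# -ge 1 ]; then
    echo "log provider: $(tls_provider_from_log "$1")"
    echo "active JVM:   $(java -version 2>&1 | jvm_vendor)"
fi
```

A result of `ibm-jsse2` from the log together with `ibm` for the active JVM matches the cause described in the comment above.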