pion / dtls

DTLS 1.2 Server/Client implementation for Go
https://pion.ly/
MIT License

DTLS alert insufficient security with libdatachannel #356

Closed paullouisageneau closed 3 years ago

paullouisageneau commented 3 years ago

Your environment.

What did you do?

Running the libdatachannel client in https://github.com/sipsorcery/webrtc-echoes/pull/28 against the Pion echo server.

What did you expect?

The peer connection should succeed, in particular, the DTLS handshake should succeed.

What happened?

The Pion echo server sends a DTLS alert "insufficient security" in response to the DTLS Server Hello from libdatachannel. This behavior happens with both libdatachannel DTLS backends, OpenSSL and GnuTLS.

I've no idea if the issue comes from Pion DTLS or not for now.

The DTLS server (libdatachannel side) chooses the cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, sends an ECDSA certificate with curve secp256r1, sets up ECDH key exchange with secp256r1, and requests a client certificate.

The Server Hello looks OK to me at first sight:

  DTLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 0
        Length: 101
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 89
            Message Sequence: 0
            Fragment Offset: 0
            Fragment Length: 89
            Version: DTLS 1.2 (0xfefd)
            Random: [...]
            Session ID Length: 32
            Session ID: [...]
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Compression Method: null (0)
            Extensions Length: 17
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
    DTLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 1
        Length: 310
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 298
            Message Sequence: 1
            Fragment Offset: 0
            Fragment Length: 298
            Certificates Length: 295
            Certificates (295 bytes)
                Certificate Length: 292
                Certificate: [...] (id-at-commonName=libdatachannel)
                    signedCertificate
                        version: v2 (1)
                        serialNumber: 0x009aff
                        signature (ecdsa-with-SHA256)
                        issuer: rdnSequence (0)
                        validity
                        subject: rdnSequence (0)
                        subjectPublicKeyInfo
                            algorithm (id-ecPublicKey)
                                Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey)
                                ECParameters: namedCurve (1)
                                    namedCurve: 1.2.840.10045.3.1.7 (secp256r1)
                            Padding: 0
                            subjectPublicKey: [...]
                    algorithmIdentifier (ecdsa-with-SHA256)
                    Padding: 0
                    encrypted: [...]
    DTLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 2
        Length: 157
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 145
            Message Sequence: 2
            Fragment Offset: 0
            Fragment Length: 145
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: secp256r1 (0x0017)
                Pubkey Length: 65
                Pubkey: [...]
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Length: 72
                Signature: [...]
    DTLSv1.2 Record Layer: Handshake Protocol: Certificate Request
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 3
        Length: 66
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 54
            Message Sequence: 3
            Fragment Offset: 0
            Fragment Length: 54
            Certificate types count: 3
            Certificate types (3 types)
                Certificate type: RSA Sign (1)
                Certificate type: DSS Sign (2)
                Certificate type: ECDSA Sign (64)
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                Signature Algorithm: ed25519 (0x0807)
                Signature Algorithm: ed448 (0x0808)
                Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Algorithm: SHA224 ECDSA (0x0303)
                Signature Algorithm: ecdsa_sha1 (0x0203)
                Signature Algorithm: SHA224 RSA (0x0301)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                Signature Algorithm: SHA224 DSA (0x0302)
                Signature Algorithm: SHA1 DSA (0x0202)
                Signature Algorithm: SHA256 DSA (0x0402)
                Signature Algorithm: SHA384 DSA (0x0502)
                Signature Algorithm: SHA512 DSA (0x0602)
            Distinguished Names Length: 0
    DTLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 4
        Length: 12
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
            Message Sequence: 4
            Fragment Offset: 0
            Fragment Length: 0

Full packet capture: libdatachannel_pion_handshake_failed.zip

Sean-Der commented 3 years ago

Woot, so excited to see this interop happening :)

I was able to reproduce, should have an answer real quick.

Sean-Der commented 3 years ago

The issue is that the ServerHello doesn't contain a use_srtp extension. These are the entries in our ClientHello.

Extension: use_srtp (len=7)
    Type: use_srtp (14)
    Length: 7
    SRTP Protection Profiles Length: 4
    SRTP Protection Profile: SRTP_AEAD_AES_128_GCM (0x0007)
    SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_80 (0x0001)
    MKI Length: 0
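As an added illustration of the check Sean-Der describes (example code, not pion/dtls's own implementation): a small Go parser for the use_srtp extension body (RFC 5764) and the client-side decision that a ServerHello lacking the extension, or selecting a profile the client did not offer, ends the handshake with insufficient_security. ClientUseSRTP is constructed from the dissected ClientHello above; the function and variable names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Constructed from the dissected ClientHello above: profiles length 4, profiles
// SRTP_AEAD_AES_128_GCM (0x0007) and SRTP_AES128_CM_HMAC_SHA1_80 (0x0001), MKI length 0.
var ClientUseSRTP = []byte{0x00, 0x04, 0x00, 0x07, 0x00, 0x01, 0x00}

var ErrInsufficientSecurity = errors.New("insufficient_security: no use_srtp profile negotiated")

// ParseUseSRTP decodes a use_srtp extension body (bytes after the 2-byte type and length):
// profiles length, 2-byte profile IDs, MKI length, MKI (RFC 5764 section 4.1.1).
func ParseUseSRTP(body []byte) ([]uint16, error) {
	if len(body) < 3 {
		return nil, errors.New("use_srtp: body too short")
	}
	plen := int(binary.BigEndian.Uint16(body))
	if plen == 0 || plen%2 != 0 || 3+plen > len(body) || 3+plen+int(body[2+plen]) != len(body) {
		return nil, errors.New("use_srtp: bad profiles or MKI length")
	}
	var profiles []uint16
	for i := 2; i < 2+plen; i += 2 {
		profiles = append(profiles, binary.BigEndian.Uint16(body[i:]))
	}
	return profiles, nil
}

// NegotiateSRTP is the client-side decision: a ServerHello without use_srtp (serverBody == nil,
// as in the capture) or a choice that is not exactly one offered profile fails the handshake.
func NegotiateSRTP(offered []uint16, serverBody []byte) (uint16, error) {
	if serverBody == nil {
		return 0, ErrInsufficientSecurity
	}
	chosen, err := ParseUseSRTP(serverBody)
	if err != nil {
		return 0, err
	}
	if len(chosen) != 1 {
		return 0, errors.New("use_srtp: server must select exactly one profile")
	}
	for _, p := range offered {
		if p == chosen[0] {
			return p, nil
		}
	}
	return 0, ErrInsufficientSecurity
}
```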

paullouisageneau commented 3 years ago

Oh thanks, I missed it. The issue is that libdatachannel does not negotiate SRTP if media support is disabled, a behavior browsers are fine with but which is actually not correct.