sipwise / rtpengine

The Sipwise media proxy for Kamailio
GNU General Public License v3.0

Any plans to support DTLS 1.2? #186

Open soulofmischief87 opened 8 years ago

soulofmischief87 commented 8 years ago

I have a call flow that implements slow start, causing Firefox to take the client role and offer DTLS 1.2 after ICE negotiation. According to this post https://bugzilla.mozilla.org/show_bug.cgi?id=1153702, the server side should respond with a server hello and the version of DTLS that it supports. As of now rtpengine does not respond at all to a DTLS client hello with 1.2 in the version header.

rfuchs commented 8 years ago

That's probably just a matter of having support for it in OpenSSL and perhaps enabling it. I'll have to look into it.

soulofmischief87 commented 8 years ago

Rfuchs,

According to one of the comments in this post, DTLS 1.2 doesn't necessarily have to be supported, but the server hello needs to respond with the highest version supported, which I think is 1.0 now?

rfuchs commented 8 years ago

Yeah and the server hello is generated by OpenSSL. So it needs to be done through OpenSSL somehow.
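The version negotiation the thread is circling around lives in two places in a DTLS ClientHello: the record-layer header (commonly DTLS 1.0 on an initial ClientHello for compatibility) and the client_version inside the handshake body, which is what the server must compare against its own maximum. The Python below is an added example, not rtpengine's or OpenSSL's code: it builds a constructed ClientHello, parses both version fields and the offered cipher suites, and picks the ServerHello version, taking into account that DTLS wire versions are one's complement of TLS versions, so the highest mutual version is the numerically larger value (the cipher-suite IDs are the standard ECDHE AES-GCM suites, chosen only as sample input).

```python
"""Parse the version fields of a DTLS ClientHello and pick the ServerHello version."""
import struct

# DTLS versions are the one's complement of TLS versions: a HIGHER protocol
# version has a LOWER numeric value on the wire (RFC 6347).
DTLS_1_0 = 0xFEFF
DTLS_1_2 = 0xFEFD
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1


def build_client_hello(client_version, record_version=DTLS_1_0,
                       suites=(0xC02B, 0xC02F)):
    """Constructed sample: minimal ClientHello, empty cookie, no extensions."""
    body = struct.pack("!H", client_version) + b"\x00" * 32   # version + random
    body += b"\x00"                                            # session_id length 0
    body += b"\x00"                                            # cookie length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one null compression
    # DTLS handshake header: type, length(3), message_seq, frag_offset(3), frag_len(3)
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
    hs += struct.pack("!H", 0) + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")
    hs += body
    # DTLS record header: type, version, epoch, sequence(6), length
    record = struct.pack("!BHH6sH", CONTENT_TYPE_HANDSHAKE, record_version,
                         0, b"\x00" * 6, len(hs))
    return record + hs


def parse_client_hello_versions(datagram):
    """Return (record_version, client_version, cipher_suites) from a ClientHello."""
    if len(datagram) < 13 + 12:
        raise ValueError("too short for DTLS record + handshake header")
    ctype, rec_ver, _epoch, _seq, length = struct.unpack("!BHH6sH", datagram[:13])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = datagram[13:13 + length]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[12:]                                  # skip the 12-byte handshake header
    client_version = struct.unpack("!H", body[:2])[0]
    off = 34                                        # past client_version + random
    off += 1 + body[off]                            # skip session_id
    off += 1 + body[off]                            # skip cookie
    n = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off + 2, off + 2 + n, 2)]
    return rec_ver, client_version, suites


def choose_server_version(client_version, server_max=DTLS_1_0, server_min=DTLS_1_0):
    """Highest version both sides support, or None (protocol_version alert)."""
    if client_version > server_min:                 # client's best is below our floor
        return None
    return max(client_version, server_max)          # inverted encoding: max() = lowest
```

A client offering 1.2 against a server whose maximum is 1.0 gets a 1.0 ServerHello rather than silence, which is the behaviour the thread says the bugzilla post expects.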

rfuchs commented 8 years ago

From the discussion in that thread, it sounds like it merely is a matter of supporting ECDH, which has been in place for a while now (see #130). Are you perhaps using an older version?

soulofmischief87 commented 8 years ago

Rfuchs,

I am using Firefox 42. This is what the cipher suites look like:

[screenshot of the offered cipher suites, 2015-11-18]

which seems to include ECDH.

rfuchs commented 8 years ago

I meant an old version of rtpengine, one that doesn't include the fix from #130.

soulofmischief87 commented 8 years ago

rfuchs,

I am using the latest pull. In my flow the upstream media server fails to respond to the 1.2 client hello, which causes Firefox to try the rtpengine candidate, which does not respond. If I try a call in which rtpengine is the only candidate, meaning it is being used as a SAVPF-to-AVPF gateway, it will answer with a server hello of 1.0. I can offer traces of these two cases if needed.

rfuchs commented 8 years ago

Sure, because I can't quite make sense of this. If ICE converged on one particular endpoint, then communications should only happen with that endpoint and not do trial and error with several of them.

soulofmischief87 commented 8 years ago

In this case both ICE peers succeeded, and rtpengine is not in the media flow to know whether the other failed or succeeded. Nor was there a re-INVITE removing it from the media flow. The ACK SDP carries rtpengine in the c line. I emailed you the traces, by the way.