New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DTLS Bio read buffer is to small and not compatible with ecdsa-with-SHA256 key/cert with CA #828
Comments
hi, |
What is the size of your Janus DTLS certificate ? |
I don't know how do i found this size ? could you tell me how to find it? |
How to progress on this topic ? |
A PR with a failing test case would help, or at least a full wireshark capture. What I don't understand is how you expect to send out a frame that large, how will it fit in a UDP datagram? |
Hi, sorry for this long delay Currently we have the following error: https://www.pyopenssl.org/en/latest/api/ssl.html#OpenSSL.SSL.WantReadError on bio_read at 630. Doing the loop over bio_read doesn't help, the WantRearError is treated after BIO_Read call in pyopenssl lib See wireshark traces. Thanks |
Any status ? |
It will be framed across multiple UDP datagrams. DTLS explicitly frames for that purpose. 8192 bytes seems sensible for large x509 certificates using RSA 4096. If it resolves the problem for you, I'd suggest to make a PR for it. Edit: This probably won't resolve your issue. You'll have to tell the DTLS stack the maximum MTU so that it fragments accordingly. Similar to versatica/mediasoup#1143 |
I'm revisiting this issue and I have to admit I'm a bit confused. The call to If the remote (non-aiortc) party is sending us a certificate, I would expect the call to |
When the remote party is sending multiple fragment of incoming certificate, th gol of bio_read parameter is to give the size of the buffer to allocate to receive the concatenated fragments. As where as self.ssl.recv( MTU ) define the maximum buffer for on ip frame, so the MTU. the bio contains uncrypted data, so to be able to encrypt or decrypt a frame you have to receive the full buffer, of define a buffer for encryption before sending. so sefl.ssl.recv(1500) is for me ok, and bios read depends of the max amount of data you expect to receive. In the case of certificate you have to receive or send the full content to be able to start decryption or encryption. take a look into https://www.roxlu.com/2014/042/using-openssl-with-memory-bios , there is an exemple of usage of bios_read in line with this MR. After today we have 4096 bytes certificates , by tomorrow could be more. Should we put this variable more flexible ? |
I think the world is moving away from RSA certificates, so I'm not sure whether this is worth the trouble.. |
Thank you @jlaine , in the meantime of the RSA replacemnt, I will patch during deployment of aiortc to be in line with our constraint. |
Hi just saw our certificate is not RSA but ecdsa-with-SHA256 compliant, so update :p . And in that case the certificate returned by our Janus server is larger than the MTU. See attached Wireshark traces here ( #828 (comment) ) |
I am not able to read the .pcap file you provided, as your screenshot illustrates, Wireshark is unable to parse the DTLS messages so I have nothing to go on here. Unless you can provide me with a better way of reproducing this issue I'm going to have to close it. |
@jlaine I will try to generate similar certificate for the validation. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
With a Janus DTLS certificate with 4096 size, DTLS handshake goes in timeout, the transsaction never succeed.
a related issue was solved few year ago on janus side: meetecho/janus-gateway#252
after investiguation it appears that the ssl bio_read buffer is too small to read the full certificate.
see
aiortc/src/aiortc/rtcdtlstransport.py
Line 630 in d30b6f7
I do some test ad I suggest to increase the bio_read buffer size
from:
to a bigger value
It will solves also this closed issue: #346
an alternative but not tested, could be to read in a loop all the bio_read data, and send the full buffer after at
aiortc/src/aiortc/rtcdtlstransport.py
Line 634 in d30b6f7
The text was updated successfully, but these errors were encountered: