Closed Bug 1052610 Opened 6 years ago Closed 5 years ago

WebRTC: Allow more ciphers for DTLS 1.2 in Firefox Nightly 34.0a1 (cannot perform DTLS with OpenSSL)

Categories

(Core :: WebRTC: Networking, defect)

defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: ibc, Assigned: mt)

References

()

Details

Attachments

(5 files, 3 obsolete files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Steps to reproduce:

WebRTC call from Firefox Nightly 34.0a1 (2014-08-12) to Chrome Android (which uses OpenSSL).


Actual results:

DTLS negotiation failure due to non-matching cipher in Chrome Android.


Expected results:

Firefox Nightly 34.0a1 (2014-08-12) sends DTLS 1.2 ClientHello with the following ciphers:

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

It can negotiate DTLS with Chrome desktop (which still uses NSS) but it fails to negotiate DTLS with Chrome Android or any other WebRTC agent using OpenSSL (even with the newest openssl 1.1.0-dev which supports DTLS 1.2).

In the other side, the current Firefox stable (31.0), which uses DTLS 1.0, can perform DTLS handshake with OpenSSL based WebRTC agents (for example Chrome Android). The list of ciphers in the DTLS 1.0 ClientHello of Firefox 31.0 are the following:

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

I suggest extending the list of available ciphers in Firefox 34.
Component: Untriaged → WebRTC: Networking
Product: Firefox → Core
Do we have a list of what ciphers Chrome for Android supports?
Keywords: regression
Yes and no, let me explain:

In OpenSSL last version 1.1.0-dev I set:

---------
Ctx = SSL_CTX_new(DTLS_method());  // This allows DTLS 1.0 and 1.2
SSL_CTX_set_cipher_list(ctx, "ALL:!eNULL:!aNULL");
---------

BY running the following command line command I get the list of ciphers for the above string (I use grep to filter those matching the ones available in Firefox 34):

---------
openssl ciphers -v ALL:\!eNULL:\!aNULL | grep SHA | grep -E "(128|256)" | grep -E "(ECDHE|DHE)"

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
---------

When Firefox 34 sends DTLS 1.2 ClientHello to Chrome 36 desktop (so NSS) Chrome replies ServerHello with the following selected cipher:

  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

and such a cipher is listed above in the openssl command output, but note that it is flagged as "SSLv3". I don't know whether that is the reason for OpenSSL to ignore it when the received DTLS ClientHello has version 1.2 instead of 1.0.

Said that, if you make a call from Firefox 34 to Chrome Android (so OpenSSL), thus Chrome becomes the DTLS agent, then you can capture the DTLS 1.0 ClientHello form Chrome (for example in Wireshark) and get the list of announced ciphers.
Sorry, I mean "if you make a call from Chrome Android to Firefox 34 [...]".
No, sorry again, I was right: it must be a call from Firefox 34 to Chrome Android. BTW I've done that and... it is surprising because in this case it does work (but not the opposite).

The DTLS 1.0 ClientHello sent by Chrome Android has those ciphers:

------------------------------
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)
                Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
                Cipher Suite: TLS_SRP_SHA_WITH_AES_256_CBC_SHA (0xc020)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)
                Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
                Cipher Suite: TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA (0xc01a)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)
                Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
------------------------------

and Firefox 34 replies ServerHello by choosing this cipher:

  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Keywords: regression
OS: Mac OS X → All
Hardware: x86 → All
This doesn't look like a problem on our end.  If Android were sending a ClientHello with only DHE suites, then we wouldn't be able to serve.  NSS doesn't support DHE server side, and probably won't until the DHE enumeration stuff is standardized and landed (that's a while out yet).

We have a common suite.  The chrome guys are looking into this, and they are on the server side where it seems like the fault most likely resides.  Let's wait to see what they find.
Just a comment (the original issue description is wrong as I see now): the problem happens to me in two cases:

1) When Firefox 34 sends DTLS 1.2 ClientHello to Chrome Android (OpenSSL - no idea which version).
2) When Firefox 34 sends DTLS 1.2 ClientHello to my own WebRTC server implementation (tested with OpenSSL 1.0.1i and 1.1.0-dev).

What I mean that this is not a problem in Chrome side, but in any WebRTC endpoint acting as DTLS server and using OpenSSL any-version.
I can confirm this same problem on my own WebRTC server using OpenSSL for DTLS-SRTP.  The handshake works fine in all version of chrome, and all Firefox prior to 34.0a1, but fails in 34.0a1.
Martin: I wonder if the NSS DTLS 1.2 implementation has a bug or
is somehow incompatible with the OpenSSL DTLS 1.2 implementation.

This should be easy to track down if we run the OpenSSL side in
a debugger. Do you know how to build Chromium on Linux with
OpenSSL instead of NSS? Just do

export GYP_DEFINES="use_openssl=1"

and then run "gclient runhooks" to regenerate the build files.
I'm unable to do that right now. What we should do is back out bug 996237 since we now have confirmation that others are seeing this issue. I'll get into fixing this as soon as I can.
This isn't a direct backout because that was too knarly to get right.
Attachment #8472545 - Flags: review?(ekr)
Re-enabling the ECDHE tests, disabling the GCM one.
Attachment #8472545 - Attachment is obsolete: true
Attachment #8472545 - Flags: review?(ekr)
Attachment #8472570 - Flags: review?(ekr)
Assignee: nobody → martin.thomson
Keywords: leave-open
Comment on attachment 8472570 [details] [diff] [review]
0001-Bug-1052610-Removing-cipher-suite-profiling.patch

Review of attachment 8472570 [details] [diff] [review]:
-----------------------------------------------------------------

I reviewed this on Rietveld:
LGTM with nits

https://codereview.appspot.com/129120043/diff/20001/media/mtransport/test/tra...
File media/mtransport/test/transport_unittests.cpp (right):

https://codereview.appspot.com/129120043/diff/20001/media/mtransport/test/tra...
media/mtransport/test/transport_unittests.cpp:924: //bug1052610
Please add a TODO here.

https://codereview.appspot.com/129120043/diff/20001/media/mtransport/test/tra...
media/mtransport/test/transport_unittests.cpp:1021: 
Spurious whitespace.

https://codereview.appspot.com/129120043/diff/20001/media/mtransport/transpor...
File media/mtransport/transportlayerdtls.cpp (right):

https://codereview.appspot.com/129120043/diff/20001/media/mtransport/transpor...
media/mtransport/transportlayerdtls.cpp:675: // not limited suite selection; bug
1052610
This comment could be cleaned up.
Attachment #8472570 - Flags: review?(ekr) → review+
r=ekr
Attachment #8472570 - Attachment is obsolete: true
Attachment #8472610 - Flags: review+
Adam, can you put this patch on your autolander please?  I'd like to ensure that this gets in quickly.
Flags: needinfo?(adam)
Attached patch Unbreak -WerrorSplinter Review
Not sure how this got by try's -Werror, but I'm hitting this in local testing. Fix an unused variable warning on mac by disabling the cypher list the code is not longer referencing.
Attachment #8473090 - Flags: review?(adam)
Comment on attachment 8473090 [details] [diff] [review]
Unbreak -Werror

I haven't really looked at this part of the code -- I suspect Martin could understand the implications at a glance, while I'd need to read through the earlier changes. Changing reviewer...
Attachment #8473090 - Flags: review?(adam) → review?(martin.thomson)
Let me confirm that today's Nightly correctly performs the DTLS handshake with OpenSSL based implementations.
Comment on attachment 8473090 [details] [diff] [review]
Unbreak -Werror

Review of attachment 8473090 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing my typo.

BTW, we should just run builds with -Werror so that this sort of mess doesn't happen.  Warnings are useless.
Attachment #8473090 - Flags: review?(martin.thomson) → review+
I've done some testing now after hacking Firefox to suppress connectivity checking.

The following openssl versions work, and negotiate TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
* OpenSSL 1.0.1e-fips 11 Feb 2013
* OpenSSL 1.1.0-dev xx XXX xxxx (git trunk)
* OpenSSL 1.0.1i 6 Aug 2014

I was unable to run Chromium; I'm now fetching webrtc.org code to see what I can manage.
https://hg.mozilla.org/integration/mozilla-inbound/rev/53bafa32a147

I thought we did run builds with -Werror, but maybe that's just inbound? I have ac_add_options --enable-warnings-as-errors to catch these things. I think it still only sets -Werror on directories where FAIL_ON_WARNINGS = True is in the moz.build.

-Werror everywhere by default is annoying for contributors because random compiler differences can break the build.
(In reply to Ralph Giles (:rillian) from comment #22)
> I thought we did run builds with -Werror, but maybe that's just inbound?

Yep (not just inbound, all trees)

> I think it still only sets -Werror on directories where FAIL_ON_WARNINGS =
> True is in the moz.build.

Correct.  That should be the case here, though -- looks like this file is built by
http://mxr.mozilla.org/mozilla-central/source/media/mtransport/objs.mozbuild
which is included by
http://mxr.mozilla.org/mozilla-central/source/media/mtransport/build/moz.build
which has FAIL_ON_WARNINGS = True

If this broke local opted-in builds but didn't break TBPL, that's probably because TBPL is using an older compiler version that doesn't warn about unused file-global static const variables.  (IIRC, clang only recently started warning about that, and I'm not sure GCC does at all)

> -Werror everywhere by default is annoying for contributors because random
> compiler differences can break the build.

(yup, the goal is for people to be able to successfully build locally, even if their compiler has some obscure warning we've never seen before. That's why it's opt-in. And our TBPL builders are opted in, in their mozconfigs, to catch introductions of warnings.)
Iñaki, I can't reproduce the error you are seeing in your OpenSSL-based implementation. 

Do you have either some more information that you can provide, or can you point me at something that I can build and run?

I thought that webrtc.org would work, but it's only got some badly neglected sample code.  I'll have to spend some time fixing it.
Martin, just to clarify: as said in a comment above I cannot reproduce the error in today's Nightly, this is, it negotiates DTLS with OpenSSL based implementations (my server and Chrome Android) correctly.

Then, do you need more info or data? :)
Iñaki, if you can run a test with the broken nightly and capture the packets, that would help a great deal.  A wireshark or tcpdump packet capture would be ideal.  If you need a build that contains 1.2 and the limited set of suites, let me know.  You should be able to find the nightly build on ftp.mozilla.org though.
OK, will do that tomorrow.
Duplicate of this bug: 1054075
Iñaki, any chance you could help us out with that capture?
Flags: needinfo?(ibc)
Hi Martin, sorry for the delay (holidays). I don't know which exact version to download to get the Nightly version as it was in 2014-08-12. I see too much different releases with that date. May you please send me the exact link in ftp://ftp.mozilla.org/pub/firefox/nightly/?
Flags: needinfo?(ibc)
Firefox sends DTLS ClientHello 1.2 to my OpenSSL based server. The handshake fails in server side:

SSL_ERROR_SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

The list of ciphers in the server are the same as in Chrome Android (OpenSSL):

SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
Firefox sends DTLS ClientHello 1.2 to Chrome Android (OpenSSL based). The handshake is also rejected by server side (Chrome).
Inaki,

Can you tell us exactly what line of code of OpenSSL this is being
generated? Are you able to get this in the debugger?
My DLTS settings (in my server) are similar to what Chrome does (in the OpenSSL version, so Android for now):

-------------------------
ctx = SSL_CTX_new(DTLSv1_method());
[certificate stuff]
SSL_CTX_set_info_callback(ctx, on_ssl_info);
SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
SSL_CTX_set_tlsext_use_srtp(...);

ssl = SSL_new(ctx);
[Bio memory stuff]
SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);

// DTLS data received:
BIO_write(sslBioFromNetwork, data, len);
read = SSL_read(>ssl, sslReadBuffer, SSL_READ_BUFFER_SIZE);
SendPendingOutgoingDTLSData();

// Check SSL status:
if ((SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) || err == SSL_ERROR_SSL || err == SSL_ERROR_SYSCALL) {
  SSL_shutdown(ssl);
  SendPendingOutgoingDTLSData();  // BIO_read(sslBioToNetwork) stuff
}
--------------------


The OpenSSL error above:

SSL_ERROR_SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

is generated after SSL_read(). I check SSL_get_error(ssl, ssl_read_error_code) and get SSL_ERROR_SSL, and then I also log ERR_error_string(ERR_get_error()) which gives such an error description.


> Are you able to get this in the debugger?

Sorry, which debugger do you mean?


BTW the issue is easily reproducible by making a WebRTC call from Chrome-Android to Firefox 34.0a1 [*] (so Firefox becomes the DTLS client).

[*] ftp://ftp.mozilla.org/pub/firefox/nightly/2014-08-12-mozilla-central-debug/firefox-34.0a1.en-US.debug-mac64.dmg
(In reply to Iñaki Baz Castillo from comment #36)
> My DLTS settings (in my server) are similar to what Chrome does (in the
> OpenSSL version, so Android for now):
> 
> -------------------------
> ctx = SSL_CTX_new(DTLSv1_method());
> [certificate stuff]
> SSL_CTX_set_info_callback(ctx, on_ssl_info);
> SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
> SSL_CTX_set_tlsext_use_srtp(...);
> 
> ssl = SSL_new(ctx);
> [Bio memory stuff]
> SSL_set_accept_state(ssl);
> SSL_do_handshake(ssl);
> 
> // DTLS data received:
> BIO_write(sslBioFromNetwork, data, len);
> read = SSL_read(>ssl, sslReadBuffer, SSL_READ_BUFFER_SIZE);
> SendPendingOutgoingDTLSData();
> 
> // Check SSL status:
> if ((SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) || err == SSL_ERROR_SSL
> || err == SSL_ERROR_SYSCALL) {
>   SSL_shutdown(ssl);
>   SendPendingOutgoingDTLSData();  // BIO_read(sslBioToNetwork) stuff
> }
> --------------------
> 
> 
> The OpenSSL error above:
> 
> SSL_ERROR_SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher
> 
> is generated after SSL_read(). I check SSL_get_error(ssl,
> ssl_read_error_code) and get SSL_ERROR_SSL, and then I also log
> ERR_error_string(ERR_get_error()) which gives such an error description.

Right, but it's happening, as the error indicates, in ssl3_get_client_hello.
I'm hoping you can step through and find out where exactly it happens and
what the context is.

> 
> > Are you able to get this in the debugger?
> 
> Sorry, which debugger do you mean?

gdb or lldb/

> 
> BTW the issue is easily reproducible by making a WebRTC call from
> Chrome-Android to Firefox 34.0a1 [*] (so Firefox becomes the DTLS client).
> 
> [*]
> ftp://ftp.mozilla.org/pub/firefox/nightly/2014-08-12-mozilla-central-debug/
> firefox-34.0a1.en-US.debug-mac64.dmg
Not sure if the following is useful (I will try to get more by inspecting the OpenSSL SSL_get_ciphers() function which is the cause of the problem.

I've enabled CIPHER_DEBUG in OpenSSL 1.1.0-dev. Those are the related logs in my server when receiving the DTLS 1.2 ClientHello form Firefox 34.0a1:


----------------
DEBUG:  [worker #1] RTC::Transport::onICEValidPair() | running DTLS handler in server role
DEBUG:  [worker #1] RTC::DTLSHandler::onSSLInfo() | DTLS handshake start
DEBUG:  [worker #1] RTC::DTLSHandler::onSSLInfo() | role: server | action: before/accept initialization
DEBUG:  [worker #1] RTC::DTLSHandler::onSSLInfo() | role: server | waiting for: SSLv3 read client hello B
DEBUG:  [worker #1] RTC::UDPSocket::userOnUDPDatagramRecv() | 141 bytes datagram received [local: MY_IP : 10021 | remote: MY_IP : 65062]
DEBUG:  [worker #1] RTC::Transport::onDTLSDataRecv() | DTLS data received via UDP, passing it to the DTLSHandler

// OpenSSL CIPHER_DEBUG stuff after calling SSL_read():
Server has 112 from 0x7ffe99e00790:
0x10ec2fc98:ECDHE-RSA-AES256-GCM-SHA384
0x10ec2fb38:ECDHE-ECDSA-AES256-GCM-SHA384
0x10ec2f9d8:ECDHE-RSA-AES256-SHA384
0x10ec2f878:ECDHE-ECDSA-AES256-SHA384
0x10ec2f2f8:ECDHE-RSA-AES256-SHA
0x10ec2ef88:ECDHE-ECDSA-AES256-SHA
0x10ec2f7c8:SRP-DSS-AES-256-CBC-SHA
0x10ec2f770:SRP-RSA-AES-256-CBC-SHA
0x10ec2f718:SRP-AES-256-CBC-SHA
0x10ec2e748:DH-DSS-AES256-GCM-SHA384
0x10ec2e698:DHE-DSS-AES256-GCM-SHA384
0x10ec2e5e8:DH-RSA-AES256-GCM-SHA384
0x10ec2e538:DHE-RSA-AES256-GCM-SHA384
0x10ec2dc48:DHE-RSA-AES256-SHA256
0x10ec2dbf0:DHE-DSS-AES256-SHA256
0x10ec2db98:DH-RSA-AES256-SHA256
0x10ec2db40:DH-DSS-AES256-SHA256
0x10ec2d618:DHE-RSA-AES256-SHA
0x10ec2d5c0:DHE-DSS-AES256-SHA
0x10ec2d568:DH-RSA-AES256-SHA
0x10ec2d510:DH-DSS-AES256-SHA
0x10ec2ff58:ECDHE-RSA-CAMELLIA256-SHA384
0x10ec2fdf8:ECDHE-ECDSA-CAMELLIA256-SHA384
0x10ec2ebc0:DHE-RSA-CAMELLIA256-SHA256
0x10ec2eb68:DHE-DSS-CAMELLIA256-SHA256
0x10ec2eb10:DH-RSA-CAMELLIA256-SHA256
0x10ec2eab8:DH-DSS-CAMELLIA256-SHA256
0x10ec2e010:DHE-RSA-CAMELLIA256-SHA
0x10ec2dfb8:DHE-DSS-CAMELLIA256-SHA
0x10ec2df60:DH-RSA-CAMELLIA256-SHA
0x10ec2df08:DH-DSS-CAMELLIA256-SHA
0x10ec2f4b0:AECDH-AES256-SHA
0x10ec2fd48:ECDH-RSA-AES256-GCM-SHA384
0x10ec2fbe8:ECDH-ECDSA-AES256-GCM-SHA384
0x10ec2fa88:ECDH-RSA-AES256-SHA384
0x10ec2f928:ECDH-ECDSA-AES256-SHA384
0x10ec2f140:ECDH-RSA-AES256-SHA
0x10ec2edd0:ECDH-ECDSA-AES256-SHA
0x10ec30008:ECDH-RSA-CAMELLIA256-SHA384
0x10ec2fea8:ECDH-ECDSA-CAMELLIA256-SHA384
0x10ec2e488:AES256-GCM-SHA384
0x10ec2d778:AES256-SHA256
0x10ec2d4b8:AES256-SHA
0x10ec2ea60:CAMELLIA256-SHA256
0x10ec2deb0:CAMELLIA256-SHA
0x10ec2e1c8:PSK-AES256-CBC-SHA
0x10ec2fc40:ECDHE-RSA-AES128-GCM-SHA256
0x10ec2fae0:ECDHE-ECDSA-AES128-GCM-SHA256
0x10ec2f980:ECDHE-RSA-AES128-SHA256
0x10ec2f820:ECDHE-ECDSA-AES128-SHA256
0x10ec2f2a0:ECDHE-RSA-AES128-SHA
0x10ec2ef30:ECDHE-ECDSA-AES128-SHA
0x10ec2f6c0:SRP-DSS-AES-128-CBC-SHA
0x10ec2f668:SRP-RSA-AES-128-CBC-SHA
0x10ec2f610:SRP-AES-128-CBC-SHA
0x10ec2e6f0:DH-DSS-AES128-GCM-SHA256
0x10ec2e640:DHE-DSS-AES128-GCM-SHA256
0x10ec2e590:DH-RSA-AES128-GCM-SHA256
0x10ec2e4e0:DHE-RSA-AES128-GCM-SHA256
0x10ec2dae8:DHE-RSA-AES128-SHA256
0x10ec2d880:DHE-DSS-AES128-SHA256
0x10ec2d828:DH-RSA-AES128-SHA256
0x10ec2d7d0:DH-DSS-AES128-SHA256
0x10ec2d408:DHE-RSA-AES128-SHA
0x10ec2d3b0:DHE-DSS-AES128-SHA
0x10ec2d358:DH-RSA-AES128-SHA
0x10ec2d300:DH-DSS-AES128-SHA
0x10ec2ff00:ECDHE-RSA-CAMELLIA128-SHA256
0x10ec2fda0:ECDHE-ECDSA-CAMELLIA128-SHA256
0x10ec2e9b0:DHE-RSA-CAMELLIA128-SHA256
0x10ec2e958:DHE-DSS-CAMELLIA128-SHA256
0x10ec2e900:DH-RSA-CAMELLIA128-SHA256
0x10ec2e8a8:DH-DSS-CAMELLIA128-SHA256
0x10ec2e380:DHE-RSA-SEED-SHA
0x10ec2e328:DHE-DSS-SEED-SHA
0x10ec2e2d0:DH-RSA-SEED-SHA
0x10ec2e278:DH-DSS-SEED-SHA
0x10ec2da38:DHE-RSA-CAMELLIA128-SHA
0x10ec2d9e0:DHE-DSS-CAMELLIA128-SHA
0x10ec2d988:DH-RSA-CAMELLIA128-SHA
0x10ec2d930:DH-DSS-CAMELLIA128-SHA
0x10ec2f458:AECDH-AES128-SHA
0x10ec2fcf0:ECDH-RSA-AES128-GCM-SHA256
0x10ec2fb90:ECDH-ECDSA-AES128-GCM-SHA256
0x10ec2fa30:ECDH-RSA-AES128-SHA256
0x10ec2f8d0:ECDH-ECDSA-AES128-SHA256
0x10ec2f0e8:ECDH-RSA-AES128-SHA
0x10ec2ed78:ECDH-ECDSA-AES128-SHA
0x10ec2ffb0:ECDH-RSA-CAMELLIA128-SHA256
0x10ec2fe50:ECDH-ECDSA-CAMELLIA128-SHA256
0x10ec2e430:AES128-GCM-SHA256
0x10ec2d720:AES128-SHA256
0x10ec2d2a8:AES128-SHA
0x10ec2e850:CAMELLIA128-SHA256
0x10ec2e220:SEED-SHA
0x10ec2d8d8:CAMELLIA128-SHA
0x10ec2cb70:IDEA-CBC-SHA
0x10ec2e170:PSK-AES128-CBC-SHA
0x10ec2f248:ECDHE-RSA-DES-CBC3-SHA
0x10ec2eed8:ECDHE-ECDSA-DES-CBC3-SHA
0x10ec2f5b8:SRP-DSS-3DES-EDE-CBC-SHA
0x10ec2f560:SRP-RSA-3DES-EDE-CBC-SHA
0x10ec2f508:SRP-3DES-EDE-CBC-SHA
0x10ec2d098:DHE-RSA-DES-CBC3-SHA
0x10ec2cf90:DHE-DSS-DES-CBC3-SHA
0x10ec2ce88:DH-RSA-DES-CBC3-SHA
0x10ec2cd80:DH-DSS-DES-CBC3-SHA
0x10ec2f400:AECDH-DES-CBC3-SHA
0x10ec2f090:ECDH-RSA-DES-CBC3-SHA
0x10ec2ed20:ECDH-ECDSA-DES-CBC3-SHA
0x10ec2cc78:DES-CBC3-SHA
0x10ec2e118:PSK-3DES-EDE-CBC-SHA

Client sent 9 from 0x7ffe99e00a10:
0x10ec2fae0:ECDHE-ECDSA-AES128-GCM-SHA256
0x10ec2fc40:ECDHE-RSA-AES128-GCM-SHA256
0x10ec2ef88:ECDHE-ECDSA-AES256-SHA
0x10ec2ef30:ECDHE-ECDSA-AES128-SHA
0x10ec2f2a0:ECDHE-RSA-AES128-SHA
0x10ec2f2f8:ECDHE-RSA-AES256-SHA
0x10ec2d408:DHE-RSA-AES128-SHA
0x10ec2d3b0:DHE-DSS-AES128-SHA
0x10ec2d618:DHE-RSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000001:00000101:00000085]0x10ec2f2f8:ECDHE-RSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000101:00000085]0x10ec2ef88:ECDHE-ECDSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000101:00000085]0x10ec2f7c8:SRP-DSS-AES-256-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000101:00000085]0x10ec2f770:SRP-RSA-AES-256-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000400:00000101:00000085]0x10ec2f718:SRP-AES-256-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2d618:DHE-RSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2d5c0:DHE-DSS-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2d568:DH-RSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2d510:DH-DSS-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2e010:DHE-RSA-CAMELLIA256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2dfb8:DHE-DSS-CAMELLIA256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2df60:DH-RSA-CAMELLIA256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2df08:DH-DSS-CAMELLIA256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000004:00000101:00000085]0x10ec2f4b0:AECDH-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000020:00000010:00000101:00000085]0x10ec2f140:ECDH-RSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000040:00000010:00000101:00000085]0x10ec2edd0:ECDH-ECDSA-AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2d4b8:AES256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2deb0:CAMELLIA256-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000001:00000101:00000085]0x10ec2f2a0:ECDHE-RSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000101:00000085]0x10ec2ef30:ECDHE-ECDSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000101:00000085]0x10ec2f6c0:SRP-DSS-AES-128-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000101:00000085]0x10ec2f668:SRP-RSA-AES-128-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000400:00000101:00000085]0x10ec2f610:SRP-AES-128-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2d408:DHE-RSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2d3b0:DHE-DSS-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2d358:DH-RSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2d300:DH-DSS-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2e380:DHE-RSA-SEED-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2e328:DHE-DSS-SEED-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2e2d0:DH-RSA-SEED-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2e278:DH-DSS-SEED-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2da38:DHE-RSA-CAMELLIA128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2d9e0:DHE-DSS-CAMELLIA128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2d988:DH-RSA-CAMELLIA128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2d930:DH-DSS-CAMELLIA128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000004:00000101:00000085]0x10ec2f458:AECDH-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000020:00000010:00000101:00000085]0x10ec2f0e8:ECDH-RSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000040:00000010:00000101:00000085]0x10ec2ed78:ECDH-ECDSA-AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2d2a8:AES128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2e220:SEED-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2d8d8:CAMELLIA128-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2cb70:IDEA-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000001:00000101:00000085]0x10ec2f248:ECDHE-RSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000101:00000085]0x10ec2eed8:ECDHE-ECDSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000002:00000101:00000085]0x10ec2f5b8:SRP-DSS-3DES-EDE-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000001:00000101:00000085]0x10ec2f560:SRP-RSA-3DES-EDE-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000400:00000400:00000101:00000085]0x10ec2f508:SRP-3DES-EDE-CBC-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000001:00000101:00000085]0x10ec2d098:DHE-RSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000008:00000002:00000101:00000085]0x10ec2cf90:DHE-DSS-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000002:00000008:00000101:00000085]0x10ec2ce88:DH-RSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000004:00000008:00000101:00000085]0x10ec2cd80:DH-DSS-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000004:00000101:00000085]0x10ec2f400:AECDH-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000020:00000010:00000101:00000085]0x10ec2f090:ECDH-RSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000040:00000010:00000101:00000085]0x10ec2ed20:ECDH-ECDSA-DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
1:[00000001:00000001:00000101:00000085]0x10ec2cc78:DES-CBC3-SHA
rt=0 rte=0 dht=0 ecdht=0 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0

DEBUG:  [worker #1] RTC::DTLSHandler::onSSLInfo() | sending DTLS fatal alert: handshake failure
DEBUG:  [worker #1] RTC::DTLSHandler::onSSLInfo() | role: server | waiting for: SSLv3 read client hello C
DEBUG:  [worker #1] RTC::DTLSHandler::SendPendingOutgoingDTLSData() | 15 bytes of DTLS data ready to sent to the peer
ERROR:  [worker #1] RTC::DTLSHandler::CheckStatus() | OpenSSL error | SSL status: SSL_ERROR_SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
NOTICE: [worker #1] RTC::DTLSHandler::CheckStatus() | DTLS connection failed
DEBUG:  [worker #1] RTC::Transport::onDTLSFailed() | DTLS failed
----------------
Sorry, I don't even get OpenSSL to be compiled with debug symbols (despite I've followed the steps for that) so I see nothing in lldb. I'm not sure but I expect that the following OpenSSL code could be related:


ssl/s3_libs.c line 4472:
-------------------------
     /* Skip TLS v1.2 only ciphersuites if not supported */
     if ((c->algorithm_ssl & SSL_TLSV1_2) &&
           !SSL_USE_TLS1_2_CIPHERS(s))
           continue;
-------------------------
Looks like David found the problem and he has a simple fix:

https://code.google.com/p/chromium/issues/detail?id=406458

I'm going to land a fix to re-enable DTLS 1.2 and then we will wait for that fix to hit a Chrome release.  Then we're switching PFS back on.

For now, if you care about PFS and you have an openssl- or boringssl-based Chrome or WebRTC, have Firefox act in the server role (usually, that's Firefox sending the offer).
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Confirmed that SSL_CTX_set_ecdh_auto(ctx, 1) works so the DTLS1.2 ClientHello from Firefox 34.0a1 is accepted.
Duplicate of this bug: 798943
Attached file MozReview Request: bz://1052610/mt (obsolete) —
Attachment #8542198 - Flags: review?(ekr)
/r/1753 - Bug 1052610 - Disabling non-PFS cipher suites

Pull down this commit:

hg pull review -r 559b226f73d8178b2efbd21776e6f7e07791ab0c
Attachment #8542198 - Flags: review?(ekr) → review+
I should have dropped the `leave-open`.  This is fixed now.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Keywords: leave-open
Resolution: --- → FIXED
Is this fix going into FF37?
MT is on vacation, but I think there may be some confusion here.

We initially restricted the list of ciphers that we used for DTLS
and then discovered it was creating interop problems. We backed
out that change:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ee163409ca1


Now that Chrome has been updated, the change has been re-landed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/47d9e690f4a9

So "fixed" means "expect other sides to have upgraded"
Depends on: 1132813
Blocks: 1134437
See Also: → 1158343
Depends on: 1167066
Attachment #8542198 - Attachment is obsolete: true
Attachment #8618273 - Flags: review+
You need to log in before you can comment on or make changes to this bug.