Closed
Bug 1510487
Opened 7 years ago
Closed 7 years ago
DTLS without SRTP extension (for datachannel only) closes connection
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla66
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox64 | --- | wontfix |
| firefox65 | --- | fixed |
| firefox66 | --- | fixed |
People
(Reporter: stapatrick9, Assigned: drno, NeedInfo)
References
(Blocks 1 open bug)
Details
(Keywords: regression)
Attachments
(3 files, 1 obsolete file)
|
10.58 KB,
text/plain
|
Details | |
|
6.54 KB,
application/octet-stream
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Steps to reproduce:
Connect to Firefox 64 datachannel session through webrtc.
The remote/local SDP is attached.
Actual results:
The DTLS exchange failed. Specifically after the DTLS certificate message is send, the remote DTLS server connection closes. Our Native DTLS exchange that we capture in our native stack is also attached.
Expected results:
I expected DTLS exchange to pass with datachannels. Did something change in Firefox 64 that could effect this?(maybe in the sdp ,DTLS or SCTP). I will attach a success version of DTLS exchange when connected to chrome (or firefox 63).
Our data channel native stack connects fine with firefox 63 and before. It also working fine with Chrome. The DTLS exchange works fine with Audio/Video connection in firefox 64 also.
|
||
Comment 1•7 years ago
|
||
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Component: Untriaged → WebRTC
Product: Firefox → Core
|
Reporter | |
Comment 2•7 years ago
|
||
(In reply to undefined from comment #undefined)
>
Thanks
|
|
Reporter | |
Comment 3•7 years ago
|
||
This is the wireShark pcapng file from the failted datachannels dtls exchange with firefox 64. 192.168.124.173 is firefox in this case.
|
|
Reporter | |
Comment 4•7 years ago
|
||
We found that there is bug in firefox 64 where if connections with only data streams that don’t negotiate an SRTP profiles are immediately closed after the DTLS handshake completes.
|
||
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
Component: WebRTC → WebRTC: Networking
Ever confirmed: true
|
||
Comment 6•7 years ago
|
||
Thanks stapatrick9 for the 63-64 log comparison!
If this readily reproduces, would you be able to use the mozregression tool [1] to narrow down the regression range further?
The only datachannel-related WebRTC change I see in 64 release [1], appears to be bug 1051685, though it's not clear to me how it could be affected.
[1] https://mozilla.github.io/mozregression/
[2] https://bugzilla.mozilla.org/buglist.cgi?list_id=14470550&columnlist=cf_rank%2Cshort_desc%2Cstatus_whiteboard%2Cassigned_to%2Cbug_status%2Cpriority%2Ccf_fx_points%2Cchangeddate%2Ccomponent&resolution=FIXED&query_based_on=64%20release&query_format=advanced&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&component=WebRTC&component=WebRTC%3A%20Audio%2FVideo&component=WebRTC%3A%20Networking&component=WebRTC%3A%20Signaling&target_milestone=mozilla64&product=Core&known_name=64%20release
Flags: needinfo?(jib) → needinfo?(stapatrick9)
|
|
||
Comment 7•7 years ago
|
||
Could LiveSwitch be objecting to the new SCTP window? Nils, WDYT?
Flags: needinfo?(drno)
|
Assignee | |
Comment 8•7 years ago
|
||
No this is not caused by the window size.
Most likely it's the code from bug 1485883 which is causing this.
@mt: looks like we over looked a legit use case for not negotiating any SRTP profiles with DTLS, when you only want to negotiate a data channel only. Do you think this is covered by the specs in any way?
Assuming for now this a regression and setting therefore high priority.
Depends on: 1485883
Flags: needinfo?(drno) → needinfo?(martin.thomson)
Keywords: regression
Priority: -- → P1
|
||
Comment 9•7 years ago
|
||
I'm surprised that this is a problem. An error in DTLS will result in an error in the SRTP layer. I think that we were previously ignoring failures from the SRTP negotiation. If so, then what I will attach will likely work.
I had a look at the code here and removing the check changes the guarantees that TransportLayerDtls provides. Basically, if we offer SRTP (which we always do), and the peer doesn't accept it because it expects to only be using data channels, then we will die later. We don't conditionally add TransportLayerSrtp based on the availability of SRTP.
I have some changes (attached), but no time to go over them carefully. I don't build gecko often enough and I'm currently stuck upgrading all sorts of things to allow it to build. So I haven't tested this. I think that we'll want lots of tests around this to be sure that we don't regress more.
Flags: needinfo?(martin.thomson)
|
|
Assignee | |
Comment 10•7 years ago
|
||
|
|
Assignee | |
Comment 11•7 years ago
|
||
|
|
Assignee | |
Comment 12•7 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #9)
> I had a look at the code here and removing the check changes the guarantees
> that TransportLayerDtls provides. Basically, if we offer SRTP (which we
> always do), and the peer doesn't accept it because it expects to only be
> using data channels, then we will die later. We don't conditionally add
> TransportLayerSrtp based on the availability of SRTP.
Maybe this is the right thing to do going forward: only offer SRTP extensions if the transport contains audio or video. And then also only insert TransportLayerSrtp if it's needed. I think the biggest issue is at which layer to figure out if SRTP is needed or not and then pass it down to the transportlayer code.
The other question is: if we would no longer offer SRTP extension in DTLS for datachannel only transport how many implementations would barf?
I guess the less problematic option would to continue to negotiate the SRTP extension, but simply not insert TransportLayerSrtp if we know it a data channel only transport.
> I have some changes (attached), but no time to go over them carefully. I
> don't build gecko often enough and I'm currently stuck upgrading all sorts
> of things to allow it to build. So I haven't tested this. I think that
> we'll want lots of tests around this to be sure that we don't regress more.
Thanks for the patch. It turns out that your last patch already had tests for both situations (client not offering SRTP and server not accepting SRTP), but they expected to fail. So I think that was simply the wrong expectation.
Unfortunately it looks like the TransportLayerSrtp code itself doesn't have any test coverage, except indirectly through mochitests. But these don't handle the non SRTP scenario. I guess in this case we would want to have a combined test of TransportLayerSrtp and TransportLayerDtls.
I think we should land as is for now and request uplift to Beta to fix this regression. And then take care of improvements in follow up bugs which ride the trains.
|
|
Assignee | |
Updated•7 years ago
|
Summary: DTLS Exchange closing connection - datachannel Webrtc → DTLS without SRTP extension (for datachannel only) closes connection
|
||
Updated•7 years ago
|
status-firefox64:
--- → wontfix
status-firefox65:
--- → affected
status-firefox66:
--- → affected
status-firefox-esr60:
--- → unaffected
|
||
Comment 14•7 years ago
|
||
I've added a review comment, this is pretty close to being able to land, but Nils owns the patch.
Flags: needinfo?(docfaraday)
|
||
Comment 16•7 years ago
|
||
Is this close to ready to land? Tomorrow's the final Beta of the Fx65 cycle.
|
|
Assignee | |
Comment 17•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #16)
Is this close to ready to land? Tomorrow's the final Beta of the Fx65 cycle.
Yes I can get it in today.
Flags: needinfo?(drno)
|
|
Assignee | |
Comment 18•7 years ago
|
||
|
|
Assignee | |
Updated•7 years ago
|
Attachment #9031339 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 19•7 years ago
|
||
Comment on attachment 9031730 [details]
Bug 1510487: allow DTLS connection w/o SRTP extension. r?bwc
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1485883
User impact if declined: For certain WebRTC services Data Channel connections fail to establish (it depends on how the service negotiates the connection on the DTLS layer).
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): It only removes an error check introduced by bug 1485883. Also the scenario which triggers this not very common.
String changes made/needed: N/A
Attachment #9031730 -
Flags: approval-mozilla-beta?
|
||
Comment 20•7 years ago
|
||
Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8fb54b5db199
allow DTLS connection w/o SRTP extension. r=bwc
|
||
Comment 21•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
|
|
||
Comment 22•7 years ago
|
||
Comment on attachment 9031730 [details]
Bug 1510487: allow DTLS connection w/o SRTP extension. r?bwc
[Triage Comment]
Fixes Data Channel connection failures for certain WebRTC services. Approved for 65.0b12.
Attachment #9031730 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 23•7 years ago
|
||
| bugherder uplift | ||
Flags: in-testsuite+
|
|
Assignee | |
Comment 24•7 years ago
|
||
Can you verify that the latest Firefox Beta build fixes the issue for you?
Flags: needinfo?(stapatrick9)
|
||
Comment 25•7 years ago
|
||
Yes, the issue is fixed in Firefox 65.0b12!
You need to log in
before you can comment on or make changes to this bug.
Description
•