WebRTC stopped working after Chrome update


(Sam Shomi) #1

Anyone else? I am using the latest Asterisk v13 and FreePBX v13 on CentOS 6 fully yum updated. Not the distro. WebRTC was working on Chrome up until I installed a Chrome update that was release on Nov 17. v87.0.4280.66 64bit

Now it immediately hangs up with error

DTLS failure occurred on RTP instance ‘0xb670c7b4’ due to reason ‘tlsv1 alert protocol version’, terminating.

WebRTC still works with latest Firefox so it appears to just be when I use Chrome.

Apache “ssl.conf” is the one that FreePBX sysadmin installs. I re-installed it by running /var/www/html/admin/modules/sysadmin/hooks/update-sslconf

just to be sure it’s the latest one. The letsencrypt certficate was also renewed using certificate manager. I also tried disabling and re-enabling WebRTC for the extension in “User Management” and manually verified the WebRTC extension (99xxx) points to the certificate files in /etc/asterisk/sip_additional.conf. I have also set the permissions using “fwconsole chown” and manually verified.

So I am still fairly sure it’s related to the Chrome update but would like to know if anyone else is seeing the same thing.

The OpenSSL version is “openssl-1.0.1e-58.el6_10.i686” which does support TLS v.1.2


(Joshua C. Colp) #2

TLS and DTLS are two separate things within OpenSSL. Support for DTLS 1.2 (which Chrome now requires) was added as of OpenSSL 1.0.2, and would not be present in 1.0.1e.


(Sam Shomi) #3

Thank you for the info. I’ll try recompile Asterisk against openssl v1.0.2 source files and see if that fixes it. Assuming that is possible without dependency problems.


(Joshua C. Colp) #4

Asterisk will need to rebuilt to be aware of the new OpenSSL to enable the support.


(Sam Shomi) #5

Thanks for clarifying. I edited my previous comment to say recompile asterisk against openssl 1.0.2 source.


(Giuseppe) #6

Hi all
I working with

  • Asterisk-11.19.0
  • Centos 7.9
  • openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017

but I have the same problems:
res_rtp_asterisk.c: DTLS failure occurred on RTP instance ‘0x7f057801f5c8’ due to reason ‘tlsv1 alert protocol version’, terminating

Do you know any solution or workaround?

Thanks
Giusueppe.


(Joshua C. Colp) #7

Asterisk 11.19.0 does not have support for using DTLS 1.2 if available. You would need to upgrade.


(Sam Shomi) #8

Hi,

I couldn’t get PJSIP bundle to compile with openssl 1.0.2 installed from source. It may be the locations of the compiled files being different from openssl and openssl-devel rpms so I am still working on figuring that out.

Do you know what switch I should be looking for in config.log to indicated the precompile ./configure script detected DTLS v1.2 support?

I see the following OPENSSL related flags

OPENSSL_LIB=’ -lssl -lcrypto’
PBX_OPENSSL=‘1’
PBX_OPENSSL_BIO_METHOD=‘0’
PBX_OPENSSL_SRTP=‘0’


(Joshua C. Colp) #9

The configure script doesn’t check for it. The res_rtp_asterisk module does a version check[1] of the OpenSSL headers when building to determine whether to use DTLSv1 only or not.

[1] https://github.com/asterisk/asterisk/blob/13/res/res_rtp_asterisk.c#L1733


(Sam Shomi) #10

Is there a post compile check? You seem to be indicating asterisk only cares what version the /usr/bin/openssl binary is and it is not related to openssl-devel files (*.h). I did change that to the v1.0.2 binary, restarted apache and ran “openssl version” to verify it was v1.0.2 and then recompiled asterisk but chrome was still failing with the same error.


(Joshua C. Colp) #11

Not the version of the binary. Asterisk includes the OpenSSL headers and is built against them. It is that which is checked, and then it is linked against the OpenSSL library on the system.


(Sam Shomi) #12

Thank you. Very helpful info. I will keep plugging away at it.


(Giuseppe) #13

Thanks so much for your kind help.

What is the minimum version to upgrade asterisk to to have DTLS 1.2 ?

Thanks
Giuseppe.


(Joshua C. Colp) #14

I don’t know that off the top of my head. I know current supported versions have it.


(Alo) #15

I am also having trouble with this google chrome update. I have used both asterisk 11 and asterisk 13. but if I use a new OS then both asterisk 11 and asterisk 13 work. So I am pretty sure its not related to the asterisk version but maybe open ssl version? Using OpenSSL 1.0.1i-fips 6 Aug 2014


(Joshua C. Colp) #16

As I stated in a previous comment Chrome now requires DTLS 1.2 which is available as of OpenSSL 1.0.2.


(Alo) #17

Boom. I thought I had already updated but that was totally it.
You are a Great man and Have greatly improved my current life. I am thankfully to you!


(Lucas Ryan) #18

Is there an update I can run on a FreePBX13 Distro version (with asterisk 13) to allow this to work?


(Darren Hollick) #19

Yes please!!! I have many FreePBX 13 Sangoma Distro installs… is there a patch for them?


(Matthew Fredrickson) #20

Unfortunately FreePBX 13 and the original distro it ran on (SNG6, IIRC) are very old and aren’t really receiving signifiant updates at this point. This is a bit of hard news for you, but it might be the appropriate time to consider updating to a newer distro.

Also, Asterisk 13 just went security fix only mode, so moving to a currently supported version of Asterisk (like 16) is probably also a good idea.

Sorry to break the bad news.

Matthew Fredrickson