Anyone else? I am using the latest Asterisk v13 and FreePBX v13 on CentOS 6 fully yum updated. Not the distro. WebRTC was working on Chrome up until I installed a Chrome update that was released on Nov 17. v87.0.4280.66 64bit
Now it immediately hangs up with error
DTLS failure occurred on RTP instance ‘0xb670c7b4’ due to reason ‘tlsv1 alert protocol version’, terminating.
WebRTC still works with latest Firefox so it appears to just be when I use Chrome.
Apache “ssl.conf” is the one that FreePBX sysadmin installs. I re-installed it by running /var/www/html/admin/modules/sysadmin/hooks/update-sslconf just to be sure it’s the latest one. The letsencrypt certificate was also renewed using certificate manager. I also tried disabling and re-enabling WebRTC for the extension in “User Management” and manually verified the WebRTC extension (99xxx) points to the certificate files in /etc/asterisk/sip_additional.conf. I have also set the permissions using “fwconsole chown” and manually verified.
So I am still fairly sure it’s related to the Chrome update but would like to know if anyone else is seeing the same thing.
The OpenSSL version is “openssl-1.0.1e-58.el6_10.i686” which does support TLS v.1.2
TLS and DTLS are two separate things within OpenSSL. Support for DTLS 1.2 (which Chrome now requires) was added as of OpenSSL 1.0.2, and would not be present in 1.0.1e.
Thank you for the info. I’ll try to recompile Asterisk against openssl v1.0.2 source files and see if that fixes it. Assuming that is possible without dependency problems.
but I have the same problems:
res_rtp_asterisk.c: DTLS failure occurred on RTP instance ‘0x7f057801f5c8’ due to reason ‘tlsv1 alert protocol version’, terminating
I couldn’t get PJSIP bundle to compile with openssl 1.0.2 installed from source. It may be the locations of the compiled files being different from openssl and openssl-devel rpms so I am still working on figuring that out.
Do you know what switch I should be looking for in config.log to indicate that the precompile ./configure script detected DTLS v1.2 support?
The configure script doesn’t check for it. The res_rtp_asterisk module does a version check[1] of the OpenSSL headers when building to determine whether to use DTLSv1 only or not.
Is there a post compile check? You seem to be indicating asterisk only cares what version the /usr/bin/openssl binary is and it is not related to openssl-devel files (*.h). I did change that to the v1.0.2 binary, restarted apache and ran “openssl version” to verify it was v1.0.2 and then recompiled asterisk but chrome was still failing with the same error.
Not the version of the binary. Asterisk includes the OpenSSL headers and is built against them. It is that which is checked, and then it is linked against the OpenSSL library on the system.
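As an added illustration of the point made in the replies above (this is not code from the thread or from Asterisk): a small C program that reports which OpenSSL headers the compiler actually picks up and whether they meet the 1.0.2 threshold for DTLS 1.2 mentioned above. It assumes the header version is exposed as `OPENSSL_VERSION_NUMBER` in `<openssl/opensslv.h>`; the function names, the threshold constant and the sample values are constructed for this example.

```c
/* Added example, not Asterisk source. Build it with the same include path the
 * Asterisk build uses: cc -I<openssl-prefix>/include -o sslhdr sslhdr.c
 * (<openssl-prefix> is a placeholder for wherever OpenSSL was installed). */
#include <stdio.h>
#include <string.h>
#if defined(__has_include)
# if __has_include(<openssl/opensslv.h>)
#  include <openssl/opensslv.h>   /* macros only, nothing to link against */
# endif
#endif

/* Assumption: OpenSSL 1.0.2 encoded in the pre-3.0 0xMNNFFPPS layout. */
#define DTLS12_MIN_VERSION 0x10002000UL

/* 1 if headers of this version allow a build with DTLS 1.2 support. */
int headers_support_dtls12(unsigned long v) { return v >= DTLS12_MIN_VERSION; }

/* Decode a version number into the familiar "1.0.1e" form; returns buf. */
const char *decode_version(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xF, minor = (v >> 20) & 0xFF;
    unsigned fix = (v >> 12) & 0xFF, patch = (v >> 4) & 0xFF;
    if (major >= 3)                       /* 3.x layout is 0xMNN00PP0 */
        snprintf(buf, len, "%u.%u.%u", major, minor, patch);
    else if (patch >= 1 && patch <= 26)   /* patch 1..26 maps to a..z */
        snprintf(buf, len, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    return buf;
}

int main(void)
{
    char buf[32];
    /* Constructed samples: 1.0.1e, 1.0.1i and 1.0.2 release numbers. */
    unsigned long samples[] = { 0x1000105fUL, 0x1000109fUL, 0x1000200fUL };
    size_t i;
#ifdef OPENSSL_VERSION_NUMBER
    unsigned long hv = OPENSSL_VERSION_NUMBER;
    printf("headers on include path: %s, DTLS 1.2 capable: %s\n",
           decode_version(hv, buf, sizeof buf),
           headers_support_dtls12(hv) ? "yes" : "no");
#else
    puts("no OpenSSL headers found on the include path");
#endif
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %s: DTLS 1.2 capable: %s\n",
               decode_version(samples[i], buf, sizeof buf),
               headers_support_dtls12(samples[i]) ? "yes" : "no");
    return 0;
}
```

If the first line of output still shows a 1.0.1 version after installing 1.0.2 from source, the compiler is finding the distribution's openssl-devel headers first, whatever `openssl version` prints.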
I am also having trouble with this google chrome update. I have used both asterisk 11 and asterisk 13, but if I use a new OS then both asterisk 11 and asterisk 13 work. So I am pretty sure it’s not related to the asterisk version but maybe open ssl version? Using OpenSSL 1.0.1i-fips 6 Aug 2014
Unfortunately FreePBX 13 and the original distro it ran on (SNG6, IIRC) are very old and aren’t really receiving significant updates at this point. This is a bit of hard news for you, but it might be the appropriate time to consider updating to a newer distro.
Also, Asterisk 13 just went into security fix only mode, so moving to a currently supported version of Asterisk (like 16) is probably also a good idea.