[jitsi-dev] [jitsi-videobridge] Tear down DTLS-protected media session if the fingerprint does not match the hashed certificate (#78)


#1

Gavin Llewellyn wrote:

I noticed something in a JVB log file that has me concerned:

2015-06-28 16:43:34.267 WARNING: [12159] org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.warn() Failed to verify and/or validate a certificate offered over the media path against fingerprints declared over the signaling path! No fingerprints declared over the signaling path!

The root cause of the lack of fingerprints may be that we’re not driving the REST interface correctly; I haven’t looked into that yet. What worries me is that the media is working despite this warning message. JVB has apparently been unable to verify the fingerprint, but continues regardless. Surely this is not a good idea.

Looking at the code in DtlsControlImpl, it appears a similar result would arise if the fingerprint was signalled but did not match: verifyAndValidateCertificate() prints a warning and returns false, but the return value is never used. According to a comment in that file, not tearing down the connection appears to be deliberate. Am I missing something?

···

---
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78


#2

The media session is now torn down by default if the fingerprint does not match the hashed certificate in jitsi/libjitsi commit d364e8e13e49f8f4e80104fe92c02cff39b6c1a6. This issue may be closed after the modifications bubble up to jitsi/jitsi-videobridge and/or its nightly build.

···

---
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78#issuecomment-126809418


#3

Thanks lyubomir!

···

---
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78#issuecomment-127178377


#4

Closed #78.

···

---
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78#event-399339658


#5

@lyubomir I use the latest jvb to build, but now it still show this error, how to fix it?

JVB 2016-04-19 17:02:55.498 SEVERE: [131] org.jitsi.impl.neomedia.transform.dtls.TlsServerImpl.error() Failed to verify and/or validate client certificate!
java.io.IOException: No fingerprints declared over the signaling path!
	at org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.verifyAndValidateCertificate(DtlsControlImpl.java:858)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.verifyAndValidateCertificate(DtlsControlImpl.java:947)
	at org.jitsi.impl.neomedia.transform.dtls.TlsServerImpl.notifyClientCertificate(TlsServerImpl.java:417)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.notifyClientCertificate(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.processClientCertificate(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.serverHandshake(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.accept(Unknown Source)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer.runInConnectThread(DtlsPacketTransformer.java:1048)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer.access$100(DtlsPacketTransformer.java:40)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer$2.run(DtlsPacketTransformer.java:1277)
JVB 2016-04-19 17:02:55.500 SEVERE: [131] org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer.error() Failed to accept a connection from a DTLS client!
java.io.IOException: No fingerprints declared over the signaling path!
	at org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.verifyAndValidateCertificate(DtlsControlImpl.java:858)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsControlImpl.verifyAndValidateCertificate(DtlsControlImpl.java:947)
	at org.jitsi.impl.neomedia.transform.dtls.TlsServerImpl.notifyClientCertificate(TlsServerImpl.java:417)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.notifyClientCertificate(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.processClientCertificate(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.serverHandshake(Unknown Source)
	at org.bouncycastle.crypto.tls.DTLSServerProtocol.accept(Unknown Source)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer.runInConnectThread(DtlsPacketTransformer.java:1048)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer.access$100(DtlsPacketTransformer.java:40)
	at org.jitsi.impl.neomedia.transform.dtls.DtlsPacketTransformer$2.run(Dt
···

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78#issuecomment-211813546


#6

@zoomchan-cxj Ihad this issue also , did you solve it already ?

···

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/jitsi/jitsi-videobridge/issues/78#issuecomment-232285457