[openssl-users] Trying to understand DTLS (as it applies to webrtc)

Matt Caswell matt at openssl.org
Fri May 1 20:01:47 UTC 2015

On 01/05/15 20:09, faraz khan wrote:
> Matt,
> Thanks again! To be precise webrtc is using boringssl (Google's fork of
> openssl). From the commits it seems VERY recent but I'm unable to figure
> out the last openssl merge-in. You think this could be the issue? Should
> I try both with boringSSL (its kinda hard to compile webrtc with openSSL
> now since after the move to boringSSL)

Ahhh. BoringSSL. That means a slightly different list of potential
causes (they forked OpenSSL 1.0.2, and have continued to make changes
since then). I've just checked the latest dev version, and that means
possible causes:

- digest check failed processing the Finished message
- CRL signature failure processing the client Certificate
- Overly short RSA key
- Bad RSA decrypt/signature processing the CertificateVerify

To be honest I am more inclined to believe it is a problem on the client
side rather than the WebRTC side. The fact that it goes away after you
restart the client suggests to me that the client is getting itself into
a strange state. Perhaps some kind of memory corruption (either through
client application or openssl bug)?

Anyway I'd suggest two things as next steps:
- Try and figure out how to get more logging out of WebRTC to find out
more specifically what it is complaining about
- Upgrade your OpenSSL version to 1.0.1m


More information about the openssl-users mailing list