[openssl-users] Trying to understand DTLS (as it applies to webrtc)

Kurt Roeckx kurt at roeckx.be
Fri May 1 21:38:08 UTC 2015

On Fri, May 01, 2015 at 09:01:47PM +0100, Matt Caswell wrote:
> On 01/05/15 20:09, faraz khan wrote:
> > Matt,
> > Thanks again! To be precise webrtc is using boringssl (Google's fork of
> > openssl). From the commits it seems VERY recent but I'm unable to figure
> > out the last openssl merge-in. You think this could be the issue? Should
> > I try both with boringSSL (its kinda hard to compile webrtc with openSSL
> > now since after the move to boringSSL)
> Ahhh. BoringSSL. That means a slightly different list of potential
> causes (they forked OpenSSL 1.0.2, and have continued to make changes
> since then). I've just checked the latest dev version, and that means
> possible causes:
> - digest check failed processing the Finished message
> - CRL signature failure processing the client Certificate
> - Overly short RSA key
> - Bad RSA decrypt/signature processing the CertificateVerify
> To be honest I am more inclined to believe it is a problem on the client
> side rather than the WebRTC side. The fact that it goes away after you
> restart the client suggests to me that the client is getting itself into
> a strange state. Perhaps some kind of memory corruption (either through
> client application or openssl bug)?
> Anyway I'd suggest two things as next steps:
> - Try and figure out how to get more logging out of WebRTC to find out
> more specifically what it is complaining about
> - Upgrade your OpenSSL version to 1.0.1m

He could also try to use something like valgrind to see if memory
gets corrupted, or use build it using address sanitizer.


More information about the openssl-users mailing list