
WHIP from OBS v30.1.2 on Windows/Apple platforms fails to establish DTLS session with "Bad certificate" reply from OBS #1190

Open
ianzag opened this issue May 22, 2024 · 5 comments

Comments

@ianzag

ianzag commented May 22, 2024

Dear developers,

I have an issue with the recently released OBS v30.1.2 and WHIP streaming. I'm trying to broadcast a media stream to a WHIP-compatible server. The problem is that the DTLS handshake fails with the Windows/Apple OBS official builds but can be successfully established with the Linux official build. There is not much in the OBS logs in either case, but I got SDP exchange and DTLS network traffic traces. It looks like, depending on OBS's platform (and the TLS engine used?), it behaves slightly differently. Please see the attached traces. I will be glad to supply any additional info. Thanks!
Bad_DTLS.txt
Bad_SDP.txt
Good_DTLS.txt
Good_SDP.txt

@paullouisageneau
Owner

It looks indeed like a different TLS library behaving differently.

@Sean-Der Is the TLS library in OBS builds for Linux different from the one for Windows and OSX? I guess Windows and OSX rely on Mbed TLS so it would be an issue specific to MbedTLS.

@Sean-Der
Contributor

@paullouisageneau exactly!

Sorry I missed this. @ianzag, is this still a problem? Could I test against a server that has the issue?

@ianzag
Author

ianzag commented Jun 17, 2024

@Sean-Der, pardon the late response; I've had very busy days. I'll check whether it's still applicable tomorrow. On the server side there's an ordinary OpenSSL DTLS state machine, so I believe it can be wrapped into a dedicated regression test: how FooSSL performs with BarSSL.

@Sean-Der
Contributor

Sean-Der commented Nov 4, 2024

@ianzag Is this still a problem? Maybe an OBS upgrade fixed it?

@ianzag
Author

ianzag commented Dec 1, 2024

It looks like we've found the problem. In short: if the server's DTLS self-signed certificate does not have a Common Name, it is rejected by the client when the client runs mbedTLS. So when OBS broadcasting fails with a "Bad Certificate" DTLS failure, first check that the server returns a correct certificate with the Common Name included. I'm not sure whether the CN's value makes any difference, but it must be returned by the server somehow. OpenSSL does not have such a constraint and runs DTLS with certificates without a CN field just fine.

I believe this issue can be closed. Just add a note to the docs that a CN is required.
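The server-side check suggested in the comment above, as an added example that is not part of this issue thread, of the libdatachannel project or of OBS: a POSIX shell script that uses the openssl command line to create two self-signed certificates (the organization and host names are constructed for the example), one whose subject has no Common Name and one that includes a CN, and then tests each subject for a CN attribute. Run `cert_has_cn` against the certificate your WHIP endpoint actually serves before suspecting the client's TLS stack.

```shell
#!/bin/sh
# Added example, not code from the issue or the project. Requires the
# openssl CLI; the certificate subjects below are constructed sample values.
set -eu

# Exit 0 if the certificate's subject contains a CN attribute, 1 otherwise.
# -nameopt RFC2253 prints the subject as "subject=CN=...,O=..." with no
# spaces around '=', so a CN component is either first or follows a comma.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        grep -Eq '(^subject=|,)CN='
}

# Write a one-day self-signed RSA certificate for subject $1 to $2, key to $3.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$1" -keyout "$3" -out "$2" 2>/dev/null
}

# Human-readable verdict for one certificate file.
report() {
    if cert_has_cn "$1"; then
        printf '%s: subject has a CN, passes the check described in the issue\n' "$1"
    else
        printf '%s: subject has NO CN, mbedTLS-based clients reject it as "Bad certificate"\n' "$1"
    fi
}

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi

workdir=$(mktemp -d)
# The failing case from the report: a subject with an organization but no CN.
make_self_signed "/O=WHIP-Example" "$workdir/no_cn.pem" "$workdir/no_cn.key"
# The corrected case: the same subject with a CN added.
make_self_signed "/O=WHIP-Example/CN=whip.example.test" \
    "$workdir/with_cn.pem" "$workdir/with_cn.key"

report "$workdir/no_cn.pem"
report "$workdir/with_cn.pem"
```

The check only tests for the presence of a CN, matching the observation above that the value itself may not matter; it does not validate anything else about the certificate, and a subject containing a literal "CN=" inside another attribute value would be a false positive for this grep.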
