Intel® Collaboration Suite for WebRTC
Community support and discussions on the Intel® Collaboration Suite for WebRTC (Intel® CS for WebRTC).

Edge remote stream failing with DTLS Handshake error

Mark_d_10
Beginner
774 Views

Hello,

Today we were trying to test the support for Edge.
Our situation is that all connections must be secured over SSL.

With both mixing and forward streams, the Edge browser shows the local webcam stream, however remote streams are never received; after around 30 seconds something happens with the remote stream, but it appears in black so it is pretty useless.
In the console I see a DTLS Handshake failure.
In a Wireshark trace I see it connects to the Intel WebRTC app server, and afterwards it shows the DTLS error, so it is not running through a TURN server at the moment.

If it connects with DTLS to video_agent and it is expecting a certificate, then it would certainly fail, because on video_agent there is no possibility to configure a certificate.

Also with other tests in a basicExample that worked with Firefox/Chrome, Edge does not show remote stream at all...

I've tested with v3.3.1, v3.4 and v3.4.1. Results are all the same.

How can we get Edge to work?

Kind regards

0 Kudos
8 Replies
YanbinZ_Intel
Employee

1. You should add Certificate Exceptions if you need an SSL connection. It seems Edge does not support importing a certificate directly, so please try to import the certificate in Control Panel items -> 'Internet Options' -> Certificates. Then restart again.

2. Could you please provide your Edge version, and please try the latest Edge version, 40.15063.0.0.

0 Kudos
Mark_d_10
Beginner

1. Why do I need to import my certificate when it is a valid certificate supplied by a certified Certificate Authority? E.g. Comodo

2. I am using the latest version of Edge you mention. All latest Windows Updates are installed.

0 Kudos
YanbinZ_Intel
Employee

If your client side has already imported a valid root certificate, it is supposed to work fine. Did you set the certificate configuration on the MCU server side?

0 Kudos
Mark_d_10
Beginner

- Today I created a new test machine locally, but Edge is still not working; I now get a black stream back from the server, while in both Chrome and Firefox it is working perfectly.

- The Coturn TURN server is also running on the locally installed server.

- The Edge console log now shows some different messages as well: "unknown ice connection state: connecting" and then a "MCU reports connection failed for stream: 502874230393366200" and after that: "unknown ice connection state: new"

- The certificates I used this time were the ones that were default in the MCU installation package. I added this one to my Trusted certificates as you suggested earlier.

- After I tried again with my own certificates, the result is exactly the same as with the supplied certificate from the installation package (webrtc.intel.com)

- Is there any way to proceed with this? Are there logs that can help with further troubleshooting?

I found in the installation manual the following:
We use PFX formatted certificates in MCU. See https://nodejs.org/api/tls.html for how to generate a self-signed certificate by openssl utility. We recommend using 2048-bits private key for the certificates. But if you meet DTLS SSL connection error in your environment, please use 1024-bit instead of 2048-bit private key because of a known network MTU issue.

Can this be a cause? Because I think nowadays 2048 bit private keys seem to be very common.

0 Kudos
Chunbo_H_Intel1
Employee

Hi Mark,

Could you help run the following or similar logic in Edge CLI to check whether RTCDtlsTransport works by your local settings?

    var ga = new RTCIceGatherer({ "gatherPolicy": "all", "iceServers": [] });
    var tr = new RTCIceTransport(ga);
    var dtls = new RTCDtlsTransport(tr);

0 Kudos
Mark_d_10
Beginner

Hi Chunbo,

- The DTLS issue was related to the certificate with the 2048-bit key... but with a self-signed certificate with a 1024-bit key on webrtc-agent, all the browsers do not give any error... So it seems that browsers do not check certificates for DTLS connections anyway.
- Edge was not working without a STUN/TURN server configured; even if the WebRTC server is in the same local network, it needs a TURN configuration for it to work.

So it is working now.

0 Kudos
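The key-size finding reported above can be checked against the PFX the MCU actually loads. This added example (not from the thread or from Intel's package) uses the openssl utility the manual mentions to report the RSA key size and the encoded certificate size of a PFX; the demo bundles, the passphrase `demo-pass` and the subject `mcu.example.test` are constructed.

```shell
#!/usr/bin/env bash
# Added example: inspect the certificate inside a PFX (PKCS#12) bundle.
# File names, passphrase and subject below are constructed for the demo.
set -eu

# Print the leaf certificate from a PFX as PEM. Args: FILE PASSPHRASE
pfx_cert_pem() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509
}

# Print the public-key size in bits (for example 2048). Args: FILE PASSPHRASE
pfx_key_bits() {
    pfx_cert_pem "$1" "$2" | openssl x509 -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the size in bytes of the DER-encoded certificate, which is what the
# server sends in its DTLS handshake Certificate message over UDP.
pfx_cert_der_bytes() {
    pfx_cert_pem "$1" "$2" | openssl x509 -outform DER | wc -c | tr -d ' '
}

# Build a throwaway self-signed PFX for the demo. Args: BITS OUTFILE PASSPHRASE
make_test_pfx() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=mcu.example.test" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$2" -passout "pass:$3"
    rm -rf "$tmp"
}

# Compare a 1024-bit and a 2048-bit bundle side by side.
demo() {
    work=$(mktemp -d)
    for bits in 1024 2048; do
        make_test_pfx "$bits" "$work/$bits.pfx" demo-pass
        echo "rsa:$bits -> key $(pfx_key_bits "$work/$bits.pfx" demo-pass) bit," \
             "cert $(pfx_cert_der_bytes "$work/$bits.pfx" demo-pass) bytes DER"
    done
    rm -rf "$work"
}
demo
```

Run `pfx_key_bits` and `pfx_cert_der_bytes` against the server's own PFX and passphrase to confirm which key size is deployed. The manual itself recommends 2048-bit keys, and 1024-bit RSA is below current minimum key-size guidance, so treat the smaller key as a workaround.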
Chunbo_H_Intel1
Employee

Hi Mark,

Yes, the DTLS cert length is a limitation of the Edge browser SDK now.

Regarding the second item, do you mean that you specifically set a TURN configuration for Edge, even though it will have a local network connection to the MCU server? If so, could you let us know your network deployment between Edge and its MCU server, and the TURN setting you're using?

Thanks!

0 Kudos
Mark_d_10
Beginner

With the TURN it might be related to my workstation, because then Chrome also stopped... Sometimes after a restart it works for an hour or so, but afterwards it stops working again. With TURN configured, in general it is always working.

The IP address of my workstation is 10.0.0.2 on a 255.255.252.0 subnet.
The testing server was on IP 10.0.1.50 on a 255.255.252.0 subnet.
So it should be able to connect directly; no firewalls were running during the test, those were disabled.

For TURN I used a local coturn instance.

0 Kudos