webrtc dtls默认采用https证书,如果https证书不存在则随机生成 (#2928)

之前默认随机创建dtls证书,导致每次启动证书都不一致,而Firefox要求同主机的dtls证书必须一致,所以导致每次服务重启,Firefox可能拒绝dtls握手。
并且在集群模式下,如果Firefox接入多个不同集群实例的webrtc服务,也可能导致webrtc dtls握手失败。
This commit is contained in:
夏楚 2023-10-25 17:50:29 +08:00 committed by GitHub
parent 0a19627d86
commit ae662fa083
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 59 deletions

@ -1 +1 @@
Subproject commit 273592b6ba39babe6407021ffc089bfe7328e447 Subproject commit 3fd2b856b6856dd679a32c673431561c0affdd0c

View File

@ -29,6 +29,8 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <cstdio> // std::sprintf(), std::fopen() #include <cstdio> // std::sprintf(), std::fopen()
#include <cstring> // std::memcpy(), std::strcmp() #include <cstring> // std::memcpy(), std::strcmp()
#include "Util/util.h" #include "Util/util.h"
#include "Util/SSLBox.h"
#include "Util/SSLUtil.h"
using namespace std; using namespace std;
@ -129,16 +131,10 @@ namespace RTC
MS_TRACE(); MS_TRACE();
// Generate a X509 certificate and private key (unless PEM files are provided). // Generate a X509 certificate and private key (unless PEM files are provided).
if (true /* auto ssl = toolkit::SSL_Initor::Instance().getSSLCtx("", true);
Settings::configuration.dtlsCertificateFile.empty() || if (!ssl || !ReadCertificateAndPrivateKeyFromContext(ssl.get())) {
Settings::configuration.dtlsPrivateKeyFile.empty()*/)
{
GenerateCertificateAndPrivateKey(); GenerateCertificateAndPrivateKey();
} }
else
{
ReadCertificateAndPrivateKeyFromFiles();
}
// Create a global SSL_CTX. // Create a global SSL_CTX.
CreateSslCtx(); CreateSslCtx();
@ -297,59 +293,22 @@ namespace RTC
MS_THROW_ERROR("DTLS certificate and private key generation failed"); MS_THROW_ERROR("DTLS certificate and private key generation failed");
} }
void DtlsTransport::DtlsEnvironment::ReadCertificateAndPrivateKeyFromFiles() bool DtlsTransport::DtlsEnvironment::ReadCertificateAndPrivateKeyFromContext(SSL_CTX *ctx)
{ {
#if 0
MS_TRACE(); MS_TRACE();
certificate = SSL_CTX_get0_certificate(ctx);
FILE* file{ nullptr }; if (!certificate) {
return false;
file = fopen(Settings::configuration.dtlsCertificateFile.c_str(), "r");
if (!file)
{
MS_ERROR("error reading DTLS certificate file: %s", std::strerror(errno));
goto error;
} }
X509_up_ref(certificate);
certificate = PEM_read_X509(file, nullptr, nullptr, nullptr); privateKey = SSL_CTX_get0_privatekey(ctx);
if (!privateKey) {
if (!certificate) return false;
{
LOG_OPENSSL_ERROR("PEM_read_X509() failed");
goto error;
} }
EVP_PKEY_up_ref(privateKey);
fclose(file); InfoL << "Load webrtc dtls certificate: " << toolkit::SSLUtil::getServerName(certificate);
return true;
file = fopen(Settings::configuration.dtlsPrivateKeyFile.c_str(), "r");
if (!file)
{
MS_ERROR("error reading DTLS private key file: %s", std::strerror(errno));
goto error;
}
privateKey = PEM_read_PrivateKey(file, nullptr, nullptr, nullptr);
if (!privateKey)
{
LOG_OPENSSL_ERROR("PEM_read_PrivateKey() failed");
goto error;
}
fclose(file);
return;
error:
MS_THROW_ERROR("error reading DTLS certificate and private key PEM files");
#endif
} }
void DtlsTransport::DtlsEnvironment::CreateSslCtx() void DtlsTransport::DtlsEnvironment::CreateSslCtx()

View File

@ -88,7 +88,7 @@ namespace RTC
private: private:
DtlsEnvironment(); DtlsEnvironment();
void GenerateCertificateAndPrivateKey(); void GenerateCertificateAndPrivateKey();
void ReadCertificateAndPrivateKeyFromFiles(); bool ReadCertificateAndPrivateKeyFromContext(SSL_CTX *ctx);
void CreateSslCtx(); void CreateSslCtx();
void GenerateFingerprints(); void GenerateFingerprints();

View File

@ -251,7 +251,7 @@ void WebRtcTransport::sendSockData(const char *buf, size_t len, RTC::TransportTu
} }
Session::Ptr WebRtcTransport::getSession() const { Session::Ptr WebRtcTransport::getSession() const {
auto tuple = _ice_server->GetSelectedTuple(true); auto tuple = _ice_server ? _ice_server->GetSelectedTuple(true) : nullptr;
return tuple ? static_pointer_cast<Session>(tuple->shared_from_this()) : nullptr; return tuple ? static_pointer_cast<Session>(tuple->shared_from_this()) : nullptr;
} }