[Webkit-unassigned] [Bug 219274] New: ICE does not resolve for `turns` relay candidates rooted in LetsEncrypt CA
bugzilla-daemon at webkit.org
Tue Nov 24 06:49:28 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=219274
Bug ID: 219274
Summary: ICE does not resolve for `turns` relay candidates rooted in LetsEncrypt CA
Product: WebKit
Version: Safari Technology Preview
Hardware: Macintosh
OS: Other
Status: NEW
Severity: Normal
Priority: P2
Component: WebRTC
Assignee: webkit-unassigned at lists.webkit.org
Reporter: argggh at whereby.com
CC: youennf at gmail.com
Created attachment 414836
--> https://bugs.webkit.org/attachment.cgi?id=414836&action=review
wireshark screenshot
macOS 11.0.1, Safari Tech Preview 116
Safari is not able to resolve `turns` (TLS) ICE candidates when the TURN servers indicated present TLS certificates that are signed by e.g. the Let's Encrypt CA. This seems to be because Safari relies on the upstream webrtc library's hardcoded, built-in SSL roots list. Apparently, one is supposed to override this TLS certification mechanism when integrating the webrtc library. The hard-coded list only contains CA roots required to connect to Google services. Any TURN servers relying on TLS CA vendors not on the hard-coded list will not work for `turns` relay under Safari.
To test, open two tabs towards https://whereby.com/turn-tls-test?turn=onlytls under Safari and observe that black video frames result. Firefox and Chrome (presumably) use their own built-in TLS verification mechanism for `turns`, and are able to resolve ICE candidates for the same test. See appended Wireshark screenshot showing the Safari client aborting the TLS handshake with "Alert (Level: Fatal, Description: Unknown CA)".
There is extensive background discussion here https://groups.google.com/g/discuss-webrtc/c/4MmARU0XYqc/m/QppVNJiEAAAJ, and there's also a WebRTC tracking bug here https://bugs.chromium.org/p/webrtc/issues/detail?id=11710.
Thanks,
Arne.
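
Added example, not part of the original report and not WebKit or webrtc code: a local reproduction of the failure mode described above, where a certificate that chains to a valid root is rejected because the verifier only consults a fixed root list. It assumes the `openssl` CLI is installed; the CA names `builtin-root` and `public-root` and the host `turn.example.test` are constructed stand-ins, not the library's real list or a real server.

```shell
#!/usr/bin/env bash
# Constructed demo: every CA, key and host name below is generated locally.
set -euo pipefail

# make_root NAME DIR: create a self-signed root CA (DIR/NAME.pem, DIR/NAME.key).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# issue_leaf HOST ROOT DIR: write DIR/leaf.pem for HOST, signed by DIR/ROOT.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3/leaf.key" -out "$3/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$3/leaf.csr" -CA "$3/$2.pem" -CAkey "$3/$2.key" \
    -CAcreateserial -days 1 -out "$3/leaf.pem" 2>/dev/null
}

# check_chain BUNDLE CERT: print "trusted" if CERT chains to a root in BUNDLE,
# otherwise "unknown-ca" (the condition behind the TLS alert in the report).
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_root builtin-root "$work"   # stands in for the fixed built-in list
make_root public-root "$work"    # stands in for a CA missing from that list
issue_leaf turn.example.test public-root "$work"

echo "built-in list only:    $(check_chain "$work/builtin-root.pem" "$work/leaf.pem")"
cat "$work/builtin-root.pem" "$work/public-root.pem" > "$work/extended.pem"
echo "list plus the CA root: $(check_chain "$work/extended.pem" "$work/leaf.pem")"
```

The same `openssl verify -CAfile` check can be pointed at a TURN server's real leaf and intermediate certificates to see which root bundle accepts them.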