aiortc: DTLS Bio read buffer is too small and not compatible with ecdsa-with-SHA256 key/cert with CA
With a Janus DTLS certificate of 4096 bits, the DTLS handshake times out; the transaction never succeeds.
A related issue was solved a few years ago on the Janus side: https://github.com/meetecho/janus-gateway/issues/252
After investigation it appears that the SSL bio_read buffer is too small to read the full certificate.
I did some tests and I suggest increasing the bio_read buffer size from:
```python
try:
    data = self.ssl.bio_read(1500)
except SSL.Error:
    data = b""
...
```
to a bigger value:
```python
try:
    data = self.ssl.bio_read(8192)
except SSL.Error:
    data = b""
...
```
It will also solve this closed issue: https://github.com/aiortc/aiortc/issues/346
An alternative, not tested, could be to read all the bio_read data in a loop and send the full buffer afterwards, at https://github.com/aiortc/aiortc/blob/d30b6f75d4457204b1ab336106a248d535be053a/src/aiortc/rtcdtlstransport.py#L634
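An added example (not aiortc's own code) of the loop approach suggested above: drain the write BIO completely instead of a single fixed-size read, then split the drained buffer on DTLS record boundaries so each record can be sent as its own datagram. `FakeBio`, `WantReadError` and the `FLIGHT` bytes are constructed stand-ins for a pyOpenSSL `Connection` and the handshake flight it queues; a real connection raises `SSL.WantReadError` (a subclass of `SSL.Error`) when the BIO is empty.

```python
DTLS_RECORD_HEADER = 13  # type(1) + version(2) + epoch(2) + seq(6) + length(2)

class WantReadError(Exception):
    """Stand-in for OpenSSL.SSL.WantReadError (constructed for this example)."""

class FakeBio:
    """Mimics Connection.bio_read() over an in-memory write BIO (constructed)."""
    def __init__(self, pending: bytes):
        self._buf = pending

    def bio_read(self, size: int) -> bytes:
        if not self._buf:
            raise WantReadError()
        chunk, self._buf = self._buf[:size], self._buf[size:]
        return chunk

def drain_bio(ssl, chunk_size: int = 1500) -> bytes:
    """Read everything OpenSSL has queued, not just the first chunk_size bytes."""
    out = bytearray()
    while True:
        try:
            out += ssl.bio_read(chunk_size)
        except WantReadError:
            return bytes(out)

def split_records(data: bytes) -> list:
    """Cut a drained buffer into individual DTLS records via the 2-byte length field."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < DTLS_RECORD_HEADER:
            raise ValueError("truncated DTLS record header")
        length = int.from_bytes(data[pos + 11:pos + 13], "big")
        end = pos + DTLS_RECORD_HEADER + length
        if end > len(data):
            raise ValueError("truncated DTLS record body")
        records.append(data[pos:end])
        pos = end
    return records

def make_record(body: bytes, seq: int) -> bytes:
    """Build one DTLS 1.2 handshake record (type 0x16, version 0xfefd, epoch 0)."""
    header = b"\x16\xfe\xfd\x00\x00" + seq.to_bytes(6, "big") + len(body).to_bytes(2, "big")
    return header + body

# Constructed flight: three 713-byte records (2139 bytes), larger than one 1500-byte read.
FLIGHT = b"".join(make_record(bytes([i]) * 700, i) for i in range(3))

def demo():
    truncated = FakeBio(FLIGHT).bio_read(1500)   # what a single bio_read(1500) returns
    full = drain_bio(FakeBio(FLIGHT))             # the loop returns the whole flight
    return len(truncated), len(full), [len(r) for r in split_records(full)]
```

The size of each record is still chosen by the DTLS stack from its configured MTU, so draining the BIO fixes the truncation but does not by itself keep records below the path MTU.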
It will be framed across multiple UDP datagrams. DTLS explicitly frames for that purpose.
8192 bytes seems sensible for large x509 certificates using RSA 4096. If it resolves the problem for you, I’d suggest making a PR for it.
Edit: This probably won’t resolve your issue. You’ll have to tell the DTLS stack the maximum MTU so that it fragments accordingly. Similar to https://github.com/versatica/mediasoup/pull/1143
Any status?