DTLS client received unexpected alert: fatal(2), bad_record_mac(20) #969

Closed
akamilkhan opened this issue Jul 20, 2023 · 7 comments · Fixed by #1022

@akamilkhan

I am getting the following error once I run WebRTC caller and callee application on the same computer.

[16:30:28 WRN] DTLS client received unexpected alert: fatal(2), bad_record_mac(20).
[16:30:28 WRN] DTLS unexpected Fatal alert bad_record_mac: bad_record_mac(20)
[16:30:28 ERR] SCTP fatal error processing RTCSctpTransport receive. Org.BouncyCastle.Crypto.Tls.TlsFatalAlert: bad_record_mac(20)
   at Org.BouncyCastle.Crypto.Tls.DtlsTransport.Receive(Byte[] buf, Int32 off, Int32 len, Int32 waitMillis)
   at SIPSorcery.Net.RTCSctpTransport.DoReceive(Object state)

@camnewnham
Contributor

While not sure on the exact cause of your issue, you might try this fork/branch which uses the new bouncycastle APIs (2+): https://github.com/camnewnham/sipsorcery/tree/bouncycastle-2

Once I have done further testing on it I will PR it here.

@lostmsu
Contributor

lostmsu commented Oct 19, 2023

I'm getting the same over an extensively used data channel.

@camnewnham what's your progress on that PR?

@camnewnham
Contributor

> I'm getting the same over an extensively used data channel.
>
> @camnewnham what's your progress on that PR?

I'm using the aforementioned branch in production and haven't seen this issue recur.

I haven't made a PR yet as there were two changes that were not straightforward to port - they don't affect my usage but I am unsure of their impact in a broader context:

  • Implement legacy DtlsUtils.ConvertBouncyCert
  • Investigate whether we need to do something with DtlsSrtpServer.GetSelectedCipherSuite (SupportsClientEccCapabilities)

@lostmsu
Contributor

lostmsu commented Oct 22, 2023

@camnewnham your branch seems to fix the issue for me. How can I help with getting the PR out?

P.S. considering dependency major version bump, SIPSorcery's major version must also be increased AFAIU.

@camnewnham
Contributor

Thanks @lostmsu, had another look over this - seems fine, have made a PR.

@lostmsu
Contributor

lostmsu commented Dec 29, 2023

@sipsorcery since the PR was reverted this issue should be reopened.

@sipsorcery
Member

I did implement some changes to the DTLS cipher suite selection as well as switching the default signature algorithm to ECDSA. While it does not directly address the cause of the "bad mac" alert it might make a difference. All the browsers have switched from RSA to ECDSA as default and that should help with general DTLS issues.
