Skip to main content

Safari (older than 14.1.1) rejects TLS connections of TURN with Let's Encrypt certificates

Summary

We could not make a video call successfully on Safari older than 14.1.1. The call kept disconnecting for some seconds. We got the following error in Nginx’s log

SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48 

Root cause

The Safari didn’t trust our TLS certificates (certified by Let’s Encrypt) when establishing a TLS connection into our TURN server. It is a known issue that could be found at Bug 219274 - ICE does not resolve for `turns` relay candidates rooted in LetsEncrypt CA. The issue was just recently fixed (end of 2020), therefore old versions of Safari still meet the issues. 

Solution

In our development environment, we replaced the untrusted certificate with a trusted one. We will warn our customers about this issue in our installation guide.

Technical explained


WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all iOS web browsers. The WebRTC of WebKit relied on the upstream WebRTC library which the source code can be found here.

The WebRTC library contains its own hardcoded/fixed list of trusted root CA (Certification Authority). The list can be found here (source code). And, this list doesn’t contain the root CA of certificates generated by Let’s Encrypt.

In order to establish a TLS connection to our TURN server, Safari will verify the certificates are valid or not by using the WebRTC library. Therefore, the certificate verification was failed.

We needed to have a certificate with a root CA exist in the mentioned hardcoded list for a workaround. We just requested a free certificate from “ZeroSSL” which uses “USERTrust RSA Certification Authority” as its root CA. We can check the CA information of a certificate as the following command:

1openssl x509 -subject -issuer -noout -in /path/to/the/ca.pem

Or, by an online TLS checker such as SSL Checker.

The issue was fixed in the latest versions of WebKit so that there is no issue with the newest Safari. The status was updated at Bug 219274 - ICE does not resolve for `turns` relay candidates rooted in LetsEncrypt CA.

Labels:

Comments

Post a Comment

Popular posts from this blog

Coders are NERDS | Learning English with Podcast

Let's learn three English vocabulary words based on real-life context through a humorous video about the life of software coders, especially at big tech companies when they work from home. Credit to Joma Tech. 🤓
Post a Comment
Read more

Junit - Test fails on French or German string assertion

In my previous post about building a regex to check a text without special characters but allow German and French . I met a problem that the unit test works fine on my machine using Eclipse, but it was fail when running on Jenkins' build job. Here is my test: @Test public void shouldAllowFrenchAndGermanCharacters(){ String source = "ÄäÖöÜüß áÁàÀâÂéÉèÈêÊîÎçÇ"; assertFalse(SpecialCharactersUtils.isExistSpecialCharater(source)); } Production code: public static boolean isExistNotAllowedCharacters(String source){ Pattern regex = Pattern.compile("^[a-zA-Z_0-9_ÄäÖöÜüß áÁàÀâÂéÉèÈêÊîÎçÇ]*$"); Matcher matcher = regex.matcher(source); return !matcher.matches(); } The result likes the following: Failed tests: SpecialCharactersUtilsTest.shouldAllowFrenchAndGermanCharacters:32 null A guy from stackoverflow.com says: "This is probably due to the default encoding used for your Java source files. The ö in the string literal in the J...
5 comments
Read more

[Snippet] CSS - Child element overlap parent

I searched from somewhere and found that a lot of people says a basic concept for implementing this feature looks like below: HTML code: <div id="parent">  <div id="child">  </div> </div> And, CSS: #parent{   position: relative;   overflow:hidden; } #child{   position: absolute;   top: -1;   right: -1px; } However, I had a lot of grand-parents in my case and the above code didn't work. Therefore, I needed an alternative. I presumed that my app uses Boostrap and AngularJs, maybe some CSS from them affects mine. I didn't know exactly the problem, but I believed when all CSS is loaded into my browser, I could completely handle it. www.tom-collinson.com I tried to create an example to investigated this problem by Fiddle . Accidentally, I just changed: position: parent; to position: static; for one of parents -> the problem is solved. Look at my code: <div class="modal-body dn-placeholder-parent-positi...
Post a Comment
Read more

Functional programming in Java 8

In my previous post , we discussed about why we should consider to use functional programming. Now, let's delve into what functional programming in Java is. What is pure functional programming? Shortly,  f unctional programming is programming using functions. A function corresponds to a mathematical function such as log, sin. Basically, it takes zero or more arguments, give one or more result, and has no side effects. We can't completely program in pure functional style in Java Why?  For example, calling Scanner.nextLine twice typically gives different result. So, it's just called "functional-style programming". How is that? - There is no mutating structures visible to callers. That means your side effect may not be visible to a program, but it's visible to the programmer in terms of slower execution. - A function or method shouldn't throw any exceptions (follows the concept "pass arguments, return result"). We can use types like Opti...
Post a Comment
Read more

The HelloWorld example of JSF 2.2 with Myfaces

I just did by myself create a very simple app "HelloWorld" of JSF 2.2 with a concrete implementation Myfaces that we can use it later on for our further JSF trying out. I attached the source code link at the end part. Just follow these steps below: 1. Create a Maven project in Eclipse (Kepler) with a simple Java web application archetype "maven-archetype-webapp". Maven should be the best choice for managing the dependencies , so far. JSF is a web framework that is the reason why I chose the mentioned archetype for my example. 2. Import dependencies for JSF implementation - Myfaces (v2.2.10) into file pom.xml . The following code that is easy to find from  http://mvnrepository.com/  with key words "myfaces". <dependency> <groupId>org.apache.myfaces.core</groupId> <artifactId>myfaces-api</artifactId> <version>2.2.10</version> </dependency> <dependency> <groupId>org.apache.myfaces.core<...
Post a Comment
Read more