[asterisk-bugs] [JIRA] (ASTERISK-22961) DTLS-SRTP not working with SHA-256

Lorenzo Miniero (JIRA) noreply at issues.asterisk.org
Wed Dec 11 04:23:03 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=212828#comment-212828 ] 

Lorenzo Miniero commented on ASTERISK-22961:
--------------------------------------------

I'll prepare a patch shortly and submit it here.

At a first glance, the problem here seems to be the code that parses the fingerprint attribute in chan_sip.c, which assumes sha-1. My patch also checks for "sha-2" (the first 5 characters of sha-256) and generates sha-256 when forging SDP. This meant that in res_rtp_asterisk.c I had to change the hashing algorithm from SHA-1 to SHA-256, of course. There are other things my patch changed/fixed, but this was the most immediate one, and the others may have been taken care of in the code base in the meanwhile (I worked on Asterisk 11.1.2).
                
> DTLS-SRTP not working with SHA-256
> ----------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>            Assignee: Jay Jideliov
>
> Recently it became possible to use WebSocket on Asterisk without the proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser interoperability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, because Firefox sends SHA-256 packets, which are not supported by Asterisk, support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
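The warning above shows the fingerprint hash name being cut to five characters ('sha-2'). As an added illustration, not part of the issue or of Lorenzo's patch, the following C parser reads the whole hash-function token of an SDP a=fingerprint attribute and compares it in full, so sha-1 and sha-256 are both recognised and an unknown name is rejected rather than mis-classified; the hash names and digest lengths follow RFC 4572, and the fingerprints used to exercise it are constructed sample values.

```c
#include <string.h>
#include <ctype.h>

/* Hash algorithms named in an SDP a=fingerprint attribute (RFC 4572). */
enum fp_hash { FP_UNKNOWN = 0, FP_SHA1, FP_SHA256 };

struct fingerprint {
    enum fp_hash hash;
    char value[128]; /* colon-separated hex pairs, e.g. "AB:CD:..." */
};

/* Parse "a=fingerprint:<hash-func> <fingerprint>" ("a=" optional, trailing CRLF
 * ignored). The hash-func token is read up to the separating space and compared
 * in full, so "sha-256" is never reduced to its first five characters "sha-2".
 * The digest length must match the hash: 20 bytes for SHA-1 (59 chars with
 * colons), 32 for SHA-256 (95 chars). Returns 1 on success, 0 otherwise. */
int parse_fingerprint(const char *line, struct fingerprint *out)
{
    const char *p = line;
    char name[32];
    size_t n = 0, len, want, i;

    out->hash = FP_UNKNOWN; out->value[0] = '\0';
    if (strncmp(p, "a=", 2) == 0) p += 2;
    if (strncmp(p, "fingerprint:", 12) != 0) return 0;
    p += 12;

    /* hash-func token: everything up to the first space, lower-cased */
    while (*p && *p != ' ' && n < sizeof(name) - 1)
        name[n++] = (char)tolower((unsigned char)*p++);
    name[n] = '\0';
    if (*p != ' ') return 0;
    while (*p == ' ') p++;

    if (strcmp(name, "sha-1") == 0) { out->hash = FP_SHA1; want = 59; }
    else if (strcmp(name, "sha-256") == 0) { out->hash = FP_SHA256; want = 95; }
    else return 0; /* unsupported hash: report it, do not guess */

    /* fingerprint: exactly `want` chars of hex pairs separated by ':' */
    len = strcspn(p, "\r\n");
    if (len != want) return 0;
    for (i = 0; i < len; i++) {
        int ok = (i % 3 == 2) ? (p[i] == ':') : isxdigit((unsigned char)p[i]);
        if (!ok) return 0;
    }
    memcpy(out->value, p, len);
    out->value[len] = '\0';
    return 1;
}
```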
