[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Jay Jideliov (JIRA) noreply at issues.asterisk.org
Fri Dec 13 16:25:04 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=212941#comment-212941 ] 

Jay Jideliov commented on ASTERISK-22961:
-----------------------------------------

So we have finally installed the patch and turned on dtls.

Now, although SHA-256 seems to be working now, testing with SIPML5 we get:

 WARNING[27765][C-00000007]: chan_sip.c:25315 handle_request_invite: a=fingerprint found, creating DTLS configuration


Here's the debug output:
<--- SIP read from WS:24.90.195.17:57012 --->
INVITE sip:888 at 1.1.1.1 SIP/2.0
Via: SIP/2.0/WS df7jal23ls0d.invalid;branch=z9hG4bKeTFcucDeFngTObDDW7LKL1h8cRx2l3RN;rport
From: "1060"<sip:1060 at 1.1.1.1>;tag=H18f7p8mdtQ50lkznEEP
To: <sip:888 at 1.1.1.1>
Contact: "1060"<sip:1060 at df7jal23ls0d.invalid;rtcweb-breaker=yes;click2call=no;transport=ws>;impi=1060;ha1=afc80e86167f09f8148165f43bcc786a;+g.oma.sip-im;+sip.ice;language="en,fr"
Call-ID: 89d77abf-b59a-6344-e55a-3f7585801cc6
CSeq: 1112 INVITE
Content-Type: application/sdp
Content-Length: 1067
Route: <sip:1.1.1.1:5060;lr;sipml5-outbound;transport=udp>
Max-Forwards: 70
Authorization: Digest username="1060",realm="asterisk",nonce="6660fc44",uri="sip:888 at 1.1.1.1",response="6c4047ba82e30c3ae856832ace89df1a",algorithm=MD5
User-Agent: IM-client/OMA1.0 sipML5-v1.2013.08.10B
Organization: Doubango Telecom

v=0
o=Mozilla-SIPUA-27.0a2 3702 1 IN IP4 0.0.0.0
s=Doubango Telecom - firefox
t=0 0
a=ice-ufrag:7e02141e
a=ice-pwd:10bc76edf15551ec91ac2ab2014919a2
a=fingerprint:sha-256 66:26:99:72:9E:21:BF:18:20:D2:9D:CC:A7:C9:A6:98:FE:D9:64:70:72:47:08:CF:CB:82:4F:74:6A:5D:7F:05
m=audio 60857 UDP/TLS/RTP/SAVPF 109 0 8 101
c=IN IP4 24.90.195.17
a=rtpmap:109 opus/48000/2
a=ptime:20
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=setup:actpass
a=candidate:0 1 UDP 2128609535 192.168.0.21 60857 typ host
a=candidate:1 1 UDP 1692467199 24.90.195.17 60857 typ srflx raddr 192.168.0.21 rport 60857
a=candidate:5 1 UDP 2128543999 192.168.220.1 60858 typ host
a=candidate:10 1 UDP 2128478463 192.168.102.1 60859 typ host
a=candidate:0 2 UDP 2128609534 192.168.0.21 60860 typ host
a=candidate:1 2 UDP 1692467198 24.90.195.17 60860 typ srflx raddr 192.168.0.21 rport 60860
a=candidate:5 2 UDP 2128543998 192.168.220.1 60861 typ host
a=candidate:10 2 UDP 2128478462 192.168.102.1 60862 typ host
a=rtcp-mux
<------------->
--- (14 headers 26 lines) ---
Using INVITE request as basis request - 89d77abf-b59a-6344-e55a-3f7585801cc6
Found peer '1060' for '1060' from 24.90.195.17:57012
  == Using SIP RTP CoS mark 5
Found RTP audio format 109
Found RTP audio format 0
Found RTP audio format 8
Found RTP audio format 101
Found unknown media description format opus for ID 109
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
Found audio description format telephone-event for ID 101
[Dec 13 17:15:39] WARNING[27572][C-00000006]: chan_sip.c:10468 process_sdp: Rejecting secure audio stream without encryption details: audio 60857 UDP/TLS/RTP/SAVPF 109 0 8 101



                
> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: asterisk_dtls.patch, res_rtp_asterisk.c
>
>
> Recently it became possible to use WebSocket on Asterisk without the proxy that was previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, due to the fact that Firefox sends SHA-256 packets which are not supported by Asterisk, the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'

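An added example, not part of the original message and not Asterisk's code: a small C parser for the `a=fingerprint` attribute seen in the INVITE above. It keeps the whole hash name instead of cutting it short (the reported warning printed 'sha-2'), checks the digest length against the hash, and applies a session-level fingerprint to the first m= section when no media-level one follows, as RFC 4572 section 5 specifies. The function names and the 16-byte name buffer are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse "a=fingerprint:<hash> <HH:HH:...>"; returns digest bytes or -1. */
static int parse_fingerprint(const char *line, char *hash, size_t cap)
{
    const char *p = line + 14;          /* caller matched "a=fingerprint:" */
    size_t hl = strcspn(p, " \r\n");
    int n = 0;
    if (hl == 0 || hl >= cap || p[hl] != ' ')
        return -1;                      /* reject; never truncate the name */
    memcpy(hash, p, hl);
    hash[hl] = '\0';
    for (p += hl + 1; isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1]); p += 3) {
        n++;
        if (p[2] != ':') { p += 2; break; }
    }
    if (p[-1] == ':' || (*p != '\0' && *p != '\r' && *p != '\n'))
        return -1;                      /* trailing ':' or junk after digest */
    if (strcmp(hash, "sha-256") == 0) return n == 32 ? n : -1;
    if (strcmp(hash, "sha-1") == 0) return n == 20 ? n : -1;
    return -1;                          /* unsupported hash function */
}

/* Fingerprint in effect for the first m= section: the session-level line
 * applies unless a media-level one follows the m= line (the last one wins). */
int first_media_fingerprint(const char *sdp, char *hash, size_t cap)
{
    const char *line;
    int media = 0, result = -1;
    for (line = sdp; *line; line += strcspn(line, "\n"), line += (*line == '\n')) {
        if (strncmp(line, "m=", 2) == 0 && ++media > 1) break;
        if (strncmp(line, "a=fingerprint:", 14) == 0)
            result = parse_fingerprint(line, hash, cap);
    }
    return result;
}

int main(void)
{
    char hash[16];
    const char *sdp = "v=0\r\n"         /* constructed SDP, fingerprint from the INVITE above */
        "a=fingerprint:sha-256 66:26:99:72:9E:21:BF:18:20:D2:9D:CC:A7:C9:A6:98:FE:D9:64:70:72:47:08:CF:CB:82:4F:74:6A:5D:7F:05\r\n"
        "m=audio 60857 UDP/TLS/RTP/SAVPF 109 0 8 101\r\na=setup:actpass\r\n";
    int n = first_media_fingerprint(sdp, hash, sizeof hash);
    printf("%s, %d-byte digest\n", n > 0 ? hash : "rejected", n);
    return 0;
}
```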