[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Lorenzo Miniero (JIRA) noreply at issues.asterisk.org
Thu Dec 19 09:15:03 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=213153#comment-213153 ] 

Lorenzo Miniero commented on ASTERISK-22961:
--------------------------------------------

Jay,

the error you're getting is not in my 11.1.2, and in fact I noticed that it is in 11.6.0 chan_sip.c instead. Anyway, the problem is that Asterisk thinks no crypto stuff related to media lines has been negotiated, despite the fact the fingerprint is there. This is caused by an incomplete check the channel does: in particular, for each media line a process_crypto method is called and, if it is successful, it sets a variable (processed_crypto) to TRUE. The problem here is that that process_crypto method only looks for the SDES crypto attributes, ignoring the fingerprint one that is used for DTLS.

Note to Matt: this is definitely another bug that I think needs to be addressed, since as it is now I really don't think DTLS is supposed to ever work. Is this something you see for Asterisk 13 or for current releases as well?

Jay, since fixing this would need a bit of code mangling (for which unfortunately I have no time at the moment), an easy way to circumvent this right now just for testing if the rest of the patch works fine is manually setting that variable to true before the check that causes the error (that is, where the "Ensure crypto lines are provided where necessary" comment is). This way Asterisk will go on with the SDP processing and should setup the media, ICE, DTLS and so on.
                
> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: asterisk_dtls.patch, chan_sip.c, ice_session.c, res_rtp_asterisk.c, res_rtp_asterisk.c
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser interoperability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, Firefox sends SHA-256 packets, which are not supported by Asterisk, hence support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
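The two defects described above (a fingerprint hash name read with a fixed "sha-1" width so that "sha-256" arrives as 'sha-2', and a "crypto negotiated" check that only counts SDES a=crypto lines and ignores a=fingerprint) can be shown together in a small standalone parser. The following is an added example written for this page; it is not Asterisk code and does not reproduce chan_sip.c's process_sdp_a_dtls or process_crypto. All function names (parse_fingerprint, negotiated_keying, crypto_check_ok, sample_offer_keying) and the sample SDP lines are constructed for the illustration. The hash name is read as a whitespace-delimited token and matched against the names registered for a=fingerprint in RFC 4572 / RFC 8122, and either keying mechanism satisfies the check.

```c
/* Added example (editor's, not Asterisk code): parse SDP media-level
 * attributes and decide whether keying material was negotiated, treating
 * either an SDES "a=crypto" line or a DTLS "a=fingerprint" line as valid.
 * The hash name is read as a bounded, whitespace-delimited token rather
 * than a fixed "sha-1"-sized field, so "sha-256" is not cut to "sha-2". */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum keying { KEYING_NONE = 0, KEYING_SDES = 1, KEYING_DTLS = 2 };

/* Hash names registered for a=fingerprint (RFC 4572 / RFC 8122). */
static const char *const known_hashes[] = {
    "sha-1", "sha-224", "sha-256", "sha-384", "sha-512", "md5", "md2", NULL
};

struct fingerprint {
    char hash[16];   /* e.g. "sha-256", lower-cased */
    char value[200]; /* colon-separated hex bytes, longest is sha-512 (191 chars) */
};

/* Parse "a=fingerprint:<hash> <hex:hex:...>".
 * Returns 1 on success, 0 if the line is not a fingerprint attribute,
 * -1 if the hash name is unknown or the value is not HH:HH:...:HH. */
int parse_fingerprint(const char *line, struct fingerprint *fp)
{
    static const char prefix[] = "a=fingerprint:";
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return 0;
    const char *p = line + sizeof(prefix) - 1;

    /* hash name: everything up to the first whitespace, case-insensitive */
    size_t n = 0;
    while (p[n] && !isspace((unsigned char)p[n])) n++;
    if (n == 0 || n >= sizeof(fp->hash)) return -1;
    for (size_t i = 0; i < n; i++) fp->hash[i] = (char)tolower((unsigned char)p[i]);
    fp->hash[n] = '\0';
    p += n;
    while (isspace((unsigned char)*p)) p++;

    /* value: pairs of hex digits separated by ':', trailing CR/LF ignored */
    size_t vlen = strlen(p);
    while (vlen && (p[vlen - 1] == '\r' || p[vlen - 1] == '\n')) vlen--;
    if (vlen == 0 || vlen >= sizeof(fp->value) || vlen % 3 != 2) return -1;
    for (size_t i = 0; i < vlen; i++) {
        if (i % 3 == 2) { if (p[i] != ':') return -1; }
        else if (!isxdigit((unsigned char)p[i])) return -1;
    }
    memcpy(fp->value, p, vlen);
    fp->value[vlen] = '\0';

    for (int i = 0; known_hashes[i]; i++)
        if (strcmp(fp->hash, known_hashes[i]) == 0) return 1;
    return -1; /* syntactically fine but an unregistered hash name */
}

/* Convenience wrapper: 1 if the line is a valid fingerprint with this hash. */
int fingerprint_hash_is(const char *line, const char *hash)
{
    struct fingerprint fp;
    return parse_fingerprint(line, &fp) == 1 && strcmp(fp.hash, hash) == 0;
}

/* Walk one media section's attribute lines; return a bitmask of the
 * keying mechanisms that were offered. */
int negotiated_keying(const char *const *lines, size_t count)
{
    int k = KEYING_NONE;
    struct fingerprint fp;
    for (size_t i = 0; i < count; i++) {
        if (strncmp(lines[i], "a=crypto:", 9) == 0) k |= KEYING_SDES;
        else if (parse_fingerprint(lines[i], &fp) == 1) k |= KEYING_DTLS;
    }
    return k;
}

/* The "ensure crypto lines are provided where necessary" step: when secure
 * media is required, either SDES or DTLS keying must have been offered. */
int crypto_check_ok(int keying, int secure_media_required)
{
    return !secure_media_required || keying != KEYING_NONE;
}

/* Constructed sample: a Firefox-style audio m-section with a DTLS
 * fingerprint and no a=crypto line (values are made up for this example). */
static const char *const sample_offer[] = {
    "m=audio 9 RTP/SAVPF 109 0 8",
    "a=ice-ufrag:constructed",
    "a=setup:actpass",
    "a=fingerprint:sha-256 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:"
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF",
    "a=rtpmap:109 opus/48000/2",
};

int sample_offer_keying(void)
{
    return negotiated_keying(sample_offer, sizeof(sample_offer) / sizeof(sample_offer[0]));
}

int main(void)
{
    struct fingerprint fp;
    int k = sample_offer_keying();
    printf("keying mask: %d (SDES=%d, DTLS=%d)\n", k, KEYING_SDES, KEYING_DTLS);
    printf("crypto check: %s\n", crypto_check_ok(k, 1) ? "ok" : "FAIL");
    if (parse_fingerprint(sample_offer[3], &fp) == 1)
        printf("fingerprint hash '%s' accepted\n", fp.hash);
    return 0;
}
```

Running it on the constructed offer yields a keying mask of 2 (DTLS only) and a passing crypto check; a line such as `a=fingerprint:sha-2 01:23` is rejected because "sha-2" is not a registered hash name, which is the same string the warning in the report shows after truncation.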

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira