[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

NITESH BANSAL (JIRA) noreply at issues.asterisk.org
Thu Dec 19 09:35:03 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=213154#comment-213154 ] 

NITESH BANSAL commented on ASTERISK-22961:
------------------------------------------

Hi Lorenzo,
Could you please clarify the question I raised to Matt in a comment above. I'll paste my question again:
------
Hi Matt,
You pointed out that there is a bug related to the sequence of steps in the DTLS handshake; I did not really understand what bug you are talking about here. If you could
provide some more insight, it would be really helpful for me, as I am trying to write a patch for Asterisk 11.4.

Lorenzo's explanation
"I then had to make sure the proper sequence of steps was followed, that is 1. ICE complete, 2. DTLS handshake, 3. media. In the Asterisk code I had this was not respected, and so you could see media being sent before, for instance, the DTLS handshake was completed, thus possibly confusing the browser on the other side. To do so I added some flags to the RTP/RTCP sessions, and a callback that is part of the PJNATH API to know when ICE is done."
Your comment on it
"Arguably, this is a bug. If you could extract this portion out of the SHA-256 work, I think we could treat it as such for Asterisk 11."
----
I would like to know why it is a bug.

Regards,
Nitesh Bansal
                
> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: asterisk_dtls.patch, chan_sip.c, ice_session.c, res_rtp_asterisk.c, res_rtp_asterisk.c
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, Firefox sends SHA-256 fingerprints, which are not supported by Asterisk, so support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
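As an added illustration (not code from this issue or from Asterisk), the following parses an SDP `a=fingerprint:` attribute with any RFC 4572 hash-function name, including the `sha-256` that the warning above shows being rejected, and checks it against the certificate presented in the DTLS handshake. The certificate bytes are a constructed placeholder, not a real DER certificate.

```python
"""Parse and verify an SDP a=fingerprint attribute (RFC 4572) for DTLS-SRTP,
accepting every registered hash function rather than only sha-1."""
import hashlib
import hmac
import re

# Hash-function names as they appear in a=fingerprint, mapped to hashlib names.
FINGERPRINT_HASHES = {
    "sha-1": "sha1",
    "sha-224": "sha224",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
    "md5": "md5",
}

# Full token for the hash name: truncating it (e.g. to 'sha-2') breaks sha-256.
_FP_RE = re.compile(
    r"^a=fingerprint:\s*([A-Za-z0-9-]+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$")


def parse_fingerprint(line):
    """Return (hash_name, digest_bytes); raise ValueError on unsupported or malformed input."""
    m = _FP_RE.match(line.strip())
    if not m:
        raise ValueError("malformed fingerprint attribute")
    name = m.group(1).lower()
    if name not in FINGERPRINT_HASHES:
        raise ValueError("unsupported fingerprint hash type '%s'" % name)
    digest = bytes.fromhex(m.group(2).replace(":", ""))
    if len(digest) != hashlib.new(FINGERPRINT_HASHES[name]).digest_size:
        raise ValueError("fingerprint length does not match %s" % name)
    return name, digest


def fingerprint_matches(line, cert_der):
    """True if the DER certificate from the DTLS handshake hashes to the SDP fingerprint."""
    name, digest = parse_fingerprint(line)
    actual = hashlib.new(FINGERPRINT_HASHES[name], cert_der).digest()
    return hmac.compare_digest(actual, digest)  # constant-time comparison


def make_fingerprint_line(name, cert_der):
    """Build the a=fingerprint line advertising our own certificate in the SDP."""
    hexdigest = hashlib.new(FINGERPRINT_HASHES[name], cert_der).hexdigest().upper()
    pairs = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return "a=fingerprint:%s %s" % (name, pairs)


# Constructed stand-in for a peer's DER-encoded certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-der-certificate-bytes-for-demo"
```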

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira