[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Jay Jideliov (JIRA) noreply at issues.asterisk.org
Mon Feb 24 17:26:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215614#comment-215614 ] 

Jay Jideliov edited comment on ASTERISK-22961 at 2/24/14 5:25 PM:
------------------------------------------------------------------

Nitesh,

Was the JS hack you've implemented a solution to the incoming call issue? What I currently get is a failure to get local SDP on incoming calls (and the call fails).

Since we are using DTLS (not SDES), the key exchange as far as I understand is done via a=fingerprint, not a=crypto. So from Chrome to Asterisk it is behaving as expected, but it sends the wrong packets from Asterisk to the receiving side:
a=fingerprint:sha-256 40:30:A2:FD:C4:C8:CF:44:FB:7F:3C:4A:34:B2:08:25:CC:27:C7:78:16:8B:3D:34:5B:31:A5:28:3A:16:A0:FF


I have seen the issue of incoming calls in a number of topics and issues, so I am trying to get to the bottom of it at last.


Here is what I have in SIPML5:

{code:title=SRTP|borderStyle=solid}
// HACK: Nightly 20.0a1 uses RTP/SAVPF for DTLS-SRTP which is not correct.
// More info at https://bugzilla.mozilla.org/show_bug.cgi?id=827932.
if (tmedia_session_jsep01.mozThis) {
    if (o_hdr_M.s_proto == "RTP/SAVPF") {
        o_hdr_M.s_proto = "UDP/TLS/RTP/SAVPF";
    }
}
{code}

Thanks.

was (Author: jideliov):

Nitesh,

Was the JS hack you've implemented a solution to the incoming call issue? What I currently get is a failure to get local SDP on incoming calls (and the call fails).

Since we are using DTLS (not SDES), the key exchange as far as I understand is done via a=fingerprint, not a=crypto. So from Chrome to Asterisk it is behaving as expected, but it sends the wrong packets from Asterisk to the receiving side:
a=fingerprint:sha-256 40:30:A2:FD:C4:C8:CF:44:FB:7F:3C:4A:34:B2:08:25:CC:27:C7:78:16:8B:3D:34:5B:31:A5:28:3A:16:A0:FF


I have seen the issue of incoming calls in a number of topics and issues, so I am trying to get to the bottom of it at last.


Here is what I have in SIPML5:

{code:title=Bar.javascript|borderStyle=solid}
// Walk every m= line of the remote SDP and fix up its transport profile.
while ((b = this.o_sdp_ro.get_header_at(tsdp_header_type_e.M, g++))) {
    // Non-Firefox: if an a=crypto attribute is present, force RTP/SAVPF.
    if (!tmedia_session_jsep01.mozThis && b.s_proto.indexOf("SAVP") < 0) {
        for (d = 0; d < b.ao_hdr_A.length; ++d) {
            if (b.ao_hdr_A[d].s_field == "crypto") {
                b.s_proto = "RTP/SAVPF";
                break;
            }
        }
    }
    if (!tmedia_session_jsep01.mozThis && b.s_proto.indexOf("SAVP") < 0) {
        d = 0;
        while ((e = f(this.o_sdp_ro, b.s_media, "crypto", d++))) {
            h(e);
            b.s_proto = "RTP/SAVPF";
        }
    }
    // Firefox: a=fingerprint (with a=setup / a=connection) means DTLS-SRTP.
    if (tmedia_session_jsep01.mozThis && b.s_proto.indexOf("SAVP") < 0) {
        if ((e = f(this.o_sdp_ro, b.s_media, "fingerprint", 0))) {
            h(e);
            if ((e = f(this.o_sdp_ro, b.s_media, "setup", 0))) {
                h(e);
            }
            if ((e = f(this.o_sdp_ro, b.s_media, "connection", 0))) {
                h(e);
            }
            b.s_proto = "UDP/TLS/RTP/SAVP";
        }
    }
    // Firefox: rewrite the DTLS-SRTP profile back to RTP/SAVPF.
    if (tmedia_session_jsep01.mozThis && b.s_proto.indexOf("UDP/TLS/RTP/SAVP") != -1) {
        b.s_proto = "RTP/SAVPF";
    }
}
{code}

Thanks.

                  
> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk_dtls.patch, chan_sip.c, ice_session.c, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, because Firefox sends SHA-256 packets which are not supported by Asterisk, the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
