[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Juan Ramirez (JIRA) noreply at issues.asterisk.org
Mon Jun 2 18:52:56 CDT 2014 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Ramirez updated ASTERISK-22961:
------------------------------------

    Attachment: Patch_11.10-Fixed-DTLS-issues.patch

Ok, the attached patch should fix the problem with the WebRTC peers not being able to receive calls.

This patch contains all the modifications of the previous one, and it's based on Asterisk 11.10.

I modified the function {{ast_rtp_dtls_get_fingerprint}} in order to return the local one when the remote fingerprint is not set already.

Note that, besides {{dtlscertfile}} and {{dtlsprivatekey}} (which must both point to the corresponding files), *{{dtlssetup = actpass}}* must be set in the peer in order to prevent sipml5 from rejecting the call.


> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 11.7.0, 11.9.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk_dtls.patch, backtrace (1).txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, Patch_11.10-Fixed-DTLS-issues.patch, Patch_11.9_JayNitesh_corrected.patch, Patch 11.9.zip, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, due to the fact that Firefox sends SHA-256 packets which are not supported by asterisk, hence the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list