[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Lorenzo Miniero (JIRA) noreply at issues.asterisk.org
Tue Jun 3 04:24:02 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218879#comment-218879 ] 

Lorenzo Miniero edited comment on ASTERISK-22961 at 6/3/14 4:23 AM:
--------------------------------------------------------------------

Hi,

I'm attaching a further patch (called asterisk-11.9.0-dtls.diff, listed above) along to those which have been submitted these latest few days. Andrea Suisani and I have worked on it within the framework of a collaboration among us, and this patch mostly includes the original DTLS fixes by Nitesh and me, plus the tsrtp issue someone mentioned before and some extras that were needed in order to get it working with outbound calls (or, in a few cases, working at all).

Specifically, as jag also already pointed out, we had to fix the ast_rtp_dtls_get_fingerprint method, as it would return NULL in case of outgoing calls. We also had to fix a problem in parsing DTLS, which not always resulted in a crypto context to be detected, thus occasionally leading to call failure. To make things easier and avoid JavaScript mangling, we replaced UDP/TLS/RTP/SAVPF with the RTP/SAVPF browsers expect: controversial choice, but it helped us move along.

The patch also includes the ASTERISK-23026 fix (https://issues.asterisk.org/jira/browse/ASTERISK-23026) as we noticed that from time to time (often, actually), there would be no audio in DTLS-SRTP calls. We found out the problem to be with ICE, actually, and specifically in a conflict between Asterisk and browsers on CONTROLLING/CONTROLLED roles. That patch forces a specific behaviour and so has not been completely accepted in that discussion, but it fixed the problem for us and so we thought we'd integrate it as well.

That said, this patch is obviously not meant to be considered for integration within the Asterisk main code as it is, but rather as a testbed for people to play with. Feedback on whether or not it works for people would definitely help find a concrete solution to the Asterisk DTLS issues. We have been trying this in the field (and in some production environments as well) and it seems to work fine, although we experienced some occasional force closes within the DTLS code that we wanted to investigate: more testing from people interested in the functionality would definitely help making this investigation easier.

Hope this helps!


was (Author: lminiero):
Hi,

I'm attaching a further patch along to those which have been submitted these latest few days. Andrea Suisani and I have worked on it within the framework of a collaboration among us, and this patch mostly includes the original DTLS fixes by Nitesh and me, plus the tsrtp issue someone mentioned before and some extras that were needed in order to get it working with outbound calls (or, in a few cases, working at all).

Specifically, as jag also already pointed out, we had to fix the ast_rtp_dtls_get_fingerprint method, as it would return NULL in case of outgoing calls. We also had to fix a problem in parsing DTLS, which not always resulted in a crypto context to be detected, thus occasionally leading to call failure. To make things easier and avoid JavaScript mangling, we replaced UDP/TLS/RTP/SAVPF with the RTP/SAVPF browsers expect: controversial choice, but it helped us move along.

The patch also includes the ASTERISK-23026 fix (https://issues.asterisk.org/jira/browse/ASTERISK-23026) as we noticed that from time to time (often, actually), there would be no audio in DTLS-SRTP calls. We found out the problem to be with ICE, actually, and specifically in a conflict between Asterisk and browsers on CONTROLLING/CONTROLLED roles. That patch forces a specific behaviour and so has not been completely accepted in that discussion, but it fixed the problem for us and so we thought we'd integrate it as well.

That said, this patch is obviously not meant to be considered for integration within the Asterisk main code as it is, but rather as a testbed for people to play with. Feedback on whether or not it works for people would definitely help find a concrete solution to the Asterisk DTLS issues. We have been trying this in the field (and in some production environments as well) and it seems to work fine, although we experienced some occasional force closes within the DTLS code that we wanted to investigate: more testing from people interested in the functionality would definitely help making this investigation easier.

Hope this helps!

> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 11.7.0, 11.9.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk-11.9.0-dtls.diff, asterisk_dtls.patch, backtrace (1).txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, Patch_11.10-Fixed-DTLS-issues.patch, Patch_11.9_JayNitesh_corrected.patch, Patch 11.9.zip, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, due to the fact that Firefox sends SHA-256 packets which are not supported by asterisk, hence the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list