[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Juan Ramirez (JIRA) noreply at issues.asterisk.org
Tue Jun 3 16:01:56 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218965#comment-218965 ] 

Juan Ramirez edited comment on ASTERISK-22961 at 6/3/14 4:00 PM:
-----------------------------------------------------------------

@Agustí:
The patch removes the variable {{anonymous_string}}, maybe the patch failed somewhere, I believe removing the usage here should be enough, look:

{noformat}
 	struct ast_party_id connected_id;
-	const char *anonymous_string = "\"Anonymous\" <sip:anonymous at anonymous.invalid>";
...
...
-			/* trust_id_outbound = legacy - behave in a non RFC-3325 compliant manner and send anonymized data when
-			 * when handling private data. */
-			if ((lid_pres & AST_PRES_RESTRICTION) == AST_PRES_ALLOWED) {
-				ast_str_set(&tmp, -1, "\"%s\" <sip:%s@%s>", lid_name, lid_num, fromdomain);
-			} else {
-				ast_str_set(&tmp, -1, "%s", anonymous_string);
-			}
-		}
-		add_header(req, "P-Asserted-Identity", ast_str_buffer(tmp));
-	} else {
{noformat}

@Andrea:

@Lorenzo and @Andrea: Thank you very much for your efforts, I was having the no audio issue from time to time but couldn't figure out what was going on..

Can you isolate the changes you made in order to fix the ICE negotiation problem? I took a peek in the other issue and found only this:

{noformat}
@@ -1861,7 +2439,7 @@
 	passwd = pj_str(rtp->local_passwd);
 
 	/* Create an ICE session for ICE negotiation */
-	if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_UNKNOWN, 2,
+	if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_CONTROLLING, 2,
 			&ast_rtp_ice_sess_cb, &ufrag, &passwd, &rtp->ice) == PJ_SUCCESS) {
 		/* Make this available for the callbacks */
 		rtp->ice->user_data = rtp;
@@ -1973,7 +2551,14 @@
{noformat}

Is that enough?

BTW, answering @Andrea's question, I'm using openssl 1.0.1.g and had no segfaults so far (only tested a few calls anyway)

Juan



was (Author: ichramm):
@Agustí:
The patch removes the variable {{anonymous_string}}, maybe the patch failed somewhere, I believe removing the usage here should be enough, look:

{noformat}
 	struct ast_party_id connected_id;
-	const char *anonymous_string = "\"Anonymous\" <sip:anonymous at anonymous.invalid>";
...
...
-			/* trust_id_outbound = legacy - behave in a non RFC-3325 compliant manner and send anonymized data when
-			 * when handling private data. */
-			if ((lid_pres & AST_PRES_RESTRICTION) == AST_PRES_ALLOWED) {
-				ast_str_set(&tmp, -1, "\"%s\" <sip:%s@%s>", lid_name, lid_num, fromdomain);
-			} else {
-				ast_str_set(&tmp, -1, "%s", anonymous_string);
-			}
-		}
-		add_header(req, "P-Asserted-Identity", ast_str_buffer(tmp));
-	} else {
{noformat}

@Andrea:

@Lorenzo and @Andrea: Thank you very much for your efforts, I was having the no audio issue from time to time but couldn't figure out what was going on..

Can you isolate the changes you made in order to fix the ICE negotiation problem? I took a peek in the other issue and found only this:

{noformat}
@@ -1861,7 +2439,7 @@
 	passwd = pj_str(rtp->local_passwd);
 
 	/* Create an ICE session for ICE negotiation */
-	if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_UNKNOWN, 2,
+	if (pj_ice_sess_create(&stun_config, NULL, PJ_ICE_SESS_ROLE_CONTROLLING, 2,
 			&ast_rtp_ice_sess_cb, &ufrag, &passwd, &rtp->ice) == PJ_SUCCESS) {
 		/* Make this available for the callbacks */
 		rtp->ice->user_data = rtp;
@@ -1973,7 +2551,14 @@
{noformat}

Is that enough?

BTW, answering @Andrea's question, I'm using openssl 1.0.1 and had no segfaults so far (only tested a few calls anyway)

Juan


> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 11.7.0, 11.9.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk-11.9.0-dtls.diff, asterisk_dtls.patch, backtrace (1).txt, backtrace.txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, Patch_11.10-Fixed-DTLS-issues.patch, Patch_11.9_JayNitesh_corrected.patch, Patch 11.9.zip, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, due to the fact that Firefox sends SHA-256 packets which are not supported by asterisk, hence the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list