[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

Juan Ramirez (JIRA) noreply at issues.asterisk.org
Wed Jun 4 13:09:59 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=219022#comment-219022 ] 

Juan Ramirez commented on ASTERISK-22961:
-----------------------------------------

@Agustí

The patch modified the function {{ast_rtp_dtls_get_fingerprint}}, which now returns the local fingerprint when making outbound calls.

The local fingerprint is initialized only if the peer is properly configured; the fingerprint is not created if there's no certificate associated with the peer being called.

Here is how I configured my WebRTC peer in order to be able to send and receive calls:

{noformat}
[3000]
type=peer
secret=1234
host=dynamic
context=webrtc_test
encryption=yes
transport=udp,ws,wss
icesupport=yes
avpf=yes
dtlsenable=yes
dtlsverify=no
dtlscertfile=/home/ichramm/devel/packages/asterisk/current/ssl_certificate/certs/crt.ca.pem
dtlsprivatekey=/home/ichramm/devel/packages/asterisk/current/ssl_certificate/private/key.ca.pem
dtlssetup=actpass
{noformat}

. . .
Can you confirm the following code is present in {{res_rtp_asterisk.c}}?

{noformat}
if (rtp->remote_fingerprint_type == AST_RTP_DTLS_HASH_NONE) {
	/* no remote fingerprint yet, which means we are the ones starting the communication */
	return rtp->local_fingerprint;
}
{noformat}

There's also a log in Asterisk, which is present if the fingerprint couldn't be obtained: {{No fingerprint was added to SDP, this may not work}}

Note: The new patch uploaded by @Lorenzo adds a new check there, which forces the user to request a SHA-256 fingerprint; this is the default, so there will be no problem with it.

. . . 

@Ximena:

Have you tried passing {{session->endpoint->media.rtp.dtls_cfg}} as a parameter? I'm not sure if it's going to work 'cause a lot has changed in Asterisk 12, but it's worth a try!


> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 11.7.0, 11.9.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk-11.9.0-dtls.diff, asterisk_dtls.patch, backtrace (1).txt, backtrace.txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, Patch_11.10-Fixed-DTLS-issues.patch, Patch_11.9_JayNitesh_corrected.patch, Patch 11.9.zip, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, Firefox sends SHA-256 packets which are not supported by Asterisk, so support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'



--
This message was sent by Atlassian JIRA
(v6.2#6252)
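An added example, not code from Asterisk or from anyone on this thread: a C parser for the SDP a=fingerprint attribute that reads the hash name up to the next space rather than for a fixed number of characters (a 5-character read of "sha-256" yields exactly the "sha-2" seen in the warning quoted above) and checks that the digest has the colon-separated hex length the named hash produces. The enum and function names are assumptions made for this example; only AST_RTP_DTLS_HASH_NONE is a name from the page.

```c
#include <ctype.h>
#include <string.h>

/* Outcome of parsing one SDP "a=fingerprint:" attribute. Only the NONE value
 * echoes a name quoted on the page (AST_RTP_DTLS_HASH_NONE); the rest are
 * names chosen for this example. */
enum fp_hash { FP_HASH_NONE = 0, FP_HASH_SHA1, FP_HASH_SHA256,
               FP_HASH_UNSUPPORTED, FP_HASH_MALFORMED };

/* Parse "a=fingerprint:<hash-func> <HEX:HEX:...>" (RFC 4572 syntax). The hash
 * name is read up to the next space and compared case-insensitively; the
 * digest must then be exactly the colon-separated hex length that hash
 * produces (20 bytes for sha-1, 32 for sha-256). On success it is copied to out. */
enum fp_hash parse_sdp_fingerprint(const char *line, char *out, size_t outlen)
{
    static const char prefix[] = "a=fingerprint:";
    char hash[32];
    size_t n = 0, i, digest;
    enum fp_hash type;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return FP_HASH_NONE;                 /* some other attribute line */
    line += sizeof(prefix) - 1;
    while (*line == ' ') line++;
    while (*line && *line != ' ' && n < sizeof(hash) - 1)
        hash[n++] = (char)tolower((unsigned char)*line++);
    hash[n] = '\0';
    if (*line != ' ')
        return FP_HASH_MALFORMED;            /* overlong name or no digest */
    while (*line == ' ') line++;
    if (!strcmp(hash, "sha-1")) {
        type = FP_HASH_SHA1;   digest = 20;
    } else if (!strcmp(hash, "sha-256")) {
        type = FP_HASH_SHA256; digest = 32;
    } else {
        return FP_HASH_UNSUPPORTED;          /* e.g. md5: reject, never truncate */
    }
    /* Expect digest*2 hex digits with ':' after every byte but the last, then
     * end of line; anything shorter, longer or non-hex is rejected. */
    for (i = 0; i < digest * 3 - 1; i++) {
        int colon = (i % 3 == 2);
        if (colon ? line[i] != ':' : !isxdigit((unsigned char)line[i]))
            return FP_HASH_MALFORMED;
    }
    if ((line[i] != '\0' && line[i] != '\r' && line[i] != '\n') || i >= outlen)
        return FP_HASH_MALFORMED;
    memcpy(out, line, i);
    out[i] = '\0';
    return type;
}
```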
