[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256
JoshE (JIRA)
noreply at issues.asterisk.org
Fri Jun 20 11:19:00 CDT 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=219700#comment-219700 ]
JoshE commented on ASTERISK-22961:
----------------------------------
A couple of things are still broken with the code, which I have ported to 11.10.2 with only minor adjustments to the patch. Placing a call on hold fails, with the following:
-- dtls_info_callback: read, where=16388, ret=256
-- >> SSLOK , W, CN
[2014-06-19 17:48:11] ERROR[32519][C-00000070]: res_rtp_asterisk.c:1991 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f00d8168368', terminating
Additionally, there is a crash path. It occurs when faxdetect is set to yes globally and you make an outbound call of any sort that reaches a fax machine. The crash is here:
#0 0x00007f269c7ca417 in dtls_srtp_check_pending (instance=0x7f26f007fb68, rtp=0x7f26f0016b10) at res_rtp_asterisk.c:1718
1718 pending = BIO_ctrl_pending(rtp->rtcp->write_bio);
#0 0x00007f269c7ca417 in dtls_srtp_check_pending (instance=0x7f26f007fb68, rtp=0x7f26f0016b10) at res_rtp_asterisk.c:1718
pending = 0
__PRETTY_FUNCTION__ = "dtls_srtp_check_pending"
#1 0x00007f269c7caf17 in __rtp_recvfrom (instance=0x7f26f007fb68, buf=0x7f26f0016cc8, size=8192, flags=0, sa=0x7f26953cfbc0, rtcp=0) at res_rtp_asterisk.c:1923
len = 172
rtp = 0x7f26f0016b10
srtp = 0x0
in = 0x7f26f0016cc8 "\200"
__PRETTY_FUNCTION__ = "__rtp_recvfrom"
A temporary workaround, at least, is to put a check for rtp->rtcp == 0 in dtls_srtp_check_pending.
Hope that helps a little bit.
> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
> Key: ASTERISK-22961
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
> Affects Versions: 11.6.0, 11.7.0, 11.9.0, 12.0.0-beta2
> Reporter: Jay Jideliov
> Assignee: Joshua Colp
> Attachments: 11.7 patched.zip, asterisk-11.10.0-dtls.patch, asterisk-11.9.0-dtls.diff, asterisk_dtls.patch, backtrace (1).txt, backtrace.txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, Patch 11.9.zip, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without the proxy that was previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested with Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, because Firefox sends SHA-256 packets, which are not supported by asterisk, support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
--
This message was sent by Atlassian JIRA
(v6.2#6252)
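As an added illustration of what accepting the SHA-256 fingerprint that Firefox offers involves (example code written for this thread, not Asterisk's process_sdp_a_dtls() or any of the attached patches): a small parser for the SDP a=fingerprint: attribute that matches the whole hash-name token and checks the hex digest against the length that hash produces, so "sha-256" is recognised while a truncated "sha-2" token or a wrongly sized digest is refused. Type and function names are my own.

```c
#include <ctype.h>
#include <string.h>
/* Illustrative parser for an SDP "a=fingerprint:" attribute from a DTLS-SRTP
 * offer (RFC 4572 / RFC 8122). Example code, not Asterisk's process_sdp_a_dtls(). */
enum fp_hash { FP_UNKNOWN = 0, FP_SHA1 = 1, FP_SHA256 = 2 };
enum { FP_ERR_UNSUPPORTED = -1, FP_ERR_MALFORMED = -2 };
struct fingerprint { enum fp_hash hash; size_t len; unsigned char digest[32]; };
static const struct { const char *name; enum fp_hash hash; size_t len; } hashes[] = {
    { "sha-1", FP_SHA1, 20 }, { "sha-256", FP_SHA256, 32 },
};
static int hexval(int c)
{
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Match the whole hash-name token case-insensitively and require exactly the digest
 * length that hash produces. Returns the hash kind (> 0), else an FP_ERR_* code. */
int parse_fingerprint(const char *line, struct fingerprint *out)
{
    const char *p = line, *sp;
    char name[16]; size_t i, namelen;
    memset(out, 0, sizeof(*out));
    if (strncmp(p, "a=fingerprint:", 14) == 0) p += 14;    /* attribute prefix is optional here */
    if (!(sp = strchr(p, ' '))) return FP_ERR_MALFORMED;
    namelen = (size_t)(sp - p);
    if (namelen == 0 || namelen >= sizeof(name)) return FP_ERR_UNSUPPORTED;
    for (i = 0; i < namelen; i++) name[i] = (char)tolower((unsigned char)p[i]);
    name[namelen] = '\0';
    for (i = 0; i < sizeof(hashes) / sizeof(hashes[0]); i++)
        if (strcmp(name, hashes[i].name) == 0) { out->hash = hashes[i].hash; out->len = hashes[i].len; }
    if (out->hash == FP_UNKNOWN) return FP_ERR_UNSUPPORTED;   /* e.g. a truncated "sha-2" */
    p = sp + 1;
    for (i = 0; i < out->len; i++) {
        int hi = hexval((unsigned char)p[0]), lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
        if (hi < 0 || lo < 0) return FP_ERR_MALFORMED;        /* too short, or not hex */
        out->digest[i] = (unsigned char)((hi << 4) | lo);
        p += 2;
        if (i + 1 < out->len && *p++ != ':') return FP_ERR_MALFORMED;
    }
    while (*p == '\r' || *p == '\n') p++;
    return *p ? FP_ERR_MALFORMED : (int)out->hash;             /* leftover data = too long */
}
/* Digest byte idx of a parsed line, or -1 on failure. */
int fingerprint_byte(const char *line, size_t idx)
{
    struct fingerprint fp;
    return (parse_fingerprint(line, &fp) < 0 || idx >= fp.len) ? -1 : fp.digest[idx];
}
```

The digest values in the checks below are constructed samples, not fingerprints from any real certificate.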