[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

JoshE (JIRA) noreply at issues.asterisk.org
Tue May 27 18:27:45 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218519#comment-218519 ] 

JoshE commented on ASTERISK-22961:
----------------------------------

So there are a few misconceptions here.

First, the original patch *does* apply against Asterisk 11.6-11.9.  To patch cleanly, it requires that you have the Opus patches already applied to Asterisk.  Obviously, this can't be done for a production merge of the code, but it does work if you're trying to build off your own source tree.  IIRC, there may have been one manual adjustment to the patch, but it was extremely minor.

In addition, if you're using sipml5, you are definitely going to have to patch it in a few places, due mostly to issues with Chrome and Firefox on interpretation of the standards.

Thomas is also correct that an a=fingerprint modification is required for incoming SDP to the browser, as well as the "actpass" setting for DTLS.  Once I got this all in, everything worked normally for me.

However: there are a number of big stability issues with this patch when used at scale.  Seeing very frequent crashes in res_rtp_asterisk.c.

> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk_dtls.patch, backtrace (1).txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, since Firefox sends SHA-256 packets which are not supported by asterisk, the support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'



--
This message was sent by Atlassian JIRA
(v6.2#6252)
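The warning quoted in the report shows the offered hash type arriving at chan_sip as 'sha-2' rather than 'sha-256', so the parser never gets as far as comparing the fingerprint. The following is an added C example, not Asterisk's code and not any of the attached patches: it parses an SDP a=fingerprint attribute the way RFC 4572 defines it (hash-func token of any length, then colon-separated hex octets), accepts sha-256 alongside sha-1 and the other registered names, checks that the digest has the length that hash produces, and compares it in constant time against a digest computed over the peer's DTLS certificate (computed elsewhere; passed in). The sample lines and digests are constructed, not taken from a capture. `truncated_hash_type` shows what a fixed five-character read makes of the token; that this is how the 'sha-2' in the log came about is an assumption, not something the thread states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hash functions permitted in a=fingerprint (RFC 4572) and the digest size
 * each produces, so the digest length is validated along with the name. */
static const struct { const char *name; size_t digest_bytes; } fp_hashes[] = {
    { "sha-1", 20 }, { "sha-224", 28 }, { "sha-256", 32 },
    { "sha-384", 48 }, { "sha-512", 64 }, { "md5", 16 }, { "md2", 16 },
};

enum fp_result { FP_OK = 0, FP_BAD_SYNTAX, FP_UNSUPPORTED_HASH, FP_BAD_DIGEST };

/* Constructed sample attribute lines and the digest the sha-1 line encodes. */
static const char SAMPLE_SHA256[] =
    "a=fingerprint:sha-256 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:"
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF";
static const char SAMPLE_SHA1[] =
    "a=fingerprint:sha-1 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67";
static const unsigned char SAMPLE_SHA1_DIGEST[20] = {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23,
    0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67 };

/* Parse "a=fingerprint:<hash-func> <hex>:<hex>:...". The hash-func token is
 * read up to the first space, whatever its length, lower-cased and matched
 * against the table; the digest must decode to exactly that hash's size. */
enum fp_result parse_sdp_fingerprint(const char *line, char *hash_out, size_t hash_cap,
                                     unsigned char *digest_out, size_t digest_cap,
                                     size_t *digest_len)
{
    static const char prefix[] = "a=fingerprint:";
    const size_t *expected = NULL;
    const char *p, *sp;
    size_t i, n, count = 0;

    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return FP_BAD_SYNTAX;
    p = line + sizeof prefix - 1;
    while (*p == ' ') p++;
    sp = strchr(p, ' ');
    if (!sp || (n = (size_t)(sp - p)) == 0 || n + 1 > hash_cap)
        return FP_BAD_SYNTAX;
    for (i = 0; i < n; i++)
        hash_out[i] = (char)tolower((unsigned char)p[i]);
    hash_out[n] = '\0';

    for (i = 0; i < sizeof fp_hashes / sizeof fp_hashes[0]; i++)
        if (strcmp(hash_out, fp_hashes[i].name) == 0)
            expected = &fp_hashes[i].digest_bytes;
    if (!expected)
        return FP_UNSUPPORTED_HASH;

    p = sp;
    while (*p == ' ') p++;
    for (;;) {
        unsigned int byte;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) ||
            count >= digest_cap || sscanf(p, "%2x", &byte) != 1)
            return FP_BAD_DIGEST;
        digest_out[count++] = (unsigned char)byte;
        p += 2;
        if (*p != ':')
            break;
        p++;
    }
    while (*p == ' ' || *p == '\r' || *p == '\n') p++;
    if (*p != '\0' || count != *expected)
        return FP_BAD_DIGEST;
    *digest_len = count;
    return FP_OK;
}

/* Outcome only, for a caller that logs the reason and rejects the offer. */
enum fp_result fingerprint_status(const char *line)
{
    char hash[16];
    unsigned char digest[64];
    size_t len;
    return parse_sdp_fingerprint(line, hash, sizeof hash, digest, sizeof digest, &len);
}

/* Constant-time comparison of the offered fingerprint with the digest of the
 * certificate the peer actually presented in the DTLS handshake. */
int fingerprint_matches(const char *line, const unsigned char *cert_digest, size_t cert_len)
{
    char hash[16];
    unsigned char digest[64];
    unsigned char diff = 0;
    size_t len, i;
    if (parse_sdp_fingerprint(line, hash, sizeof hash, digest, sizeof digest, &len) != FP_OK
        || len != cert_len)
        return 0;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(digest[i] ^ cert_digest[i]);
    return diff == 0;
}

/* What a fixed five-character read ("%5s") makes of the hash-func token.
 * Assumption: this is one way 'sha-256' turns into the 'sha-2' of the log. */
const char *truncated_hash_type(const char *line)
{
    static char out[6];
    out[0] = '\0';
    sscanf(line, "a=fingerprint:%5s", out);
    return out;
}

int main(void)
{
    printf("sha-256 offer: %d (0 = FP_OK)\n", (int)fingerprint_status(SAMPLE_SHA256));
    printf("sha-1 offer:   %d\n", (int)fingerprint_status(SAMPLE_SHA1));
    printf("sha-1 matches certificate digest: %d\n",
           fingerprint_matches(SAMPLE_SHA1, SAMPLE_SHA1_DIGEST, sizeof SAMPLE_SHA1_DIGEST));
    printf("%%5s read of the sha-256 token gives '%s'\n", truncated_hash_type(SAMPLE_SHA256));
    return 0;
}
```

A rejected offer should be logged with the full token and the dialog id, as the quoted warning does, since a mismatch between offered and presented fingerprints is exactly the case DTLS-SRTP exists to catch; a parser that silently downgrades or skips the check would remove that protection.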


