[asterisk-bugs] [JIRA] (ASTERISK-22961) [patch] DTLS-SRTP not working with SHA-256

SirLouen (JIRA) noreply at issues.asterisk.org
Wed May 28 14:30:44 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218552#comment-218552 ] 

SirLouen edited comment on ASTERISK-22961 at 5/28/14 2:29 PM:
--------------------------------------------------------------

@NITESH BANSAL, I applied the patch to a clean 11.4.0 and found 1 error, any suggestions?
patching file res/res_rtp_asterisk.c
Hunk #1 succeeded at 123 (offset -2 lines).
Hunk #2 succeeded at 264 (offset -4 lines).
Hunk #3 succeeded at 289 (offset -4 lines).
Hunk #4 FAILED at 362.

I see in the code /* VP8: sequence number for the RTCP FIR FCI */
Are you applying a patch before? Meetecho's Opus/VP8 or something like this?

EDIT: Ok, applying patch ASTERISK-21981
EDIT2: After applying the patch:
---> INVITE
<--- INVITE 401
---> ACK
----> INVITE
<---- INVITE 488

[May 28 13:15:15] WARNING[22982][C-00000002]: chan_sip.c:10445 process_sdp: Processed DTLS [FALSE]
[May 28 13:15:15] WARNING[22982][C-00000002]: chan_sip.c:10447 process_sdp: Rejecting secure audio stream without encryption details: audio 53955 UDP/TLS/RTP/SAVPF 111 103 104 0 8 106 105 13 126

<--- Reliably Transmitting (no NAT) to my_ip:5060 --->
SIP/2.0 488 Not acceptable here

EDIT3: Ok, found the problem. I was putting the DTLS sip.conf configurations in the [general] tab instead of the concrete peer.

Now a new error:
[May 28 15:20:42] ERROR[23967][C-00000000]: res_rtp_asterisk.c:800 ast_rtp_dtls_set_configuration: Specified private key file '/etc/asterisk/keys/asterisk.pem' for RTP instance '0x7f3ccc020718' could not be used
[May 28 15:20:42] ERROR[23967][C-00000000]: chan_sip.c:5851 dialog_initialize_dtls_srtp: Attempted to set an invalid DTLS-SRTP configuration on RTP instance '0x7f3ccc020718'

I used the ast_tls_cert script to generate the certs as explained here
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial


was (Author: sirlouen):
@NITESH BANSAL, I applied the patch to a clean 11.4.0 and found 1 error, any suggestions?
patching file res/res_rtp_asterisk.c
Hunk #1 succeeded at 123 (offset -2 lines).
Hunk #2 succeeded at 264 (offset -4 lines).
Hunk #3 succeeded at 289 (offset -4 lines).
Hunk #4 FAILED at 362.

I see in the code /* VP8: sequence number for the RTCP FIR FCI */
Are you applying a patch before? Meetecho's Opus/VP8 or something like this?

EDIT: Ok, applying patch ASTERISK-21981
EDIT2: After applying the patch:
---> INVITE
<--- INVITE 401
---> ACK
----> INVITE
<---- INVITE 488

[May 28 13:15:15] WARNING[22982][C-00000002]: chan_sip.c:10445 process_sdp: Processed DTLS [FALSE]
[May 28 13:15:15] WARNING[22982][C-00000002]: chan_sip.c:10447 process_sdp: Rejecting secure audio stream without encryption details: audio 53955 UDP/TLS/RTP/SAVPF 111 103 104 0 8 106 105 13 126

<--- Reliably Transmitting (no NAT) to my_ip:5060 --->
SIP/2.0 488 Not acceptable here

What might be happening? I have my self-signed server with 
dtlsenable = yes
dtlsverify = no
dtlscipher = ALL
dtlscertfile = /root/myca/certs/crt.server1.pem
dtlsprivatekey = /root/myca/private/key.ca.cg.pem 
dtlscafile = /root/myca/certs/crt.ca.cg.pem
dtlscapath = /root/myca/certs
dtlssetup = passive

The other sip.conf configuration was exactly the same before when I was using SDES successfully in Chrome

> [patch] DTLS-SRTP not working with SHA-256
> ------------------------------------------
>
>                 Key: ASTERISK-22961
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22961
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/SRTP, Channels/chan_sip/WebSocket
>    Affects Versions: 11.6.0, 12.0.0-beta2
>            Reporter: Jay Jideliov
>         Attachments: 11.7 patched.zip, asterisk_dtls.patch, backtrace (1).txt, chan_sip.c, dtls_retransmission.patch, ice_session.c, jssip no ring.txt, res_rtp_asterisk.c, res_rtp_asterisk.c, srtp_dtls.patch, srtp_dtls.patch, srtp_dtls.patch, wireshark.txt
>
>
> Recently it became possible to use websocket on asterisk without a proxy previously necessary to make calls from the web browser. Although partial support has been added, full browser cross-operability has not been achieved yet. However, it seems to be a relatively easy task.
> Tested on Chrome+SIPML5+Asterisk 11, the connection can be established and works fine. However, Firefox sends SHA-256 packets, which are not supported by Asterisk, so support for this browser is limited by this issue.
> Step 1: Adding certificates to support DTLS
> dtlsenable = yes
> dtlsverify = no
> dtlscertfile=/etc/asterisk/keys/softphone.pem
> dtlsprivatekey=/etc/asterisk/keys/key.pem
> dtlscafile=/etc/asterisk/keys/key.pem
> Step 2: Making a call
> [Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'
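The warning quoted in the issue comes from the SDP `a=fingerprint:` check: in DTLS-SRTP the certificate offered during the DTLS handshake is bound to the SIP signaling by hashing the DER certificate with the algorithm named in the fingerprint attribute and comparing it with the advertised value, so an endpoint that does not recognise the hash name (here `sha-256`, logged as `sha-2`) cannot complete that check. The following is an added example, not Asterisk code, that parses the attribute against the hash names registered for it, computes the certificate fingerprint, and does a constant-time comparison; the "certificate" bytes are a constructed placeholder, and the function names are the example's own.

```python
"""SDP 'a=fingerprint' parsing and certificate fingerprint verification.

Added example, not code from Asterisk or from this issue. The DER bytes used
in demo() are a constructed placeholder, not a real certificate.
"""
import hashlib
import hmac
import re

# Hash names registered for the SDP fingerprint attribute (RFC 4572 / RFC 8122),
# mapped to the hashlib algorithm that computes them. md2 is registered but
# hashlib does not provide it, so it is listed only to be rejected explicitly.
FINGERPRINT_HASHES = {
    "sha-1": "sha1",
    "sha-224": "sha224",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
    "md5": "md5",
    "md2": None,
}

# <hash-name> <HEX:HEX:...>; the hash name token is read up to whitespace,
# so "sha-256" is never shortened to "sha-2".
_FP_RE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$"
)


class FingerprintError(ValueError):
    """Raised for a malformed attribute or an unsupported hash name."""


def parse_fingerprint(line):
    """Parse one 'a=fingerprint:<hash> <hex:hex:...>' line.

    Returns (hash_name, digest_bytes). Raises FingerprintError on an unknown
    or unavailable hash name, a malformed digest, or a digest whose length
    does not match the named hash.
    """
    m = _FP_RE.match(line.strip())
    if not m:
        raise FingerprintError("malformed fingerprint attribute: %r" % line)
    alg = m.group("alg").lower()
    if alg not in FINGERPRINT_HASHES:
        raise FingerprintError("unsupported fingerprint hash type %r" % alg)
    if FINGERPRINT_HASHES[alg] is None:
        raise FingerprintError("hash type %r registered but not available" % alg)
    digest = bytes.fromhex(m.group("fp").replace(":", ""))
    expected_len = hashlib.new(FINGERPRINT_HASHES[alg]).digest_size
    if len(digest) != expected_len:
        raise FingerprintError(
            "digest length %d does not match %s" % (len(digest), alg))
    return alg, digest


def certificate_fingerprint(der_cert, alg):
    """Hash the DER-encoded certificate with the named SDP hash."""
    return hashlib.new(FINGERPRINT_HASHES[alg], der_cert).digest()


def format_fingerprint(der_cert, alg):
    """Build the attribute line an endpoint would advertise for its cert."""
    hexpairs = ":".join("%02X" % b for b in certificate_fingerprint(der_cert, alg))
    return "a=fingerprint:%s %s" % (alg, hexpairs)


def verify_peer_certificate(der_cert, fingerprint_line):
    """True iff the DTLS peer certificate matches the SDP fingerprint.

    The comparison is constant-time; a mismatch means the handshake
    certificate is not the one the signaling promised and must be rejected.
    """
    alg, advertised = parse_fingerprint(fingerprint_line)
    return hmac.compare_digest(certificate_fingerprint(der_cert, alg), advertised)


def demo():
    """Run the check on a placeholder cert: match, tamper, truncated hash name."""
    der = b"constructed-placeholder-certificate-bytes"  # not a real certificate
    results = {}
    line256 = format_fingerprint(der, "sha-256")
    results["sha256_ok"] = verify_peer_certificate(der, line256)
    results["sha256_tampered"] = verify_peer_certificate(der + b"x", line256)
    try:
        parse_fingerprint("a=fingerprint:sha-2 AB:CD")
        results["truncated"] = "accepted"
    except FingerprintError as exc:
        results["truncated"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The check only has value when it is actually enforced: a configuration that disables certificate verification skips the comparison in `verify_peer_certificate`, and the media then rests on the DTLS handshake alone rather than on the fingerprint carried in the signed or authenticated signaling.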



--
This message was sent by Atlassian JIRA
(v6.2#6252)


