[asterisk-bugs] [JIRA] (ASTERISK-25659) res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance

Alexander Traud (JIRA) noreply at issues.asterisk.org
Tue Jul 5 07:47:57 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-25659?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-25659:
---------------------------------------

    Attachment: dtls_centos_step_2.patch

Instead of replacing OpenSSL systemwide, I would go for a custom OpenSSL just for Asterisk. Examples for this are shown in ASTERISK-24815 and ASTERISK-25043. Furthermore, I recommend inserting {{SSLeay()}} and {{OPENSSL_VERSION_NUMBER}} somewhere in the code of Asterisk. That makes sure you picked the right library version and the headers match the source code.

Anyway, I installed CentOS Linux 7 (1511) and analyzed this issue in depth. The team of Red Hat [backported|https://bugzilla.redhat.com/show_bug.cgi?id=1080128] {{SSL_CTX_set_ecdh_auto}}. With OpenSSL 1.0.2, the source code for TLS and DTLS got merged. Therefore in OpenSSL 1.0.1, that backport is incomplete and works for TLS only. It does not work for DTLS. The OpenSSL internal method {{dtls1_send_server_key_exchange}} (thanks to [{{ERR_func_error_string}}|https://www.openssl.org/docs/manmaster/crypto/ERR_error_string.html]) does not contain any auto code and raises the mentioned error. Since OpenSSL 1.0.2, {{ssl3_send_server_key_exchange}} manages both TLS and DTLS.

I changed my patch to cope with that situation. Please see the newly attached {{dtls_centos_step_2.patch}}. Technically, it does not do anything different from your patch, because in CentOS Linux 7, {{SSL_CTX_set_ecdh_auto}} does nothing in DTLS. Or stated differently: your patch and my patch avoid that error. Anyway, I submitted {{dtls_centos_step_2.patch}} as a solution for code review. That issue should be fixed with Asterisk 13.11.0 then. Until then, please apply {{_step_1.patch}} and then {{_step_2.patch}}.

I created {{openssl-1.0.1e-ecdh-auto-dtls.patch}} to enable {{SSL_CTX_set_ecdh_auto}} even for DTLS in CentOS Linux. However, that change is not required in production code, because all known WebRTC clients use/offer {{secp256r1}}. Therefore, just for completeness until this is fixed in RHEL and then in CentOS Linux itself:
{noformat}
sudo yum install patch rpm-build
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
wget vault.centos.org/7.2.1511/updates/Source/SPackages/openssl-1.0.1e-51.el7_2.5.src.rpm
rpm -ivh ./openssl-1.0.1e-51.el7_2.5.src.rpm
wget issues.asterisk.org/jira/secure/attachment/54082/openssl-1.0.1e-ecdh-auto-dtls.patch
mv ./openssl-1.0.1e-ecdh-auto-dtls.patch ~/rpmbuild/SOURCES/
cd ~/rpmbuild/SPECS/
wget issues.asterisk.org/jira/secure/attachment/54083/openssl.spec.patch
patch -p0 <./openssl.spec.patch
rpmbuild -ba ./openssl.spec
cd ~/rpmbuild/RPMS/`uname -i`/
sudo rpm -ivh --force ./openssl-libs-1.0.1e-51.el7.centos.5.x86_64.rpm
{noformat}
Because of [another bug|https://bugzilla.redhat.com/show_bug.cgi?id=1335097], you have to change the date/time of your computer to 5/5/2016 before you build the libraries. Before you go for those steps, please double-check whether a newer OpenSSL [for 7.2.1511|http://vault.centos.org/7.2.1511/updates/Source/SPackages/] or even a [newer CentOS Linux|http://vault.centos.org/] is available in the meantime. Otherwise you overwrite your OpenSSL with an older version. Thanks to [this|http://bradthemad.org/tech/notes/patching_rpms.php] and [that|https://wiki.centos.org/TipsAndTricks/UsingNetatalk] guide.

> res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance
> -----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25659
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25659
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.22.0, 13.9.1
>         Environment: Using the following on the server:
> CentOS 7.2 (2015-11)
> Asterisk 13.6 (2015-10)
> jansson 2.7 (2014-10-02)
> PJSIP (pjproject) 2.4.5 (2015-08-12)
> sipML5 2.0.2 (2015-12)
> Using the following on the client:
> CentOS 7.2 KDE desktop
> Chrome Version 47.0.2526.106 (64-bit)
>            Reporter: Edwin Vandamme
>            Assignee: Alexander Traud
>            Severity: Minor
>         Attachments: asterisk.log, dtls_centos_step_1.patch, dtls_centos_step_2.patch, ecdh.patch, openssl-1.0.1e-ecdh-auto-dtls.patch, openssl.spec.patch
>
>
> This issue has been on the forum for over a week, but I did not get any feedback, http://forums.asterisk.org/viewtopic.php?f=1&t=96461&sid=528c724d236a38e60e868817462c6f26, so I have now escalated this as a bug report.
> Using the described environment, I get the following error in my Asterisk log :
> res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fe8c8024178' due to reason 'missing tmp ecdh key', terminating
> res_rtp_asterisk.c: RTP Read error: Unspecified. Hanging up.
> An earlier bug report listed this as a problem on Firefox: ASTERISK-25265
> It is said to be fixed in 13.6
> WebRTC is not yet in production on my system, due to the constant changes, but in earlier tests everything worked fine. As far as I can tell, it all started when Chrome forced the usage of https over http.
> Dialing from a WebRTC peer to Asterisk works just fine.
> For various reasons I use sip.conf, not pjsip.conf.
> Certificates used are proper certificates, not self-signed versions.
> I attached (asterisk.log) part of the Asterisk log file with "sip debug on", start of call till failure.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
