[asterisk-bugs] [JIRA] (ASTERISK-25659) res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance

Alexander Traud (JIRA) noreply at issues.asterisk.org
Wed Jun 22 08:09:57 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-25659?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-25659:
---------------------------------------

     Reviewboard Link: https://gerrit.asterisk.org/3066
    Affects Version/s:     (was: 13.6.0)
                           (was: 13.8.2)
                           (was: 13.8.1)
                           (was: 13.8.0)
                           (was: 13.7.2)
                           (was: 13.7.1)
                           (was: 13.7.0)
                       11.22.0
                       13.9.1
             Assignee: Alexander Traud

CentOS 7 has added the symbol {{SSL_CTX_set_ecdh_auto}} in the header file {{openssl/ssl.h}} of their package {{openssl-devel}}. Therefore, the configure script of Asterisk detects this symbol to be available. It looks like the CentOS team has backported that feature from the official OpenSSL 1.0.2 to their OpenSSL 1.0.1.

Edwin, one approach would be to file a support request (or bug report) with the CentOS team, asking how/when their {{SSL_CTX_set_ecdh_auto}} should be used and whether it needs any additional initialization. Alternatively, please find the source code of their OpenSSL port. Then I will have a look at what magic the CentOS team did. So far, I was not able to find the code to investigate deeper.

Anyway, to get this issue fixed here in Asterisk, I adopted the approach of [~sarumjanuch], who copied my existing (and working) PFS code from {{main/tcptls.c}} (see his attachment {{res_rtp_asterisk.patch}} in ASTERISK-25265). For up-to-date changes, see the [added link|https://gerrit.asterisk.org/3066] to the review-board Gerrit, {{dtls_centos_step_1.patch}}, and {{dtls_centos_step_2.patch}}.

Those patches were tested with Google Chrome 51.0 and Mozilla Firefox 47.0. I tested with ECDHE-only cipher-suites, with DHE-only cipher-suites, and with DHE-only cipher-suites without DH parameters, in both directions: web browser as caller and as callee. Furthermore, that original code for TLS has been in Asterisk 13 since day one. Asterisk 13 has been a production release since October 2014.

By the way, [~urbaniak] reported this issue with CentOS 7 back in August 2015 already. Unfortunately, he did not create a new issue or re-open ASTERISK-25265. His report got missed. Therefore, for that CentOS issue, please let us continue here in this issue report.

> res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance
> -----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25659
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25659
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.22.0, 13.9.1
>         Environment: Using the following on the server:
>   CentOS              7.2      2015-11
>   Asterisk            13.6     2015-10
>   jansson             2.7      2014-10-02
>   PJSIP (pjproject)   2.4.5    2015-08-12
>   sipML5              2.0.2    2015-12
> Using the following on the client:
>   CentOS              7.2 KDE desktop
>   Chrome Version      47.0.2526.106 (64-bit)
>            Reporter: Edwin Vandamme
>            Assignee: Alexander Traud
>            Severity: Minor
>         Attachments: asterisk.log, dtls_centos_step_1.patch, dtls_centos_step_2.patch, ecdh.patch
>
>
> This issue has been on the forum for over a week, but I did not get any feedback, http://forums.asterisk.org/viewtopic.php?f=1&t=96461&sid=528c724d236a38e60e868817462c6f26, so I have now escalated this as a bug report.
> Using the described environment, I get the following error in my Asterisk log:
> res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fe8c8024178' due to reason 'missing tmp ecdh key', terminating
> res_rtp_asterisk.c: RTP Read error: Unspecified. Hanging up.
> An earlier bug report listed this as a problem on Firefox: ASTERISK-25265
> It is said to be fixed in 13.6
> WebRTC is not yet in production on my system, due to the constant changes, but in earlier tests everything worked fine. As far as I can tell, it all started when Chrome forced the usage of https over http.
> Dialing from a WebRTC peer to Asterisk works just fine.
> For various reasons I use sip.conf, not pjsip.conf.
> Certificates used are proper certificates, not self-signed versions.
> I attached (asterisk.log) part of the Asterisk log file with "sip debug on", start of call till failure.
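A small log-triage script for the DTLS failure lines quoted in the report, as an added example that is not code from the Asterisk project or from this thread; the timestamps, the unrelated first sample line and the hint text are constructed here, the hint following the diagnosis in Alexander's comment above (DTLS context without a temporary ECDH key):

```python
import re
from collections import Counter

# res_rtp_asterisk log lines in the shape quoted in the report above.
DTLS_FAILURE = re.compile(
    r"res_rtp_asterisk\.c: DTLS failure occurred on RTP instance "
    r"'(?P<instance>0x[0-9a-fA-F]+)' due to reason '(?P<reason>[^']+)', terminating"
)
RTP_READ_ERROR = re.compile(
    r"res_rtp_asterisk\.c: RTP Read error: (?P<detail>.+?)\. Hanging up\."
)

# Hints per failure reason (constructed). The first entry is this report's case:
# the DTLS SSL_CTX has no temporary ECDH key, so ECDHE cipher-suites cannot complete.
REASON_HINTS = {
    "missing tmp ecdh key": "DTLS context has no temporary ECDH key; check the OpenSSL "
                            "ECDH setup (ASTERISK-25659, Gerrit review 3066)",
}

# Constructed sample: the two lines quoted in the report plus one unrelated line.
SAMPLE_LOG = """\
[Dec 22 10:01:02] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog ...
[Dec 22 10:01:03] ERROR[1234] res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fe8c8024178' due to reason 'missing tmp ecdh key', terminating
[Dec 22 10:01:03] WARNING[1234] res_rtp_asterisk.c: RTP Read error: Unspecified. Hanging up.
"""


def triage_dtls(log_text):
    """One record per DTLS failure: RTP instance, reason, hint, and whether the
    'RTP Read error ... Hanging up' line followed within the next two lines."""
    lines = log_text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = DTLS_FAILURE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        hung_up = any(RTP_READ_ERROR.search(nxt) for nxt in lines[i + 1:i + 3])
        records.append({
            "instance": m.group("instance"),
            "reason": reason,
            "hint": REASON_HINTS.get(reason, "unknown reason; capture the log with 'sip debug on'"),
            "hung_up": hung_up,
        })
    return records


def reasons_summary(log_text):
    """Count DTLS failures per reason: a quick check whether every failure is the same bug."""
    return dict(Counter(r["reason"] for r in triage_dtls(log_text)))


if __name__ == "__main__":
    for rec in triage_dtls(SAMPLE_LOG):
        print(rec)
```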
