[asterisk-bugs] [JIRA] (ASTERISK-25659) res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance

Edwin Vandamme (JIRA) noreply at issues.asterisk.org
Wed Jun 22 14:49:57 CDT 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=231117#comment-231117 ] 

Edwin Vandamme edited comment on ASTERISK-25659 at 6/22/16 2:49 PM:
--------------------------------------------------------------------

Alexander,

I have been using Asterisk 13 from day one as I upgraded from 12.
The problem only popped up after 13.6.
Though shortly before that, CentOS upgraded from 7.1 to 7.2 (that would have been 201511).
If I remember correctly, I did switch back to 13.5 and that did not have a problem with CentOS 7.2.
I did try installing OpenSSL (not the CentOS version) on CentOS 7.2 from source and that showed the same problem.

All this led me to believe the problem lies with Asterisk.

In hindsight I rather think it has to do with the picking order of the required cipher.
I believe recently there was something released to set the available ciphers, so that might fix the problem, but I need to dive into it again to be 100% sure.


So I will try to:
1) get the CentOS code for OpenSSL, so you can have a look at it.
2) verify if the cipher can be set.
3) verify if the latest Chrome 51.0.2704.84 (64-bit) might fix the problem (in case the browser selects the cipher)

As my systems are still not in production (don't you hate that), I have the means to do some testing on a real-life environment instead of a test environment.



was (Author: pay123):
Alexander,

I have been using Asterisk 13 from day one as I upgraded from 12.
The problem only popped up after 13.6.
Though shortly before that, CentOS upgraded from 7.1 to 7.2 (that would have been 201511).
If I remember correctly, I did switch back to 13.5 and that did not have a problem with CentOS 7.2.
I did try installing OpenSSL on CentOS 7.2 from source and that showed the same problem.

All this led me to believe the problem lies with Asterisk.

In hindsight I rather think it has to do with the picking order of the required cipher.
I believe recently there was something released to set the available ciphers, so that might fix the problem, but I need to dive into it again to be 100% sure.


So I will try to:
1) get the CentOS code for OpenSSL, so you can have a look at it.
2) verify if the cipher can be set.
3) verify if the latest Chrome 51.0.2704.84 (64-bit) might fix the problem (in case the browser selects the cipher)

As my systems are still not in production (don't you hate that), I have the means to do some testing on a real-life environment instead of a test environment.


> res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance
> -----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25659
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25659
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.22.0, 13.9.1
>         Environment: Using the following on the server :
> CentOS             7.2      2015-11
> Asterisk           13.6     2015-10
> jansson            2.7      2014-10-02
> PJSIP (pjproject)  2.4.5    2015-08-12
> sipML5             2.0.2    2015-12
> Using the following on the client:
> CentOS             7.2 KDE desktop
> Chrome Version     47.0.2526.106 (64-bit)
>            Reporter: Edwin Vandamme
>            Assignee: Alexander Traud
>            Severity: Minor
>         Attachments: asterisk.log, dtls_centos_step_1.patch, dtls_centos_step_2.patch, ecdh.patch
>
>
> This issue has been on the forum for over a week, but I did not get any feedback, http://forums.asterisk.org/viewtopic.php?f=1&t=96461&sid=528c724d236a38e60e868817462c6f26, so I have now escalated this as a bug report.
> Using the described environment, I get the following error in my Asterisk log:
> res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fe8c8024178' due to reason 'missing tmp ecdh key', terminating
> res_rtp_asterisk.c: RTP Read error: Unspecified. Hanging up.
> An earlier bug report listed this as a problem on Firefox: ASTERISK-25265
> It is said to be fixed in 13.6.
> WebRTC is not yet in production on my system, due to the constant changes, but in earlier tests everything worked fine. As far as I can tell, it all started when Chrome forced the usage of https over http.
> Dialing from a WebRTC peer to Asterisk works just fine.
> For various reasons I use sip.conf, not pjsip.conf.
> Certificates used are proper certificates, not self-signed versions.
> I attached (asterisk.log) part of the Asterisk log file with "sip debug on", start of call till failure.



--
This message was sent by Atlassian JIRA
(v6.2#6252)


