[asterisk-bugs] [JIRA] (ASTERISK-25659) res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance

Alexander Traud (JIRA) noreply at issues.asterisk.org
Mon Jun 27 07:29:57 CDT 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=231196#comment-231196 ] 

Alexander Traud commented on ASTERISK-25659:
--------------------------------------------

Since June 2015, Firefox requires PFS based cipher suites for DTLS. Asterisk 13.6.0 added support for PFS because its DTLS part should have allowed PFS since day one, in October 2012. By this change, one additional symbol of OpenSSL is used, because with PFS not just the ‘Cipher Suite’ but an ‘Elliptic Curve’ must be negotiated as well. A web browser lists its Elliptic Curves, for example:
- Google Chrome 51.0 sends {{0x001d, secp256r1, secp384r1}}
- Mozilla Firefox 47.0 sends {{secp256r1, secp384r1, secp521r1}}

Asterisk (actually OpenSSL within Asterisk) goes for the first supported curve. Therefore, {{secp256r1}} in any case.

The symbol {{SSL_CTX_set_ecdh_auto}} is available only with newer versions of OpenSSL but offers the possibility to auto-negotiate. Therefore the author -- who added PFS for DTLS ([~mwduncan]) -- changed the configure script of Asterisk to detect whether that auto-negotiate symbol is present in your OpenSSL or not. That change of Asterisk 13.6.0 was of no issue on Ubuntu 14.04 LTS or Ubuntu 16.04 LTS. Even CentOS 6 is of no issue. This is an interoperability issue with CentOS 7. The CentOS team backported {{SSL_CTX_set_ecdh_auto}} from OpenSSL 1.0.2 to their OpenSSL 1.0.1. However, that backport does not work as expected.

Or stated differently: A change in Asterisk 13.6.0 _revealed_ an issue on CentOS 7. If you want to workaround that from a configuration file, you have to go for {{dtlscipher=AES128-SHA}}. The list of cipher-suites on the HTTP (Secure WebSocket) layer does not matter because that is TLS. It is just the DTLS layer, which has this issue. However with that solution, you disable PFS and therefore lose compatibility with Mozilla Firefox.

That source code and [this patch list|https://git.centos.org/tree/rpms!openssl!/5fee79a733e7bcfa468ae8f400bad40a1002c8c5/SOURCES] confirm that the CentOS team backported that feature. However, it does not work as expected. I was not able to find the difference/cause on the first glance, therefore please, file a bug report with CentOS. By the way, could you please test Mozilla Firefox? Perhaps it is this first unsupported Elliptic Curve which causes this issue in that backport. I looked through the backport but did not see why it fails. However, a more concrete analysis would take much longer. If you could debug your OpenSSL and determine which Elliptic Curve is returned by {{tls1_shared_curve}} within OpenSSL -- that might help the CentOS team to find the cause.

I hope this clarifies the situation. When there are any further questions, please, do not hesitate to ask. As a workaround, I modified my TLS-PFS patch for DTLS. That change is exactly your proposed solution (6) from January. That solves the issue which is specific to CentOS 7.

> res_rtp_asterisk: ECDH not negotiated causing DTLS failure occurred on RTP instance
> -----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25659
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25659
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.22.0, 13.9.1
>         Environment: Using the following on the server:
> CentOS             7.2     2015-11
> Asterisk           13.6    2015-10
> jansson            2.7     2014-10-02
> PJSIP (pjproject)  2.4.5   2015-08-12
> sipML5             2.0.2   2015-12
> Using the following on the client:
> CentOS             7.2 KDE desktop
> Chrome Version     47.0.2526.106 (64-bit)
>            Reporter: Edwin Vandamme
>            Assignee: Alexander Traud
>            Severity: Minor
>         Attachments: asterisk.log, dtls_centos_step_1.patch, dtls_centos_step_2.patch, ecdh.patch
>
>
> This issue has been on the forum for over a week, but I did not get any feedback, http://forums.asterisk.org/viewtopic.php?f=1&t=96461&sid=528c724d236a38e60e868817462c6f26, so I have now escalated this as a bug report.
> Using the described environment, I get the following error in my Asterisk log :
> res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fe8c8024178' due to reason 'missing tmp ecdh key', terminating
> res_rtp_asterisk.c: RTP Read error: Unspecified. Hanging up.
> An earlier bug report listed this as a problem on FireFox : ASTERISK-25265
> It is said to be fixed in 13.6
> WebRTC is not yet in production on my system, due to the constant changes, but in earlier tests everything worked fine. As far as I can tell, it all started when Chrome forced the usage of https over http.
> Dialing from a WebRTC peer to Asterisk works just fine.
> For various reasons I use sip.conf, not pjsip.conf.
> Certificates used are proper certificates, not self signed versions.
> I attached (asterisk.log) part of the Asterisk log file with "sip debug on", start of call till failure.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
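Added example, not code from Asterisk, OpenSSL, or the comment above: a model of the curve selection the comment describes, so the two browser lists can be compared side by side. The client lists are constructed from the curve names quoted in the comment (0x001d is X25519, which an OpenSSL 1.0.1 server does not know); the server list, the walk-in-client-order rule, and the "stop at unknown" variant are assumptions for illustration. The latter only models the hypothesis Alexander Traud raises about the first unsupported curve in Chrome's list; it is not a confirmed cause of the CentOS 7 failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA NamedCurve ids as carried in the (D)TLS elliptic_curves extension. */
enum {
    CURVE_SECP256R1 = 23,
    CURVE_SECP384R1 = 24,
    CURVE_SECP521R1 = 25,
    CURVE_X25519    = 29   /* the 0x001d at the head of Chrome's list */
};

/* Constructed client lists, taken from the curve names quoted in the comment. */
static const uint16_t CHROME_51_CURVES[]  = { CURVE_X25519, CURVE_SECP256R1, CURVE_SECP384R1 };
static const uint16_t FIREFOX_47_CURVES[] = { CURVE_SECP256R1, CURVE_SECP384R1, CURVE_SECP521R1 };
/* Assumed server side: a build that knows only the three NIST curves. */
static const uint16_t SERVER_CURVES[]     = { CURVE_SECP256R1, CURVE_SECP384R1, CURVE_SECP521R1 };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Serialise a curve list the way a ClientHello carries it: a two-byte
 * big-endian length followed by two-byte curve ids. Returns bytes written,
 * or 0 if the output buffer is too small. */
size_t encode_curve_list(const uint16_t *ids, size_t count, uint8_t *out, size_t cap)
{
    size_t body = count * 2;
    if (body > 0xffff || cap < body + 2)
        return 0;
    out[0] = (uint8_t)(body >> 8);
    out[1] = (uint8_t)(body & 0xff);
    for (size_t i = 0; i < count; i++) {
        out[2 + 2 * i] = (uint8_t)(ids[i] >> 8);
        out[3 + 2 * i] = (uint8_t)(ids[i] & 0xff);
    }
    return body + 2;
}

static int server_supports(uint16_t id)
{
    for (size_t i = 0; i < COUNT(SERVER_CURVES); i++)
        if (SERVER_CURVES[i] == id)
            return 1;
    return 0;
}

/* Pick the curve for the ECDHE key: walk the client's list in the client's
 * order and return the first id the server supports (the "goes for the first
 * supported curve" behaviour the comment describes). Returns 0 when no curve
 * is shared and -1 when the extension body is malformed.
 *
 * stop_at_unknown != 0 models the hypothesis raised in the comment: a server
 * that gives up at the first id it does not recognise instead of skipping it.
 * This is a behaviour to test for, not a confirmed cause of the bug. */
int shared_curve(const uint8_t *ext, size_t len, int stop_at_unknown)
{
    if (len < 2)
        return -1;
    size_t body = ((size_t)ext[0] << 8) | ext[1];
    if (body + 2 != len || body % 2 != 0)
        return -1;
    for (size_t off = 2; off + 1 < len; off += 2) {
        uint16_t id = (uint16_t)((ext[off] << 8) | ext[off + 1]);
        if (server_supports(id))
            return id;
        if (stop_at_unknown)
            return 0;
    }
    return 0;
}

/* Encode a client list and negotiate it against SERVER_CURVES in one step. */
int negotiate(const uint16_t *client, size_t count, int stop_at_unknown)
{
    uint8_t ext[64];
    size_t len = encode_curve_list(client, count, ext, sizeof ext);
    if (len == 0)
        return -1;
    return shared_curve(ext, len, stop_at_unknown);
}

int main(void)
{
    printf("Chrome 51,  skip unknown ids: %d\n", negotiate(CHROME_51_CURVES,  COUNT(CHROME_51_CURVES),  0));
    printf("Chrome 51,  stop at unknown : %d\n", negotiate(CHROME_51_CURVES,  COUNT(CHROME_51_CURVES),  1));
    printf("Firefox 47, skip unknown ids: %d\n", negotiate(FIREFOX_47_CURVES, COUNT(FIREFOX_47_CURVES), 0));
    printf("Firefox 47, stop at unknown : %d\n", negotiate(FIREFOX_47_CURVES, COUNT(FIREFOX_47_CURVES), 1));
    return 0;
}
```

With the skipping rule both browsers end up on secp256r1, which matches the comment's "secp256r1 in any case". Only the stop-at-unknown variant separates them: Chrome's list fails because it leads with 0x001d, Firefox's list still yields secp256r1. That is why testing Firefox, and checking what tls1_shared_curve actually returns in the CentOS 7 OpenSSL under a debugger, is the discriminating step the comment asks for; this model cannot settle it on its own.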