[asterisk-dev] Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Daniel Pocock daniel at pocock.com.au
Fri Jan 24 03:28:51 CST 2014


On 22/02/13 22:09, Matthew Jordan wrote:
> On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
>> Hello Joshua and Matthew.
>>
>> I would be happy to contribute with a patch.
>> I just need the following info:
>> 1. With which client can I test the current implementation of DTLS-SRTP on asterisk?
> They're rather hard to find.
>
> When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
> exhaustive search looking for clients that (a) supported DTLS-SRTP and
> (b) could be pointed at Asterisk. At the time, no clients met both
> criteria. Those that did support DTLS-SRTP were working hard on creating
> closed networks that did not allow another B2BUA to participate.
>
> We tested it by pointing two Asterisk instances at each other and
> running Wireshark. And staring at a lot of pcaps.
>
> That situation may have changed.
>
>> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes, or do I need dtlsverify and to set DTLS certificates for basic functionality?
> You need a bit more than that. You'll need:
> 1) The correct version of OpenSSL that supports DTLS installed and
> Asterisk built using it
> 2) CA and cert files generated that will be used by the RTP engine
> 3) Properly configured endpoints. For a test run of Asterisk <->
> Asterisk, the configuration of one instance of Asterisk looked something
> like this:
> [snip]

Was any patch contributed? Can anybody comment on whether DTLS-SRTP
support has been extended to work with Firefox yet?

With the Asterisk 11.7 packages on Debian, calls from Mozilla users are
rejected with the sha-2 errors (see the errors and my config below).

Notice that I even tried with dtlsverify=no and dtlscipher=ALL and it
still fails.

OpenSSL version is 1.0.1e-2+deb7u3

Users are encountering this problem on the public test site
http://www.sip5060.net/test-calls - e.g.
http://danielpocock.com/comment/11269#comment-11269


[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog 'j9quvgkcjme7psetsr4q'
[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 51556 RTP/SAVPF 109 0 8 101

dtlsenable = yes
dtlsverify = no
; dtlsrekey = 60
dtlscertfile = /etc/ssl/ssl.crt/wsrelay.sip5060.net.pem
dtlsprivatekey = /etc/ssl/private/wsrelay.sip5060.net-key.pem
dtlscipher = ALL                     ; Cipher to use for TLS negotiation
;                                    ; A list of valid SSL cipher strings can be found at:
;                                    ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
; dtlscafile = file                  ; Path to certificate authority certificate
dtlscapath = /etc/ssl/certs
dtlssetup = passive
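An added example, not code from this thread or from Asterisk itself: a small Python parser for the SDP a=fingerprint attribute (RFC 4572) that accepts the registered hash names in full, rejects an unregistered name such as the 'sha-2' in the warning above, and checks the offered value against the digest of the peer's certificate. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re

# Hash functions RFC 4572 allows in a=fingerprint, mapped to hashlib names.
FINGERPRINT_HASHES = {
    "sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512", "md5": "md5",
}
# a=fingerprint:<hash-func> <upper-case hex byte pairs separated by colons>
_FP_RE = re.compile(r"^a=fingerprint:([A-Za-z0-9-]+)\s+([0-9A-F]{2}(?::[0-9A-F]{2})*)\s*$")


def parse_fingerprint(line):
    """Return (hash_func, digest_bytes) for one SDP a=fingerprint line, or raise ValueError."""
    m = _FP_RE.match(line.strip())
    if not m:
        raise ValueError("malformed fingerprint attribute: %r" % line)
    hash_func = m.group(1).lower()
    if hash_func not in FINGERPRINT_HASHES:
        # The case the Asterisk log above reports: 'sha-2' is not a registered name.
        raise ValueError("Unsupported fingerprint hash type %r" % hash_func)
    digest = bytes.fromhex(m.group(2).replace(":", ""))
    if len(digest) != hashlib.new(FINGERPRINT_HASHES[hash_func]).digest_size:
        raise ValueError("fingerprint length does not match %s" % hash_func)
    return hash_func, digest


def rejection_reason(line):
    """None if the attribute is acceptable, else the reason it is rejected."""
    try:
        parse_fingerprint(line)
    except ValueError as exc:
        return str(exc)
    return None


def fingerprint_matches(line, cert_der):
    """True if the offered fingerprint is the digest of the peer's DER certificate."""
    hash_func, digest = parse_fingerprint(line)
    actual = hashlib.new(FINGERPRINT_HASHES[hash_func], cert_der).digest()
    return hmac.compare_digest(actual, digest)  # constant-time comparison


def format_fingerprint(hash_func, cert_der):
    """Build the a=fingerprint line a peer would offer for its certificate cert_der."""
    hexdigest = hashlib.new(FINGERPRINT_HASHES[hash_func], cert_der).hexdigest().upper()
    pairs = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return "a=fingerprint:%s %s" % (hash_func, pairs)


# Constructed stand-in for a DTLS certificate in DER form (not a real certificate).
SAMPLE_CERT_DER = b"constructed DER bytes standing in for a DTLS certificate"
```

In a real handshake the DER bytes come from the certificate the peer presents during DTLS, and the fingerprint must match before the SRTP keys derived from that handshake are trusted.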