[asterisk-dev] Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Lorenzo Miniero lminiero at gmail.com
Fri Jan 24 03:59:59 CST 2014


Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs
an additional callback in the code to always return a success. Nitesh and I
provided some patches here:

https://issues.asterisk.org/jira/browse/ASTERISK-22961

Mine was specifically targeted at getting Firefox to work, but I only
tested incoming calls. I didn't test Nitesh's one, but apparently he
managed to get it to work as well.

Lorenzo


2014/1/24 Daniel Pocock <daniel at pocock.com.au>

> On 22/02/13 22:09, Matthew Jordan wrote:
> > On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
> >> Hello Joshua and Matthew.
> >>
> >> I would be happy to contribute with a patch.
> >> I just need the following info:
> >> 1. With which client can I test the current implementation of DTLS-SRTP on asterisk?
> > They're rather hard to find.
> >
> > When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
> > exhaustive search looking for clients that (a) supported DTLS-SRTP and
> > (b) could be pointed at Asterisk. At the time, no clients met both
> > criteria. Those that did support DTLS-SRTP were working hard on creating
> > closed networks that did not allow another B2BUA to participate.
> >
> > We tested it by pointing two Asterisk instances at each other and
> > running Wireshark. And staring at a lot of pcaps.
> >
> > That situation may have changed.
> >
> >> 2. To configure DTLS-SRTP properly, is it enough to just set
> >> dtlsenable=yes, or do I need dtlsverify and to set dtls certificates for
> >> basic functionality?
> > You need a bit more than that. You'll need:
> > 1) The correct version of OpenSSL that supports DTLS installed and
> > Asterisk built using it
> > 2) CA and cert files generated that will be used by the RTP engine
> > 3) Properly configured endpoints. For a test run of Asterisk <->
> > Asterisk, the configuration of one instance of Asterisk looked something
> > like this:
> > [snip]
>
> Was any patch contributed? Can anybody comment on whether DTLS-SRTP
> support has been extended to work with Firefox yet?
>
> With the Asterisk 11.7 packages on Debian, calls from Mozilla users are
> rejected with the sha-2 errors (see the errors and my config below).
>
> Notice that I even tried with dtlsverify=no and dtlscipher=ALL and it
> still fails.
>
> OpenSSL version is 1.0.1e-2+deb7u3
>
> Users are encountering this problem on the public test site
> http://www.sip5060.net/test-calls - e.g.
> http://danielpocock.com/comment/11269#comment-11269
>
>
> [Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog 'j9quvgkcjme7psetsr4q'
> [Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 51556 RTP/SAVPF 109 0 8 101
>
> dtlsenable = yes
> dtlsverify = no
> ; dtlsrekey = 60
> dtlscertfile = /etc/ssl/ssl.crt/wsrelay.sip5060.net.pem
> dtlsprivatekey = /etc/ssl/private/wsrelay.sip5060.net-key.pem
> dtlscipher = ALL  ; Cipher to use for TLS negotiation
> ;                 ; A list of valid SSL cipher strings can be found at:
> ;                 ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
> ; dtlscafile = file                  ; Path to certificate authority certificate
> dtlscapath = /etc/ssl/certs
> dtlssetup = passive
>
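The first warning in the log above is a parsing problem: Firefox offers an `a=fingerprint:sha-256 ...` line (the subject of this thread), yet Asterisk reports the hash type as `sha-2`. The C below is an added illustration, not code from chan_sip.c and not a description of what it contained. It contrasts a width-limited `sscanf()` pattern, which can never capture more than five characters of the hash name, with a tokenising parser that accepts the hash names registered for `a=fingerprint` in RFC 4572 and checks the fingerprint against the digest size of the named hash. The sample attribute lines and their digest bytes are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hash functions registered for a=fingerprint in RFC 4572, with the digest
 * size each one produces.  The fingerprint is the digest of the DER-encoded
 * certificate, written as colon-separated uppercase hex octets. */
enum fp_hash { FP_UNKNOWN = 0, FP_SHA1, FP_SHA224, FP_SHA256, FP_SHA384, FP_SHA512, FP_MD5 };

struct fp_alg { const char *name; enum fp_hash id; size_t digest_len; };

static const struct fp_alg algs[] = {
    { "sha-1",   FP_SHA1,   20 },
    { "sha-224", FP_SHA224, 28 },
    { "sha-256", FP_SHA256, 32 },
    { "sha-384", FP_SHA384, 48 },
    { "sha-512", FP_SHA512, 64 },
    { "md5",     FP_MD5,    16 },
};

/* Constructed sample attributes (the digest bytes are made up): the first has
 * the shape Firefox offers, the second is the sha-1 form older stacks used. */
const char sample_sha256[] = "fingerprint: sha-256 3F:8D:1A:5C:2B:77:E4:90:AB:CD:EF:01:23:45:67:89:9A:BC:DE:F0:11:22:33:44:55:66:77:88:99:AA:BB:CC";
const char sample_sha1[]   = "fingerprint: sha-1 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67";

/* Fragile pattern, shown only to illustrate the failure mode: a %5s width
 * stops after five characters, so "sha-256" is captured as "sha-2" and the
 * leftover "56" is taken as the fingerprint.  Returns 0 when two fields were
 * scanned; hash_out receives the (possibly truncated) hash name. */
int parse_fingerprint_fragile(const char *attr, char *hash_out, size_t hash_sz)
{
    char hash[6], fp[256];
    if (sscanf(attr, "fingerprint: %5s %255s", hash, fp) != 2)
        return -1;
    snprintf(hash_out, hash_sz, "%s", hash);
    return 0;
}

/* Case-insensitive comparison of exactly n bytes. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Robust parser: tokenises on whitespace with no fixed field width, matches the
 * hash name against the registered set, and requires the fingerprint to have
 * exactly digest_len colon-separated hex octets.  Copies the fingerprint into
 * fp_out and returns the algorithm, or FP_UNKNOWN on any syntax problem. */
enum fp_hash parse_fingerprint(const char *attr, char *fp_out, size_t fp_sz)
{
    const char *p = attr;
    if (strncmp(p, "fingerprint:", 12) != 0)
        return FP_UNKNOWN;
    p += 12;
    while (*p == ' ') p++;

    size_t name_len = strcspn(p, " \t\r\n");
    const struct fp_alg *alg = NULL;
    for (size_t i = 0; i < sizeof algs / sizeof algs[0]; i++) {
        if (strlen(algs[i].name) == name_len && ieq(p, algs[i].name, name_len)) {
            alg = &algs[i];
            break;
        }
    }
    if (!alg)
        return FP_UNKNOWN;
    p += name_len;
    while (*p == ' ') p++;

    /* Two hex digits per octet plus a ':' between octets. */
    size_t expect = alg->digest_len * 3 - 1;
    size_t got = strcspn(p, " \t\r\n");
    if (got != expect || got >= fp_sz)
        return FP_UNKNOWN;
    for (size_t i = 0; i < got; i++) {
        if (i % 3 == 2) {
            if (p[i] != ':') return FP_UNKNOWN;
        } else if (!isxdigit((unsigned char)p[i])) {
            return FP_UNKNOWN;
        }
    }
    memcpy(fp_out, p, got);
    fp_out[got] = '\0';
    return alg->id;
}

int main(void)
{
    char hash[16], fp[256];
    parse_fingerprint_fragile(sample_sha256, hash, sizeof hash);
    printf("fragile parse sees hash type '%s'\n", hash);
    enum fp_hash h = parse_fingerprint(sample_sha256, fp, sizeof fp);
    printf("robust parse: alg=%d fingerprint=%s\n", (int)h, fp);
    return 0;
}
```

The second warning in the log follows from the first: once the fingerprint has been discarded, the RTP/SAVPF stream has no usable keying material and is rejected rather than downgraded to plain RTP, which is the safe failure. It also explains why `dtlsverify=no` cannot help on its own: the hash name has to be parsed correctly before verification of the remote certificate is even reached.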