[asterisk-users] Getting 'no shared cipher' on call to webrtc endpoint from asterisk-11.24.0

Alex Villací­s Lasso a_villacis at palosanto.com
Wed Oct 26 14:59:20 CDT 2016 

El 26/10/16 a las 13:16, Alex Villací­s Lasso escribió:
> I am making SIP calls using SIP.js and configuring Asterisk 11.x for websockets calls under CentOS 7. On 11.23.1 and earlier, I had to patch the code to disable auto negociation due to ASTERISK-25659. Now that the bug is supposedly fixed in commit 
> 8653da4fa228e1e289e09e5d024e11d24da87d94, I reverted my local patch. Calls from Firefox 49 to Asterisk connect normally. However, when Asterisk originates a call to Firefox, the call hangs up immediately with this message:
>
> [2016-10-26 12:38:09] ERROR[2888][C-00000004]: res_rtp_asterisk.c:2173 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f5f0802f378' due to reason 'no shared cipher', terminating
> [2016-10-26 12:38:09] WARNING[2888][C-00000004]: res_rtp_asterisk.c:3924 ast_rtcp_read: RTCP Read error: Unspecified.  Hanging up.
>
> I suspect this has something to do with the dtlscipher setting, which is currently not set anywhere in my setup.
>
> Is my suspicion correct? How do I debug which ciphers need to be enabled?
>

For Asterisk 11.24.0, the elliptic curve code is #ifdef'ed around HAVE_OPENSSL_EC . However, nowhere in the configure.ac is a check to enable HAVE_OPENSSL_EC. Therefore elliptic curve is always disabled on Asterisk 11.24.0 despite the intent of the code.


>
> -bash-4.2# openssl ciphers -v DEFAULT
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256) Mac=SHA384
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
> ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256) Mac=SHA1
> ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256) Mac=SHA256
> DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256) Mac=SHA256
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256) Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA Enc=Camellia(256) Mac=SHA1
> DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS Enc=Camellia(256) Mac=SHA1
> ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
> ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
> ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
> ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
> ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
> ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
> AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA Enc=AESGCM(256) Mac=AEAD
> AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256) Mac=SHA256
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256) Mac=SHA1
> CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA Enc=Camellia(256) Mac=SHA1
> PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256) Mac=SHA1
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128) Mac=SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128) Mac=SHA1
> ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128) Mac=SHA256
> DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128) Mac=SHA256
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128) Mac=SHA1
> DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
> DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA Enc=Camellia(128) Mac=SHA1
> DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS Enc=Camellia(128) Mac=SHA1
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
> ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
> ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
> ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
> ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
> ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA Enc=AESGCM(128) Mac=AEAD
> AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128) Mac=SHA256
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128) Mac=SHA1
> SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
> CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA Enc=Camellia(128) Mac=SHA1
> PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128) Mac=SHA1
> ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
> ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
> ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
> ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
> PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
> KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
> KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
> KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5
> KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
> ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128) Mac=SHA1
> ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128) Mac=SHA1
> ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
> ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128) Mac=SHA1
> RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128) Mac=MD5
> PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128) Mac=SHA1
> KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128) Mac=SHA1
> KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128) Mac=MD5
>
>

More information about the asterisk-users mailing list