<div dir="ltr">From this change (res_rtp_asterisk), ast 13.10 to 13.11, WebRTC JsSIP stopped working, failing with<div><br></div><div><p style="margin:0px;font-size:10px;line-height:normal;font-family:Monaco;color:rgb(244,244,244);background-color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">chan_sip.c:4083 retrans_pkt: Hanging up call <a href="http://7238b48c11581d4166b899bf747a05f7@130.211.62.184:0">7238b48c11581d4166b899bf747a05f7@130.211.62.184:0</a> - no reply to our critical packet (see <a href="https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions">https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions</a>).</span></p><div><br></div><div><br></div><div>Is there any way to configure it to have the previous behaviour?</div><div>I'm trying to set dtlscipher=AES128-SHA but I always see </div><div><br></div><div>DTLS ECDH initialized (automatic), faster PFS enabled</div><div><br></div><div>Any idea? </div><div><br></div><div>Thanks!<br><div><table class="inbox-inbox-highlight inbox-inbox-tab-size inbox-inbox-js-file-line-container" style="box-sizing:border-box;border-collapse:collapse;color:rgb(51,51,51);font-family:-apple-system,blinkmacsystemfont,'segoe ui',roboto,helvetica,arial,sans-serif,'apple color emoji','segoe ui emoji','segoe ui symbol';font-size:14px;font-variant-ligatures:normal"><tbody style="box-sizing:border-box"><tr style="box-sizing:border-box"><td id="inbox-inbox-LC497" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">res_rtp_asterisk</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L498" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation 
mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC498" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">------------------</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L499" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC499" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre"> * The DTLS part in Asterisk now supports Perfect Forward Secrecy (PFS).</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L500" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC500" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" 
style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">   Enabling PFS is attempted by default, and is dependent on the configuration</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L501" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC501" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">   of the module using TLS.</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L502" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC502" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">   - Ephemeral ECDH (ECDHE) is enabled by default. 
To disable it, do not</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L503" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC503" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     specify a ECDHE cipher suite in sip.conf, for example:</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L504" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC504" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">       dtlscipher=AES128-SHA</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L505" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation 
mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC505" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">   - Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L506" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC506" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     into the private key file, e.g., sip.conf dtlsprivatekey. 
For example:</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L507" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC507" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">       openssl dhparam -out ./dh.pem 2048</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L508" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC508" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">   - Because clients expect the server to prefer PFS, and because OpenSSL sorts</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L509" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation 
mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"><br></td><td id="inbox-inbox-LC509" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     its cipher suites by bit strength, see "openssl ciphers -v DEFAULT".</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L510" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC510" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     Consider re-ordering your cipher suites in the respective configuration</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L511" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC511" class="inbox-inbox-blob-code 
inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     file. For example:</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L512" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC512" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">       dtlscipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256</td></tr><tr style="box-sizing:border-box"><td id="inbox-inbox-L513" class="inbox-inbox-blob-num inbox-inbox-js-line-number" style="box-sizing:border-box;padding:0px 10px;width:50px;min-width:50px;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;line-height:20px;color:rgba(0,0,0,0.298039);text-align:right;white-space:nowrap;vertical-align:top;border-style:solid;border-color:rgb(238,238,238);border-width:0px 1px 0px 0px"></td><td id="inbox-inbox-LC513" class="inbox-inbox-blob-code inbox-inbox-blob-code-inner inbox-inbox-js-file-line" style="box-sizing:border-box;padding:0px 10px;line-height:20px;vertical-align:top;overflow:visible;font-family:consolas,'liberation mono',menlo,courier,monospace;font-size:12px;word-wrap:normal;white-space:pre">     which forces PFS and requires at least DTLS 1.2.



</td></tr></tbody></table></div></div></div></div>
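<p>A check for the dtlscipher values quoted in the CHANGES text above, as an added example that is not part of the original message or of Asterisk: it reads the Kx= column of <code>openssl ciphers -v</code> output and reports whether a cipher string expands to only forward-secret suites, none, or a mix. The function names and the sample lines are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not Asterisk code): judge whether a dtlscipher string offers
# forward secrecy by reading the Kx= column of `openssl ciphers -v` output.

# classify_kx: stdin = `openssl ciphers -v` lines; stdout = "<suite> PFS|NO-PFS".
classify_kx() {
    awk '
        NF == 0 || $2 == "TLSv1.3" { next }   # DTLS 1.2 never uses TLS 1.3 suites
        {
            kx = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /^Kx=/) kx = substr($i, 4)
            # Ephemeral exchanges print as ECDH, DH, ECDHEPSK or DHEPSK;
            # static ones as RSA, PSK, RSAPSK, ECDH/RSA (old OpenSSL), ...
            if (kx ~ /^(ECDH|DH|ECDHEPSK|DHEPSK)$/) print $1, "PFS"
            else print $1, "NO-PFS"
        }'
}

# pfs_verdict: reduce the classification to all-pfs, no-pfs, mixed or empty.
pfs_verdict() {
    classify_kx | awk '
        { if ($2 == "PFS") p++; else n++ }
        END {
            if (p + n == 0) print "empty"
            else if (n == 0) print "all-pfs"
            else if (p == 0) print "no-pfs"
            else print "mixed"
        }'
}

# check_dtlscipher: expand a cipher string with the locally installed OpenSSL.
check_dtlscipher() {
    openssl ciphers -v "$1" | pfs_verdict
}

# Constructed sample lines in `openssl ciphers -v` format for the two
# dtlscipher values quoted in the CHANGES text above.
SAMPLE_STATIC='AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'
SAMPLE_PFS='ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

printf '%s\n' "$SAMPLE_STATIC" | pfs_verdict
printf '%s\n' "$SAMPLE_PFS" | pfs_verdict
```

<p>On a host with OpenSSL installed, <code>check_dtlscipher 'AES128-SHA'</code> evaluates a string against the suites that build actually supports.</p>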