Hi,
We are using a list of ciphers for ‘dtls_ciphers’ in our pjsip.conf file for every endpoint along with our ssl certificates.
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Now we are shifting to Realtime PJSIP, we used ‘Alembic’ to generate asterisk schema tables as given by: https://wiki.asterisk.org/wiki/display/AST/Setting+up+PJSIP+Realtime#SettingupPJSIPRealtime-ConfiguringODBC
But the ‘dtls_cipher’ variable in ps_endpoints table has type varchar(200). So it cannot accept more than 200 characters. When I tried to remove few ciphers (any of them) I am getting below error and call got declined.
ERROR[8067][C-00000007]: res_rtp_asterisk.c:2863 __rtp_recvfrom: DTLS failure occurred on RTP instance ‘0x7f770c01a048’ due to reason ‘sslv3 alert handshake failure’, terminating
I am seeing two approaches here:
-
Remove all the ciphers and keep ‘ALL’, let asterisk decide which cipher to use. (I have tested this option)
-
Alter dtls_cipher variable in ps_endpoints table to accept more than 200 chars.
Which will be the right option ? Any suggestion would be highly appreciated.