DTLS failure occurred due to 'sslv3 alert handshake failure'


#1

Hi,

We are using a list of ciphers for ‘dtls_ciphers’ in our pjsip.conf file for every endpoint, along with our SSL certificates.

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Now that we are shifting to Realtime PJSIP, we used ‘Alembic’ to generate the Asterisk schema tables as described in: https://wiki.asterisk.org/wiki/display/AST/Setting+up+PJSIP+Realtime#SettingupPJSIPRealtime-ConfiguringODBC

But the ‘dtls_cipher’ variable in the ps_endpoints table has type varchar(200), so it cannot accept more than 200 characters. When I tried to remove a few ciphers (any of them), I got the error below and the call was declined.

ERROR[8067][C-00000007]: res_rtp_asterisk.c:2863 __rtp_recvfrom: DTLS failure occurred on RTP instance ‘0x7f770c01a048’ due to reason ‘sslv3 alert handshake failure’, terminating

I am seeing two approaches here:

  1. Remove all the ciphers and keep ‘ALL’, letting Asterisk decide which cipher to use. (I have tested this option.)

  2. Alter the dtls_cipher variable in the ps_endpoints table to accept more than 200 characters.

Which would be the right option? Any suggestion would be highly appreciated.
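Before choosing between the two options, it helps to see exactly what a varchar(200) column does to this particular string and whether whatever is left can still complete a DTLS handshake with the endpoint's certificate. The script below is an added example, not code from the post or from Asterisk. It uses the cipher string exactly as posted, models the column limit as a plain string cut (assumption: the database truncates silently rather than rejecting the row; in strict mode it would fail the insert instead), checks which suites match an RSA or ECDSA certificate key by the ECDHE-<auth>- prefix used in the posted names, and asks the local OpenSSL, through Python's ssl module, whether it can resolve the resulting list. Python has no DTLS context, but DTLS 1.2 uses the same suite names as TLS 1.2, so the parse check still applies; the certificate key type is an input you supply, since the post does not say which it is.

```python
import ssl

# Cipher string exactly as given in the post, and the column width it was hitting.
POSTED_DTLS_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
COLUMN_LIMIT = 200  # varchar(200) on ps_endpoints.dtls_cipher


def split_cipher_list(cipher_list):
    """Split an OpenSSL cipher string on ':' and drop empty pieces."""
    return [name for name in cipher_list.split(":") if name]


def truncate_like_column(cipher_list, limit):
    """Model a silent varchar(limit) truncation (assumption: the DB cuts rather
    than rejects). Returns (whole_names_kept, partial_tail); partial_tail is the
    cut-off fragment of a name, or '' when the cut lands on a name boundary."""
    if len(cipher_list) <= limit:
        return split_cipher_list(cipher_list), ""
    cut = cipher_list[:limit]
    if cut.endswith(":") or cipher_list[limit] == ":":
        return split_cipher_list(cut), ""
    whole, _, partial = cut.rpartition(":")
    return split_cipher_list(whole), partial


def fit_to_column(cipher_list, limit):
    """Trim to the longest prefix of whole names whose joined string fits in
    `limit` characters, keeping the original preference order."""
    kept = []
    for name in split_cipher_list(cipher_list):
        if len(":".join(kept + [name])) > limit:
            break
        kept.append(name)
    return ":".join(kept)


def usable_with_key(cipher_names, key_type):
    """Keep only suites whose authentication matches the certificate's key type
    ('RSA' or 'ECDSA'). ECDHE-ECDSA-* suites need an EC certificate, ECDHE-RSA-*
    an RSA one; a list with no suite for your key type cannot complete a handshake.
    Assumption: names follow the ECDHE-<auth>-... form used in the posted list."""
    prefix = "ECDHE-" + key_type + "-"
    return [name for name in cipher_names if name.startswith(prefix)]


def openssl_accepts(cipher_list):
    """Hand the string to the local OpenSSL through Python's ssl module and return
    the TLS 1.2 suite names it resolves ([] if it selects nothing). Python has no
    DTLS context, but DTLS 1.2 uses the same suite names as TLS 1.2, so this is a
    fair offline parse check; TLS 1.3 suites (TLS_*) are ignored."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def report(cipher_list, limit, key_type):
    """Summarise what survives the column limit and the certificate key type."""
    whole, partial = truncate_like_column(cipher_list, limit)
    fitted = fit_to_column(cipher_list, limit)
    return {
        "length": len(cipher_list),
        "over_limit": len(cipher_list) > limit,
        "whole_after_truncation": whole,
        "partial_tail": partial,
        "fitted": fitted,
        "usable_for_key": usable_with_key(split_cipher_list(fitted), key_type),
        "openssl_resolves": openssl_accepts(fitted),
    }


if __name__ == "__main__":
    for key in ("RSA", "ECDSA"):
        r = report(POSTED_DTLS_CIPHERS, COLUMN_LIMIT, key)
        print(f"{key}: {r['length']} chars, over limit: {r['over_limit']}")
        print("  fits in column:", r["fitted"])
        print("  usable with", key, "cert:", r["usable_for_key"])
        print("  OpenSSL resolves:", r["openssl_resolves"])
```

The posted string is 273 characters, and a cut at 200 happens to land on a separator, so the first seven suites survive intact while the AES-SHA256/SHA384 CBC suites at the end are lost; a cut at another length would leave a half name, which OpenSSL simply ignores. Whatever shortened list you end up with, run it through `openssl ciphers -v '<list>'` on the Asterisk host as well, and make sure at least one surviving suite matches the key type of the endpoint's certificate, because a list made only of ECDHE-ECDSA suites cannot be used with an RSA certificate and vice versa.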