DTLS failure occurred on RTP instance due to reason 'sslv3 alert handshake failure'

I have Asterisk 13.2 installed on Ubuntu 14.04. I was successful in registering and setting up a call from my browser, and I can hear the audio. But since I updated my browser to Chrome version 54, the call gets disconnected when the audio starts playing after the call is connected. I tried with Firefox and it works fine.

This is the error I get:

[2016-08-29 11:27:58] ERROR[32682][C-00000003]: res_rtp_asterisk.c:2042 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7fb7e402e778' due to reason 'sslv3 alert handshake failure', terminating
[2016-08-29 11:27:58] WARNING[32682][C-00000003]: res_rtp_asterisk.c:3911 ast_rtcp_read: RTCP Read error: Unspecified. Hanging up.
[2016-08-29 11:27:58] WARNING[32682][C-00000003]: app_playback.c:493 playback_exec: Playback failed on SIP/6001-00000003 for demo-congrats

I googled this issue and found that it was a problem with openssl, so I updated my openssl from 1.0.1f to 1.0.1t, referring to this link. I also rebuilt my Asterisk 13.2, referring to this link. I am using sipml5 to make browser calls.

Can anyone please help me solve this issue?

This is my extension detail
[6001]
host=dynamic
secret=1234
context=from-internal
type=friend
encryption=yes
avpf=yes
force_avp=yes
icesupport=yes
directmedia=no
disallow=all
allow=ulaw,ws
dtlsenable=yes
dtlsverify=fingerprint
;dtlsverify=no
dtlscertfile=/etc/asterisk/keys/asterisk.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
nat=yes

I generated the cert file using the command below:
sudo ./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys

You can not use an old version of Asterisk and have it work as the browsers and WebRTC implementations change. You must use the latest version. You also have to ensure you are keeping up to date with the changes that browsers make and how they impact your usage. In this case you’ve probably gotten hit by the change for ECDSA which is not supported by Asterisk 13.2: https://developers.google.com/web/updates/2016/06/webrtc-ecdsa?hl=en and if not that specific one then something else.

Solved this issue by upgrading openssl.
Use the commands below to upgrade openssl in Ubuntu 14:

echo 'deb Index of /ubuntu xenial main restricted universe multiverse' > /etc/apt/sources.list.d/xenial.list
aptitude update
aptitude install -y openssl libssl-dev
rm /etc/apt/sources.list.d/xenial.list
aptitude update

Use the commands below to check the openssl version:

ldd /usr/sbin/asterisk | grep libssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f33ce117000)

strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep 1.0.2
OPENSSL_1.0.2
OPENSSL_1.0.2g
SSLv3 part of OpenSSL 1.0.2g-fips 1 Mar 2016
TLSv1 part of OpenSSL 1.0.2g-fips 1 Mar 2016
DTLSv1 part of OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL 1.0.2g-fips 1 Mar 2016

openssl version
OpenSSL 1.0.2g-fips 1 Mar 2016

After this, delete all existing Asterisk keys and recreate them:

cd /usr/src/asterisk*/contrib/scripts
sudo ./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys
asterisk -rx "reload"

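The version check from the post above, generalised into a script, as an added example that is not part of the original thread: it resolves the libssl that the Asterisk binary actually loads and compares that library's banner version against a minimum, since the `openssl` command-line tool can be upgraded while the daemon still links an older library. The function names are hypothetical, the sample `ldd` and `strings` lines are constructed from the outputs quoted above, and the 1.0.2 minimum is an assumption based on the version the poster ended up on.

```shell
#!/bin/sh
# Added example (not from the thread): which OpenSSL does Asterisk really load?

# stdin: `ldd <binary>` output. Prints the resolved path of libssl.
libssl_path_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# stdin: `strings <libssl>` output. Prints the version token (e.g. 1.0.2g)
# from the banner line "OpenSSL <version>[-fips] <date>".
openssl_version_from_strings() {
    sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\)[- ].*$/\1/p' | head -n 1
}

# Succeeds when dotted version $1 >= $2; trailing patch letters are ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[a-z]+$/, "", a); sub(/[a-z]+$/, "", b)
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Live check; needs ldd, strings (binutils) and an installed Asterisk binary.
# The 1.0.2 default minimum is an assumption based on the poster's result.
check_asterisk_openssl() {
    bin=${1:-/usr/sbin/asterisk}
    min=${2:-1.0.2}
    lib=$(ldd "$bin" | libssl_path_from_ldd)
    [ -n "$lib" ] || { echo "no libssl linked into $bin" >&2; return 2; }
    ver=$(strings "$lib" | openssl_version_from_strings)
    echo "$bin loads $lib (OpenSSL ${ver:-unknown})"
    [ -n "$ver" ] && version_ge "$ver" "$min"
}

# Constructed samples, based on the command outputs quoted in this thread.
SAMPLE_LDD='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f33ce117000)'
SAMPLE_STRINGS='OPENSSL_1.0.2g
SSLv3 part of OpenSSL 1.0.2g-fips  1 Mar 2016
OpenSSL 1.0.2g-fips  1 Mar 2016'

path=$(printf '%s\n' "$SAMPLE_LDD" | libssl_path_from_ldd)
ver=$(printf '%s\n' "$SAMPLE_STRINGS" | openssl_version_from_strings)
if version_ge "$ver" 1.0.2; then verdict="new enough"; else verdict="too old"; fi
echo "sample: $path is OpenSSL $ver ($verdict)"
```

On a host with Asterisk installed, call `check_asterisk_openssl /usr/sbin/asterisk 1.0.2`; a non-zero status means the linked library is older than the minimum or could not be identified.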