[HELP] DTLS-SRTP with certificate does not work

Hi, I am trying to use WebRTC with DTLS-SRTP to support the Firefox browser.

We create the certificates using the script ast_tls_cert from
/usr/src/asterisk-11.9.0/contrib/scripts
and I have confirmed that the fingerprint from the certificate is SHA-1.

We configure sip.conf to support DTLS-SRTP:

[8009]
language=pt_BR
context=default
trustrpid=yes
sendrpid=no
qualify=yes
qualifyfreq=600
type=friend                            ; we only want to call out, not be called
regexten=8009
secret=XXXX
encryption=yes
remotesecret=XXXX
defaultuser=8009                     ; Authentication user for outbound proxies
fromuser=8009                        ; Many SIP providers require this!
host=dynamic
avpf=yes
icesupport=yes
directmedia=no
dial=SIP/8009
disallow=all
allow=ulaw
;------------------------------------------------------------------------------
; DTLS-SRTP CONFIGURATION
dtlsenable=yes   
dtlsverify=no     
dtlsrekey=60      
dtlscertfile=/etc/asterisk/keys/asterisk.crt
dtlsprivatekey=/etc/asterisk/keys/asterisk.key
dtlscipher=ALL
dtlscapath=/etc/asterisk/keys/
dtlssetup = actpass                

We can connect to Asterisk using WebRTC (http://tryit.jssip.net/), but when we try to make a call, Asterisk says that the fingerprint hash is not supported (SHA-2).

[May 12 16:01:57] WARNING[25794][C-00000012]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog 'f770it9i9s6l1ku8pivt'

Some help?

Thanks

Ask the jssip people how to set sha1 instead of sha2. The error is very clear: Asterisk receives sha2, which is unsupported.

And I’m sure that the jssip guys will tell you that it is not their problem, so you will need to create a patch for jssip or Asterisk.

Maybe this thread can help: https://issues.asterisk.org/jira/browse/ASTERISK-22961

With the same config as you, I get this with jssip (and sipml5):

[May 28 13:40:19] WARNING[23134][C-00000002]: chan_sip.c:10445 process_sdp: Processed DTLS [FALSE]
[May 28 13:40:19] WARNING[23134][C-00000002]: chan_sip.c:10447 process_sdp: Rejecting secure audio stream without encryption details: audio 49760 RTP/SAVPF 111 103 104 0 8 106 105 13 126

I think mine is worse :blush:

Has anyone managed to get this working? It would be great to get some feedback from people who made it work.

You have to patch a lot to make this work. Very unstable now, not recommended for production.
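
Added example, not part of any post in this thread: a small Python check that reads an SDP offer, reports which hash function each a=fingerprint line names, and flags the ones a SHA-1-only receiver would reject, which is the situation in the warning in the first post. The SHA-1-only set, the function names and the sample offer are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumption: the receiver accepts only SHA-1 fingerprints, as the warning
# quoted in the thread implies for that Asterisk build.
SUPPORTED = {"sha-1"}
# a=fingerprint hash names from RFC 4572 that hashlib can compute.
RFC4572 = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
           "sha-384": "sha384", "sha-512": "sha512", "md5": "md5"}
FP_RE = re.compile(
    r"^a=fingerprint:(\S+)[ \t]+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)$")

def audit_offer(sdp, supported=SUPPORTED):
    """Return one (section, hash_name, status) tuple per a=fingerprint line."""
    section, findings = "session", []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            section = line[2:].split()[0]  # "audio", "video", ...
        if not line.startswith("a=fingerprint:"):
            continue
        m = FP_RE.match(line)
        if not m:
            findings.append((section, "", "malformed"))
            continue
        name = m.group(1).lower()  # compare hash names case-insensitively
        algo = RFC4572.get(name)
        if algo is None:
            status = "unknown-hash"
        elif hashlib.new(algo).digest_size != len(m.group(2).split(":")):
            status = "length-mismatch"  # digest length does not fit the name
        elif name not in supported:
            status = "unsupported"  # valid offer, but the receiver rejects it
        else:
            status = "ok"
        findings.append((section, name, status))
    return findings

def cert_fingerprint(der, name):
    """Format the digest of DER certificate bytes the way SDP carries it."""
    digest = hashlib.new(RFC4572[name], der).hexdigest().upper()
    return name + " " + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample input: placeholder bytes, not a real certificate or call.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "t=0 0",
    "m=audio 49760 RTP/SAVPF 0", "a=setup:actpass",
    "a=fingerprint:" + cert_fingerprint(SAMPLE_DER, "sha-256")])

if __name__ == "__main__":
    print(audit_offer(SAMPLE_OFFER))
```

Running the same check with `supported={"sha-1", "sha-256"}` shows what the offer would look like to a receiver that accepts both hash functions.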