WebRTC: fingerprint in SDP offer

infinite3219 · June 19, 2019, 7:57pm

Hello,

We’re using PJSIP for signaling to setup WebRTC with Asterisk. We’re trying to get Asterisk to add this a=fingerprint option to the SDP offer so that our other endpoint will accept it, however, we are not able to get Asterisk to do that. This is the pjsip.conf (tried adding in sip.conf at same time, but didn’t make difference):

webrtc=yes
media_encryption=dtls
dtls_fingerprint=SHA-256
dtlscertfile=/opt/asterisk/etc/asterisk/keys/mycert.pem

I see code in Asterisk to add it based on the dtls_fingerprint option and media_encryption properties, but I’m not sure why it is not being added.

Any idea why this is happening? We are using Asterisk 15.5.0

This is what the current Asterisk-generated SDP offer looks like:

v=0
o=root 633057307 633057307 IN IP4 127.0.0.1
s=Asterisk PBX 15.5.0
c=IN IP4 127.0.0.1
t=0 0
m=audio 48958 RTP/AVP 0 8 3
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=maxptime:150
a=ice-ufrag:6e5eb33b5ed929ca552f9c17572789c7
a=ice-pwd:2824c0ff0d9b0266640f1e3c582ef5e6
a=candidate:Hc0a8c9c4 1 UDP 2130706431 192.168.201.196 48958 typ host
a=candidate:Hc0a8c9db 1 UDP 2130706431 192.168.201.219 48958 typ host
a=candidate:Hac110001 1 UDP 2130706431 172.17.0.1 48958 typ host
a=candidate:Hc0a8c9c4 2 UDP 2130706430 192.168.201.196 48959 typ host
a=candidate:Hc0a8c9db 2 UDP 2130706430 192.168.201.219 48959 typ host
a=candidate:Hac110001 2 UDP 2130706430 172.17.0.1 48959 typ host
a=rtcp-mux
a=sendrecv

jcolp · June 19, 2019, 8:00pm

What version of OpenSSL is in use? Older versions will not work and won’t build Asterisk with support for DTLS-SRTP.

You should also double check the endpoint in use and provide the actual full configuration for it.

jcolp · June 19, 2019, 8:09pm

I should also add that Asterisk 15.5.0 only receives security fixes. It’s advisable to upgrade to a supported version such as 16.

infinite3219 · June 19, 2019, 9:09pm

Thank you for the response. Asterisk is using OpenSSL 1.0.2g on Ubuntu 16.04. Does this version support DTLS-SRTP?

The other endpoint is Janus (https://janus.conf.meetecho.com/). It’s rejecting the offer made by Asterisk because it is missing the a=fingerprint option for DTLS.

jcolp · June 19, 2019, 9:10pm

And what about the actual configuration? Did you also double check the console output at startup to make sure everything was configured properly? (You can also use pjsip show endpoint to check)

infinite3219 · June 21, 2019, 12:45am

We are using Sipjs (https://sipjs.com/) to communicate with Asterisk. This is the configuration we use in sip.conf for this (previously thought we were using pjsip, but turns out it is sip with sip.conf):

;/etc/asterisk/sip.conf
[general]
udpbindaddr=127.0.0.1:5060
transport=udp,tls,ws,wss
externip=1.2.217.77
nat=force_rport,comedia
videosupport=no
directmedia=no
dtlsenable=yes ; Tell Asterisk to enable DTLS for this peer
webrtc=yes
dtlssetup=actpass ; Tell Asterisk to use actpass SDP parameter when setting up DTLS
rtcp_mux=yes
icesupport=yes
encryption=yes ; Tell Asterisk to use encryption for this peer
media_encryption=dtls
dtlsfingerprint=SHA-256
dtlscertfile=/opt/asterisk/etc/asterisk/keys/mycert.pem
media_encryption=dtls
dtlsenable=yes ; Tell Asterisk to enable DTLS for this peer
dtlsverify=fingerprint ; Tell Asterisk to verify DTLS fingerprint
dtlscertfile=/opt/asterisk/etc/asterisk/keys/asterisk.pem ; Tell Asterisk where your DTLS cert file is
dtlssetup=actpass ; Tell Asterisk to use actpass SDP parameter when setting up DTLS
rtcp_mux=yes ; Tell Asterisk to do RTCP mux
allow=opus

We can’t seem to get any DTLS parameters in the SDP offer.

Does Asterisk 15.5 work with OpenSSL 1.0.2g on Ubuntu 16.04 to support DTLS-SRTP?

Any idea what may be wrong with this configuration?

system · July 21, 2019, 12:48am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.