Mitja Kaučič | 8 Jan 08:21 2013

Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

I have a problem with the offer SDP that Firefox nightly generates. It writes out the following error on Asterisk:

WARNING[25424][C-00000004]: chan_sip.c:10936 process_sdp_a_dtls: Unsupported fingerprint hash
type 'sha-2' received on dialog '2457893540'
SDP:
v=0
o=Mozilla-SIPUA 14911 0 IN IP4 xxx
s=SIP Call
t=0 0
a=ice-ufrag:de2f016f
a=ice-pwd:5f6c1d1e785108256c0e9e94d2a5ee78
a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96
m=audio 60273 RTP/SAVPF 109 0 8 101
c=IN IP4 xxx
a=rtpmap:109 opus/48000/2
a=ptime:20
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv

After inspecting the code in chan_sip.c, method "process_sdp_a_dtls", it looks like only sha-1 is
supported, but Firefox uses sha-256:

if (!strcasecmp(hash, "sha-1")) {
        dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
} else {
        ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n", hash, p->callid);
}
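As an added example (not code from Asterisk or from anyone in this thread), here is how a DTLS-SRTP endpoint can parse the a=fingerprint attribute so that it does not fail on a browser that offers sha-256: it accepts every hash function name registered for the attribute by RFC 4572 (sha-1, sha-224, sha-256, sha-384, sha-512, md5, md2), sizes its name buffer for the longest of them, and refuses a value whose hex string is not exactly the length of the named digest. The five-character 'sha-2' in the warning above is consistent with the name being read into a buffer sized for "sha-1"; that is an inference from the log line, not something the thread confirms. The enum values, struct and function names below are this example's own, not Asterisk's AST_RTP_DTLS_HASH_* constants, and the sample input in main() is the Firefox offer quoted above.

```c
/* Added example, not Asterisk code: parse "a=fingerprint:<hash> <hex>" from SDP,
 * accepting the RFC 4572 hash names and validating the fingerprint length. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum fp_hash { FP_HASH_UNKNOWN = 0, FP_HASH_SHA1, FP_HASH_SHA224, FP_HASH_SHA256,
               FP_HASH_SHA384, FP_HASH_SHA512, FP_HASH_MD5, FP_HASH_MD2 };

struct fp_hash_info { const char *name; enum fp_hash id; size_t digest_len; };

/* Hash function names registered for a=fingerprint by RFC 4572, with digest sizes in bytes. */
static const struct fp_hash_info known_hashes[] = {
    { "sha-1",   FP_HASH_SHA1,   20 },
    { "sha-224", FP_HASH_SHA224, 28 },
    { "sha-256", FP_HASH_SHA256, 32 },
    { "sha-384", FP_HASH_SHA384, 48 },
    { "sha-512", FP_HASH_SHA512, 64 },
    { "md5",     FP_HASH_MD5,    16 },
    { "md2",     FP_HASH_MD2,    16 },
};

/* Parsed result: which hash, and the raw digest bytes the certificate must match. */
struct fingerprint {
    enum fp_hash hash;
    unsigned char digest[64];
    size_t digest_len;
};

/* Returns 0 on success, -1 on syntax error, -2 on an unknown hash name,
 * -3 when the hex string does not have exactly digest_len colon-separated bytes. */
int parse_fingerprint(const char *line, struct fingerprint *out)
{
    char hash[16];   /* room for "sha-256"; a 5-character read would yield "sha-2" */
    char value[256];
    const struct fp_hash_info *info = NULL;
    size_t i, n;

    if (!strncmp(line, "a=", 2))
        line += 2;
    if (sscanf(line, "fingerprint:%15s %255s", hash, value) != 2)
        return -1;

    for (i = 0; i < sizeof(known_hashes) / sizeof(known_hashes[0]); i++) {
        if (!strcasecmp(hash, known_hashes[i].name)) {
            info = &known_hashes[i];
            break;
        }
    }
    if (!info)
        return -2;

    /* digest_len hex byte pairs separated by ':' gives 3*len - 1 characters. */
    if (strlen(value) != 3 * info->digest_len - 1)
        return -3;
    for (n = 0; n < info->digest_len; n++) {
        const char *p = value + 3 * n;
        unsigned int byte;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -3;
        if (n + 1 < info->digest_len && p[2] != ':')
            return -3;
        sscanf(p, "%2x", &byte);
        out->digest[n] = (unsigned char)byte;
    }
    out->hash = info->id;
    out->digest_len = info->digest_len;
    return 0;
}

int main(void)
{
    /* Sample input: the a=fingerprint line from the Firefox offer quoted in the thread. */
    const char *offer_line = "a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:"
                             "27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96";
    struct fingerprint fp;
    int rc = parse_fingerprint(offer_line, &fp);
    printf("rc=%d hash=%d digest_len=%zu first=%02X last=%02X\n",
           rc, fp.hash, fp.digest_len, fp.digest[0], fp.digest[fp.digest_len - 1]);
    return rc != 0;
}
```

The length check matters beyond interoperability: the fingerprint is what binds the DTLS certificate to the signalling, so a value that is accepted but silently truncated or malformed weakens that binding; rejecting it at parse time keeps the later certificate comparison meaningful.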

Joshua Colp | 8 Jan 13:51 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Mitja Kaučič wrote:
> I have a problem with the offer SDP that Firefox nightly generates. It writes out the following error on Asterisk:
>
> WARNING[25424][C-00000004]: chan_sip.c:10936 process_sdp_a_dtls: Unsupported fingerprint hash
> type 'sha-2' received on dialog '2457893540'
> SDP:
> v=0
> o=Mozilla-SIPUA 14911 0 IN IP4 xxx
> s=SIP Call
> t=0 0
> a=ice-ufrag:de2f016f
> a=ice-pwd:5f6c1d1e785108256c0e9e94d2a5ee78
> a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96
> m=audio 60273 RTP/SAVPF 109 0 8 101
> c=IN IP4 xxx
> a=rtpmap:109 opus/48000/2
> a=ptime:20
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=sendrecv
>
> After inspecting the code in chan_sip.c, method "process_sdp_a_dtls", it looks like only sha-1 is
> supported, but Firefox uses sha-256:
> if (!strcasecmp(hash, "sha-1"))
> {
>                  dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
> } else {
>                  ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",hash, p->callid);

Mitja Kaučič | 8 Jan 14:23 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Hello Joshua,
Yes, that is the SDP that Mozilla generates now. They generate only a sha-256 fingerprint but accept all SHS variants:
https://bugzilla.mozilla.org/show_bug.cgi?id=825515

Maybe because sha-256 is more secure.

That is the whole SDP Mozilla generates, with video and data channel:
v=0
o=Mozilla-SIPUA 9899 0 IN IP4 0.0.0.0
s=SIP Call
t=0 0
a=ice-ufrag:b3de65be
a=ice-pwd:c5e2abb556e29dd9b0481835a728ae4a
a=fingerprint:sha-256 68:25:70:72:AA:87:63:4B:51:84:43:11:FF:93:67:FF:B6:E6:B8:9D:F6:55:ED:55:98:8B:EE:9B:A6:39:60:B7
m=audio 59608 RTP/SAVPF 109 0 8 101
c=IN IP4 ...
a=rtpmap:109 opus/48000/2
a=ptime:20
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=candidate:0 1 UDP 2111832319 ... 61851 typ host
a=candidate:1 1 UDP 1692467199 ... 59608 typ srflx raddr ... rport 61851
a=candidate:0 2 UDP 2111832318 ... 61852 typ host
a=candidate:1 2 UDP 1692467198 ... 52894 typ srflx raddr ... rport 61852
m=video 55730 RTP/SAVPF 120
c=IN IP4 ....
a=rtpmap:120 VP8/90000
a=sendrecv

Joshua Colp | 8 Jan 14:31 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Mitja Kaučič wrote:
> Hello Joshua, yes, that is the SDP that Mozilla generates now. They
> generate only a sha-256 fingerprint but accept all SHS variants
> https://bugzilla.mozilla.org/show_bug.cgi?id=825515 Maybe because
> sha-256 is more secure.

Once everything gets settled then yes, stuff will be evaluated again and 
SHA-256 fingerprint support may be added.

> Do you plan to come together with Mozilla into an agreement for the SDP
> format and WebRTC implementation, or is that something that is not on
> your agenda? And Google's implementation is also changing and in flux;
> do you want to be interoperable with Firefox and Mozilla? Because
> that is something we would need to be done.

There is no coming into agreement with Mozilla or Google. The WebRTC
standard defines what is in use and this is still being worked out. As 
you've stated actual implementations are still continuing to be in flux 
so until it's all settled and decided I've chosen to wait.

Other developers can certainly choose to try to keep up.

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com  & www.asterisk.org


Matthew Jordan | 15 Feb 22:53 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

On 01/08/2013 07:23 AM, Mitja Kaučič wrote:
> Hello Joshua,
> Yes, that is the SDP that Mozilla generates now. They generate only a sha-256 fingerprint but accept all SHS variants
> https://bugzilla.mozilla.org/show_bug.cgi?id=825515
> Maybe because sha-256 is more secure.
> 

<snip>

> Do you plan to come together with Mozilla into an agreement for the SDP format and WebRTC implementation, or is
> that something that is not on your agenda? And Google's implementation is also changing and in flux; do you
> want to be interoperable with Firefox and Mozilla?
> Because that is something we would need to be done.
> 

One comment here.

Asterisk is an open source project. Anyone can write a patch and ask
that it be included in the project; this includes adding support for
WebRTC features that they may need. While we certainly plan on making
Asterisk interoperate with the major browsers - once they stabilize so
that we don't chase a moving target - it is hugely appreciated when
interested parties contribute more than just requests for functionality.

We're here to help assist with people who decide to work on Asterisk
development, so if you absolutely *need* functionality in Asterisk that
isn't there, patches are a great start.

-- 
Matthew Jordan

Mitja Kaučič | 22 Feb 17:40 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Hello Joshua and Matthew.

I would be happy to contribute with a patch.
I just need the following info:
1. With which client can I test the current implementation of DTLS-SRTP on Asterisk?

2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes? Do I need dtlsverify and to set
dtls certificates for basic functionality?

That is all. I need a working client so that I can start with a working example and then work toward getting it
to work on Firefox.

Regards, M

-----Original Message-----
From: asterisk-dev-bounces <at> lists.digium.com [mailto:asterisk-dev-bounces <at> lists.digium.com] On
Behalf Of Matthew Jordan
Sent: Friday, February 15, 2013 10:53 PM
To: asterisk-dev <at> lists.digium.com
Subject: Re: [asterisk-dev] Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

On 01/08/2013 07:23 AM, Mitja Kaučič wrote:
> Hello Joshua,
> Yes, that is the SDP that Mozilla generates now. They generate only a sha-256 fingerprint but accept all SHS variants
> https://bugzilla.mozilla.org/show_bug.cgi?id=825515

> Maybe because sha-256 is more secure.
>

<snip>


Matthew Jordan | 22 Feb 22:09 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
> Hello Joshua and Matthew.
> 
> I would be happy to contribute with a patch.
> I just need the following info:
> 1. With which client can I test the current implementation of DTLS-SRTP on Asterisk?

They're rather hard to find.

When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
exhaustive search looking for clients that (a) supported DTLS-SRTP and
(b) could be pointed at Asterisk. At the time, no clients met both
criteria. Those that did support DTLS-SRTP were working hard on creating
closed networks that did not allow another B2BUA to participate.

We tested it by pointing two Asterisk instances at each other and
running Wireshark. And staring at a lot of pcaps.

That situation may have changed.

> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes? Do I need dtlsverify and to set
> dtls certificates for basic functionality?

You need a bit more than that. You'll need:
1) The correct version of OpenSSL that supports DTLS installed and
Asterisk built using it
2) CA and cert files generated that will be used by the RTP engine
3) Properly configured endpoints. For a test run of Asterisk <->
Asterisk, the configuration of one instance of Asterisk looked something
like this:

Daniel Pocock | 24 Jan 10:28 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

On 22/02/13 22:09, Matthew Jordan wrote:
> On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
>> Hello Joshua and Matthew.
>>
>> I would be happy to contribute with a patch.
>> I just need the following info:
>> 1. With which client can I test the current implementation of DTLS-SRTP on Asterisk?
> They're rather hard to find.
>
> When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
> exhaustive search looking for clients that (a) supported DTLS-SRTP and
> (b) could be pointed at Asterisk. At the time, no clients met both
> criteria. Those that did support DTLS-SRTP were working hard on creating
> closed networks that did not allow another B2BUA to participate.
>
> We tested it by pointing two Asterisk instances at each other and
> running Wireshark. And staring at a lot of pcaps.
>
> That situation may have changed.
>
>> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes? Do I need dtlsverify and to
>> set dtls certificates for basic functionality?
> You need a bit more than that. You'll need:
> 1) The correct version of OpenSSL that supports DTLS installed and
> Asterisk built using it
> 2) CA and cert files generated that will be used by the RTP engine
> 3) Properly configured endpoints. For a test run of Asterisk <->
> Asterisk, the configuration of one instance of Asterisk looked something
> like this:
> [snip]

Lorenzo Miniero | 24 Jan 10:59 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.

Lorenzo


2014/1/24 Daniel Pocock <daniel <at> pocock.com.au>
On 22/02/13 22:09, Matthew Jordan wrote:
> On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
>> Hello Joshua and Matthew.
>>
>> I would be happy to contribute with a patch.
>> I just need the following info:
>> 1. With which client can I test the current implementation of DTLS-SRTP on Asterisk?
> They're rather hard to find.
>
> When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
> exhaustive search looking for clients that (a) supported DTLS-SRTP and
> (b) could be pointed at Asterisk. At the time, no clients met both
> criteria. Those that did support DTLS-SRTP were working hard on creating
> closed networks that did not allow another B2BUA to participate.
>
> We tested it by pointing two Asterisk instances at each other and
> running Wireshark. And staring at a lot of pcaps.
>
> That situation may have changed.
>
>> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes? Do I need dtlsverify and to set dtls certificates for basic functionality?
> You need a bit more than that. You'll need:
> 1) The correct version of OpenSSL that supports DTLS installed and
> Asterisk built using it
> 2) CA and cert files generated that will be used by the RTP engine
> 3) Properly configured endpoints. For a test run of Asterisk <->
> Asterisk, the configuration of one instance of Asterisk looked something
> like this:
> [snip]

Was any patch contributed? Can anybody comment on whether DTLS-SRTP
support has been extended to work with Firefox yet?

With the Asterisk 11.7 packages on Debian, calls from Mozilla users are
rejected with the sha-2 errors (see the errors and my config below).

Notice that I even tried with dtlsverify=no and dtlscipher=ALL and it
still fails.

OpenSSL version is 1.0.1e-2+deb7u3

Users are encountering this problem on the public test site
http://www.sip5060.net/test-calls - e.g.
http://danielpocock.com/comment/11269#comment-11269


[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:11034
process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received
on dialog 'j9quvgkcjme7psetsr4q'
[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:10487
process_sdp: Rejecting secure audio stream without encryption details:
audio 51556 RTP/SAVPF 109 0 8 101

dtlsenable = yes
dtlsverify = no
; dtlsrekey = 60
dtlscertfile = /etc/ssl/ssl.crt/wsrelay.sip5060.net.pem
dtlsprivatekey = /etc/ssl/private/wsrelay.sip5060.net-key.pem
dtlscipher = ALL  ; Cipher to use for TLS negotiation
;                 ; A list of valid SSL cipher strings can be found at:
;                 ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
; dtlscafile = file                  ; Path to certificate authority certificate
dtlscapath = /etc/ssl/certs
dtlssetup = passive



--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev

Daniel Pocock | 24 Jan 16:22 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

On 24/01/14 10:59, Lorenzo Miniero wrote:
Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.


Thanks for this, I've tested with it.

Two things were necessary for success with Firefox:
a) I applied Nitesh's patch to the latest 11.7 from Debian (it is on a branch dtls-srtp-patch); it builds on wheezy and appears to work
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=shortlog;h=refs/heads/dtls-srtp-patch
Anybody wanting to test can clone from there and then
  dpkg-buildpackage -rfakeroot -i.git
to build packages with the change.  This has not been uploaded in any official packages, I let the package maintainers decide if they want to support the patch.

b) I had to work around the issue with the media descriptor protocol sub-field.  In JSCommunicator (using the branch "develop" from JsSIP), I look at the field in the outgoing and incoming INVITE and change it to/from the Asterisk format:
https://github.com/opentelecoms-org/jscommunicator/commit/6980f8e1c3311c46154b3840d695f0ddc9c8c8ae

It can now be tested with the links at http://www.sip5060.net/test-calls and/or from http://www.lumicall.org/drucall - both now appear to work from Firefox and it appears to maintain compatibility for calls between JSCommunicator users.

However, I'd like to understand if I really should have the patch/hack in JSCommunicator at all - should Asterisk be willing to accept SDP specifying "RTP/SAVPF" alone?  If so, then I can cut out half the JSCommunicator patch.




Nitesh Bansal | 27 Jan 16:17 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Hello everyone,

Continuing on the DTLS-SRTP topic, I need Asterisk to be able to retry the DTLS handshake in case there is no response from the peer to the first attempted handshake.
This is happening when I use the media-proxy with Asterisk: the media-proxy is sending DTLS data before completing the ICE handshake, so DTLS messages are being
sent to an ICE candidate which is different from the finally selected ICE candidate. In this case, I would like Asterisk to re-attempt the DTLS handshake after a specific timeout.
Any pointers on how this can be done (I can think of scheduling a timer)?
P.S.: With the media-proxy, Asterisk sees the de-ICEd SDP; the media-proxy is handling the ICE handshake on its own.

Regards,
Nitesh Bansal



On Fri, Jan 24, 2014 at 4:22 PM, Daniel Pocock <daniel <at> pocock.com.au> wrote:
On 24/01/14 10:59, Lorenzo Miniero wrote:
Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.


Thanks for this, I've tested with it

Two things were necessary for success with Firefox:
a) I applied Nitesh's patch to the latest 11.7 from Debian (it is on a branch dtls-srtp-patch); it builds on wheezy and appears to work
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=shortlog;h=refs/heads/dtls-srtp-patch
Anybody wanting to test can clone from there and then
  dpkg-buildpackage -rfakeroot -i.git
to build packages with the change.  This has not been uploaded in any official packages, I let the package maintainers decide if they want to support the patch.

b) I had to work around the issue with the media descriptor protocol sub-field.  In JSCommunicator (using the branch "develop" from JsSIP), I look at the field in the outgoing and incoming INVITE and change it to/from the Asterisk format:
https://github.com/opentelecoms-org/jscommunicator/commit/6980f8e1c3311c46154b3840d695f0ddc9c8c8ae

It can now be tested with the links at http://www.sip5060.net/test-calls and/or from http://www.lumicall.org/drucall - both now appear to work from Firefox and it appears to maintain compatibility for calls between JSCommunicator users.

However, I'd like to understand if I really should have the patch/hack in JSCommunicator at all - should Asterisk be willing to accept SDP specifying "RTP/SAVPF" alone?  If so, then I can cut out half the JSCommunicator patch.





Nitesh Bansal | 28 Jan 17:40 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

I have another question on the same topic: whether I use the media-proxy or not, I assume that DTLS message retransmissions need to be handled.
I would like some pointers on how we can handle retransmissions in Asterisk.
P.S.: I am not an expert on the OpenSSL library, so I don't know much about how it functions internally.

Regards,
Nitesh


On Mon, Jan 27, 2014 at 4:17 PM, Nitesh Bansal <nitesh.bansal <at> gmail.com> wrote:
Hello everyone,

Continuing on the DTLS-SRTP topic, I need Asterisk to be able to retry the DTLS handshake in case there is no response from the peer to the first attempted handshake.
This is happening when I use the media-proxy with Asterisk: the media-proxy is sending DTLS data before completing the ICE handshake, so DTLS messages are being
sent to an ICE candidate which is different from the finally selected ICE candidate. In this case, I would like Asterisk to re-attempt the DTLS handshake after a specific timeout.
Any pointers on how this can be done (I can think of scheduling a timer)?
P.S.: With the media-proxy, Asterisk sees the de-ICEd SDP; the media-proxy is handling the ICE handshake on its own.

Regards,
Nitesh Bansal



On Fri, Jan 24, 2014 at 4:22 PM, Daniel Pocock <daniel <at> pocock.com.au> wrote:
On 24/01/14 10:59, Lorenzo Miniero wrote:
Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.


Thanks for this, I've tested with it

Two things were necessary for success with Firefox:
a) I applied Nitesh's patch to the latest 11.7 from Debian (it is on a branch dtls-srtp-patch); it builds on wheezy and appears to work
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=shortlog;h=refs/heads/dtls-srtp-patch
Anybody wanting to test can clone from there and then
  dpkg-buildpackage -rfakeroot -i.git
to build packages with the change.  This has not been uploaded in any official packages, I let the package maintainers decide if they want to support the patch.

b) I had to work around the issue with the media descriptor protocol sub-field.  In JSCommunicator (using the branch "develop" from JsSIP), I look at the field in the outgoing and incoming INVITE and change it to/from the Asterisk format:
https://github.com/opentelecoms-org/jscommunicator/commit/6980f8e1c3311c46154b3840d695f0ddc9c8c8ae

It can now be tested with the links at http://www.sip5060.net/test-calls and/or from http://www.lumicall.org/drucall - both now appear to work from Firefox and it appears to maintain compatibility for calls between JSCommunicator users.

However, I'd like to understand if I really should have the patch/hack in JSCommunicator at all - should Asterisk be willing to accept SDP specifying "RTP/SAVPF" alone?  If so, then I can cut out half the JSCommunicator patch.





Lorenzo Miniero | 28 Jan 20:06 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Hi Nitesh,

openssl normally handles retransmissions by itself, but considering that in Asterisk the network is handled by pjnath, this needs to be taken care of manually. You can find some details about how this can be done here:


I describe the (very simple and rough) approach I used in one of my implementations there, while Rajarshi added some definitely useful details on how to implement retransmissions the right way. Any of them might be added to Asterisk in order to retransmit lost packets.

Lorenzo




2014-01-28 Nitesh Bansal <nitesh.bansal <at> gmail.com>
I have another question on the same topic: whether I use the media-proxy or not, I assume that DTLS message retransmissions need to be handled.
I would like some pointers on how we can handle retransmissions in Asterisk.
P.S.: I am not an expert on the OpenSSL library, so I don't know much about how it functions internally.

Regards,
Nitesh


On Mon, Jan 27, 2014 at 4:17 PM, Nitesh Bansal <nitesh.bansal <at> gmail.com> wrote:
Hello everyone,

Continuing on the DTLS-SRTP topic, I need Asterisk to be able to retry the DTLS handshake in case there is no response from the peer to the first attempted handshake.
This is happening when I use the media-proxy with Asterisk: the media-proxy is sending DTLS data before completing the ICE handshake, so DTLS messages are being
sent to an ICE candidate which is different from the finally selected ICE candidate. In this case, I would like Asterisk to re-attempt the DTLS handshake after a specific timeout.
Any pointers on how this can be done (I can think of scheduling a timer)?
P.S.: With the media-proxy, Asterisk sees the de-ICEd SDP; the media-proxy is handling the ICE handshake on its own.

Regards,
Nitesh Bansal



On Fri, Jan 24, 2014 at 4:22 PM, Daniel Pocock <daniel <at> pocock.com.au> wrote:
On 24/01/14 10:59, Lorenzo Miniero wrote:
Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.


Thanks for this, I've tested with it

Two things were necessary for success with Firefox:
a) I applied Nitesh's patch to the latest 11.7 from Debian (it is on a branch dtls-srtp-patch); it builds on wheezy and appears to work
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=shortlog;h=refs/heads/dtls-srtp-patch
Anybody wanting to test can clone from there and then
  dpkg-buildpackage -rfakeroot -i.git
to build packages with the change.  This has not been uploaded in any official packages, I let the package maintainers decide if they want to support the patch.

b) I had to work around the issue with the media descriptor protocol sub-field.  In JSCommunicator (using the branch "develop" from JsSIP), I look at the field in the outgoing and incoming INVITE and change it to/from the Asterisk format:
https://github.com/opentelecoms-org/jscommunicator/commit/6980f8e1c3311c46154b3840d695f0ddc9c8c8ae

It can now be tested with the links at http://www.sip5060.net/test-calls and/or from http://www.lumicall.org/drucall - both now appear to work from Firefox and it appears to maintain compatibility for calls between JSCommunicator users.

However, I'd like to understand if I really should have the patch/hack in JSCommunicator at all - should Asterisk be willing to accept SDP specifying "RTP/SAVPF" alone?  If so, then I can cut out half the JSCommunicator patch.





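The retransmission that Nitesh asks about, and that Lorenzo says has to be done by hand when the packets are carried by pjnath rather than by OpenSSL's own socket, comes down to a timer state machine. The following is an added example, not code from Asterisk, pjnath or anyone in the thread: it keeps a copy of the last handshake flight, resends it when the timer expires, doubles the interval from 1 second up to a 60 second cap as RFC 6347 section 4.2.4.1 describes, cancels the timer once the peer's next flight arrives, and gives up after a caller-chosen number of retries. The clock and the send function are injected so it runs offline; the transport, the flight bytes and the timeline in demo_run() are constructed for the demonstration.

```c
/* Added example, not Asterisk or pjnath code: RFC 6347 style retransmission of
 * the last DTLS handshake flight, driven by an injected clock and transport. */
#include <stddef.h>
#include <string.h>

#define DTLS_INITIAL_TIMEOUT_MS 1000   /* RFC 6347: start at 1 second */
#define DTLS_MAX_TIMEOUT_MS     60000  /* ... doubling up to 60 seconds */

typedef int (*send_fn)(const unsigned char *flight, size_t len, void *ctx);

struct dtls_retx {
    unsigned char flight[512];   /* copy of the last flight we sent */
    size_t flight_len;
    long deadline_ms;            /* absolute time of the next retransmit, -1 when idle */
    long timeout_ms;             /* current backoff interval */
    int retransmits;             /* how many times the flight has been resent */
    int max_retransmits;         /* caller-chosen cap; bounds how long a stalled handshake resends */
    send_fn send;
    void *send_ctx;
};

void dtls_retx_init(struct dtls_retx *r, send_fn send, void *ctx, int max_retransmits)
{
    memset(r, 0, sizeof(*r));
    r->deadline_ms = -1;
    r->timeout_ms = DTLS_INITIAL_TIMEOUT_MS;
    r->send = send;
    r->send_ctx = ctx;
    r->max_retransmits = max_retransmits;
}

/* Send a new flight: remember it, reset the backoff and arm the timer. */
int dtls_retx_send_flight(struct dtls_retx *r, const unsigned char *flight, size_t len, long now_ms)
{
    if (len > sizeof(r->flight))
        return -1;
    memcpy(r->flight, flight, len);
    r->flight_len = len;
    r->retransmits = 0;
    r->timeout_ms = DTLS_INITIAL_TIMEOUT_MS;
    r->deadline_ms = now_ms + r->timeout_ms;
    return r->send(flight, len, r->send_ctx);
}

/* The peer's next flight arrived, so ours was delivered: stop the timer. */
void dtls_retx_flight_acked(struct dtls_retx *r)
{
    r->deadline_ms = -1;
    r->timeout_ms = DTLS_INITIAL_TIMEOUT_MS;
}

/* Called from a scheduler. Returns 1 if the flight was resent, 0 if nothing was
 * due, -1 if the retry cap was hit (the handshake should be failed). */
int dtls_retx_tick(struct dtls_retx *r, long now_ms)
{
    if (r->deadline_ms < 0 || now_ms < r->deadline_ms)
        return 0;
    if (r->retransmits >= r->max_retransmits) {
        r->deadline_ms = -1;
        return -1;
    }
    r->retransmits++;
    r->timeout_ms *= 2;
    if (r->timeout_ms > DTLS_MAX_TIMEOUT_MS)
        r->timeout_ms = DTLS_MAX_TIMEOUT_MS;
    r->deadline_ms = now_ms + r->timeout_ms;
    r->send(r->flight, r->flight_len, r->send_ctx);
    return 1;
}

/* Next absolute deadline, or -1 when idle, so the caller can arm a real timer. */
long dtls_retx_next_deadline(const struct dtls_retx *r) { return r->deadline_ms; }

/* Constructed transport: counts sends; stands in for a peer whose first packets
 * went to an ICE candidate that was never selected. */
struct demo_transport { int sends; };

static int demo_send(const unsigned char *flight, size_t len, void *ctx)
{
    (void)flight; (void)len;
    ((struct demo_transport *)ctx)->sends++;
    return 0;
}

/* Constructed timeline: flight at t=0, resent at 1 s and 3 s, then the peer
 * answers. Returns the total number of transmissions (3). */
int demo_run(void)
{
    struct demo_transport t = { 0 };
    struct dtls_retx r;
    unsigned char client_hello[] = "ClientHello";  /* placeholder flight bytes */
    dtls_retx_init(&r, demo_send, &t, 5);
    dtls_retx_send_flight(&r, client_hello, sizeof(client_hello), 0);
    dtls_retx_tick(&r, 500);    /* not yet due */
    dtls_retx_tick(&r, 1000);   /* 1 s: first resend, next due at 3 s */
    dtls_retx_tick(&r, 2000);   /* not yet due */
    dtls_retx_tick(&r, 3000);   /* 3 s: second resend, next due at 7 s */
    dtls_retx_flight_acked(&r); /* peer's flight arrives */
    dtls_retx_tick(&r, 7000);   /* idle: nothing sent */
    return t.sends;
}
```

When OpenSSL itself performs the handshake over memory BIOs, this loop is exactly what the library expects its caller to provide: DTLSv1_get_timeout() reports when the next retransmission is due and DTLSv1_handle_timeout() performs it, so the scheduler only has to wake up at the reported time and call the handler. The retry cap is worth keeping in either design, since an endpoint that resends forever towards an unresponsive address is both a resource drain and a small amplification source.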
Nitesh Bansal | 29 Jan 09:59 2014

Re: Asterisk 11; WEBRTC firefox nightly build fingerprint sha-256

Thanks Lorenzo, I would look into it and see how it can be added to Asterisk.
If it works fine, I would submit another patch.

Regards,
Nitesh



On Tue, Jan 28, 2014 at 8:06 PM, Lorenzo Miniero <lminiero <at> gmail.com> wrote:
Hi Nitesh,

openssl normally handles retransmissions by itself, but considering that in Asterisk the network is handled by pjnath, this needs to be taken care of manually. You can find some details about how this can be done here:


I describe the (very simple and rough) approach I used in one of my implementations there, while Rajarshi added some definitely useful details on how to implement retransmissions the right way. Any of them might be added to Asterisk in order to retransmit lost packets.

Lorenzo




2014-01-28 Nitesh Bansal <nitesh.bansal <at> gmail.com>

I have another question on the same topic: whether I use the media-proxy or not, I assume that DTLS message retransmissions need to be handled.
I would like some pointers on how we can handle retransmissions in Asterisk.
P.S.: I am not an expert on the OpenSSL library, so I don't know much about how it functions internally.

Regards,
Nitesh


On Mon, Jan 27, 2014 at 4:17 PM, Nitesh Bansal <nitesh.bansal <at> gmail.com> wrote:
Hello everyone,

Continuing on the DTLS-SRTP topic, I need Asterisk to be able to retry the DTLS handshake in case there is no response from the peer to the first attempted handshake.
This is happening when I use the media-proxy with Asterisk: the media-proxy is sending DTLS data before completing the ICE handshake, so DTLS messages are being
sent to an ICE candidate which is different from the finally selected ICE candidate. In this case, I would like Asterisk to re-attempt the DTLS handshake after a specific timeout.
Any pointers on how this can be done (I can think of scheduling a timer)?
P.S.: With the media-proxy, Asterisk sees the de-ICEd SDP; the media-proxy is handling the ICE handshake on its own.

Regards,
Nitesh Bansal



On Fri, Jan 24, 2014 at 4:22 PM, Daniel Pocock <daniel <at> pocock.com.au> wrote:
On 24/01/14 10:59, Lorenzo Miniero wrote:
Hi Daniel,

the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:


Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.


Thanks for this, I've tested with it

Two things were necessary for success with Firefox:
a) I applied Nitesh's patch to the latest 11.7 from Debian (it is on a branch dtls-srtp-patch); it builds on wheezy and appears to work
http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git;a=shortlog;h=refs/heads/dtls-srtp-patch
Anybody wanting to test can clone from there and then
  dpkg-buildpackage -rfakeroot -i.git
to build packages with the change.  This has not been uploaded in any official packages, I let the package maintainers decide if they want to support the patch.

b) I had to work around the issue with the media descriptor protocol sub-field.  In JSCommunicator (using the branch "develop" from JsSIP), I look at the field in the outgoing and incoming INVITE and change it to/from the Asterisk format:
https://github.com/opentelecoms-org/jscommunicator/commit/6980f8e1c3311c46154b3840d695f0ddc9c8c8ae

It can now be tested with the links at http://www.sip5060.net/test-calls and/or from http://www.lumicall.org/drucall - both now appear to work from Firefox and it appears to maintain compatibility for calls between JSCommunicator users.

However, I'd like to understand if I really should have the patch/hack in JSCommunicator at all - should Asterisk be willing to accept SDP specifying "RTP/SAVPF" alone?  If so, then I can cut out half the JSCommunicator patch.





--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev



Mitja Kaučič | 9 Jan 11:50 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

I understand. But how then can the config setting dtlscipher work?
In the default config it is stated:
dtlscipher = <SSL cipher string>   ; Cipher to use for TLS negotiation;
                                   ; A list of valid SSL cipher strings can be found at:
                                   ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

In that list SHA256 is also listed.

But in the chan_sip.c code, method "process_sdp_a_dtls" only supports "sha-1" when reading the SDP;
there could be an issue coming from this. In the end there will be different types of fingerprint for sure;
Google says something about SHA-224. There should be more/all encryptions supported.

Regards M


-----Original Message-----
From: asterisk-dev-bounces <at> lists.digium.com [mailto:asterisk-dev-bounces <at> lists.digium.com] On
Behalf Of Joshua Colp
Sent: Tuesday, January 08, 2013 1:52 PM
To: Asterisk Developers Mailing List
Subject: Re: [asterisk-dev] Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

Mitja Kaučič wrote:
> I have a problem with the offer SDP that Firefox nightly generates. It writes out the following error on Asterisk:
>
> WARNING[25424][C-00000004]: chan_sip.c:10936 process_sdp_a_dtls: Unsupported fingerprint hash
> type 'sha-2' received on dialog '2457893540'
> SDP:
> v=0
> o=Mozilla-SIPUA 14911 0 IN IP4 xxx
> s=SIP Call
> t=0 0
> a=ice-ufrag:de2f016f
> a=ice-pwd:5f6c1d1e785108256c0e9e94d2a5ee78
> a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96
> m=audio 60273 RTP/SAVPF 109 0 8 101
> c=IN IP4 xxx
> a=rtpmap:109 opus/48000/2
> a=ptime:20
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=sendrecv
>
> After inspecting the code in chan_sip.c, method "process_sdp_a_dtls", it looks like only sha-1 is
> supported, but Firefox uses sha-256:
> if (!strcasecmp(hash, "sha-1"))
> {
>                  dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
> } else {
>                  ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",hash, p->callid);
> }
>
> Is there support for sha-256 in Asterisk, is there a plan to support it, and when?

There's no current issue for doing this, so no plan to. The SDP above is
also weird... the fingerprint is used for DTLS-SRTP but the SDP doesn't
show DTLS-SRTP.

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com  & www.asterisk.org




The forwarded document is intended exclusively for the recipient (or the person responsible for delivering
this message to the recipient) and for persons entitled, on the basis of their responsibilities, to know the
information contained in the document. The forwarded document may be used only for the purpose agreed
between the sender and the recipient. Any other forwarding, reproduction or use of the document is not
permitted. The document comprises all data, in whatever form, contained in this e-mail. If you have received
this message because of an error in the address or in the transmission of the message, please notify the
sender of the e-mail.

Privileged/confidential information may be contained in this message. This communication is
confidential and intended solely for the addressee(s). Unauthorized distribution, modification or
disclosure of the contents may be unlawful. If you receive this in error, please notify the sender and
delete it from your system.  If you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver this message to anyone.
Joshua Colp | 9 Jan 13:28 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

Mitja Kaučič wrote:
> I understand. But how then can the config setting dtlscipher work? In
> the default config it is stated: dtlscipher =<SSL cipher string>    ;
> Cipher to use for TLS negotiation;
> ; A list of valid SSL cipher strings can be found at:
> http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS In that
> list SHA256 is also listed.

That's because we use OpenSSL for DTLS support. Whatever your OpenSSL is 
built with is supported.

> But in the chan_sip.c code, method "process_sdp_a_dtls" only supports "sha-1"
> when reading the SDP; there could be an issue coming from
> this. In the end there will be different types of fingerprint for
> sure; Google says something about SHA-224. There should be more/all
> encryptions supported.

Sure. Like I've said once stuff stabilizes then it can be revisited. 
Just a clarification though - the fingerprint isn't used for encryption. 
It's for verification purposes.

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com  & www.asterisk.org

Mitja Kaučič | 15 Feb 21:49 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

Thank you for all the answers!
So if I understand correctly, there is a possibility that a call from Mozilla nightly will work if you build
Asterisk with an OpenSSL library that supports SHA256. Or do I need to change the code inside
chan_sip.c where the verification is going on?

I think it is clear now that Mozilla will only support DTLS-SRTP for encryption. Google and Mozilla achieved
"interoperability" with DTLS, so Google is also supporting DTLS.
More on that:
http://www.webrtc.org/interop

Do you plan something in that regard? It would be great if Asterisk would continue to be at the forefront
of WEBRTC development.

Thank you and regards Mitja


-----Original Message-----
From: asterisk-dev-bounces <at> lists.digium.com [mailto:asterisk-dev-bounces <at> lists.digium.com] On
Behalf Of Joshua Colp
Sent: Wednesday, January 09, 2013 1:28 PM
To: Asterisk Developers Mailing List
Subject: Re: [asterisk-dev] Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

Mitja Kaučič wrote:
> I understand. But how then can the config setting dtlscipher work? In
> the default config it is stated: dtlscipher =<SSL cipher string>    ;
> Cipher to use for TLS negotiation;
> ; A list of valid SSL cipher strings can be found at:
> http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS In that
> list SHA256 is also listed.

That's because we use OpenSSL for DTLS support. Whatever your OpenSSL is
built with is supported.

> But in the chan_sip.c code, method "process_sdp_a_dtls" only supports "sha-1"
> when reading the SDP; there could be an issue coming from
> this. In the end there will be different types of fingerprint for
> sure; Google says something about SHA-224. There should be more/all
> encryptions supported.

Sure. Like I've said once stuff stabilizes then it can be revisited.
Just a clarification though - the fingerprint isn't used for encryption.
It's for verification purposes.

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com  & www.asterisk.org




Joshua Colp | 15 Feb 21:51 2013

Re: Asterisk 11; WEBRTC firefox nightly build fingeprint sha-256

Mitja Kaučič wrote:
> Thank you for all the answers! So if I understand correctly there is
> a possibility that a call from Mozilla nightly will work if you build
> Asterisk with an OpenSSL library that supports SHA256. Or
> do I need to change the code inside chan_sip.c where the verification
> is going on?

The code does not presently support SHA256, it has to be explicitly added.

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com  & www.asterisk.org
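Two things in this thread come down to how two SDP lines are parsed: the a=fingerprint hash name that chan_sip rejected as "sha-2", and Joshua's observation that the Firefox offer carries a fingerprint while its m= line says plain RTP/SAVPF rather than the DTLS-SRTP profile. The following C is an added example, not Asterisk's code and not the patches mentioned above. It accepts every hash name RFC 4572 defines for a=fingerprint (with the digest length each one implies), checks the m= profile against the UDP/TLS/RTP/SAVP(F) names from RFC 5764, and then does the step the fingerprint exists for: a constant-time comparison against the digest of the certificate the peer presents in the DTLS handshake. That certificate digest is supplied by the caller here (in Asterisk it would come from OpenSSL's X509_digest()); the sample offers are constructed from the SDP quoted in the thread, and the self-check in main() only shows the comparison mechanics.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hash functions RFC 4572 allows in a=fingerprint, with their digest sizes. */
static const struct hash_alg { const char *name; size_t digest_len; } hash_algs[] = {
    {"sha-1", 20}, {"sha-224", 28}, {"sha-256", 32},
    {"sha-384", 48}, {"sha-512", 64}, {"md5", 16}, {"md2", 16},
};

struct fingerprint { const struct hash_alg *alg; unsigned char digest[64]; size_t len; };

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Parse "<hash-func> <HH:HH:...>", the text after "a=fingerprint:".
 * 0 = ok, -1 = unknown hash name (chan_sip's "Unsupported fingerprint hash
 * type" case), -2 = malformed hex, -3 = digest length does not fit the hash. */
int parse_fingerprint(const char *value, struct fingerprint *out)
{
    char hash[16];
    size_t n = 0;
    const char *p = value;

    for (; *p && !isspace((unsigned char)*p); p++) {
        if (n + 1 >= sizeof hash) return -1;
        hash[n++] = (char)tolower((unsigned char)*p);   /* names are case-insensitive */
    }
    hash[n] = '\0';
    while (isspace((unsigned char)*p)) p++;

    out->alg = NULL;
    for (size_t i = 0; i < sizeof hash_algs / sizeof hash_algs[0]; i++)
        if (strcmp(hash, hash_algs[i].name) == 0) out->alg = &hash_algs[i];
    if (!out->alg) return -1;

    for (out->len = 0; *p && *p != '\r' && *p != '\n'; p += 2) {
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -2;
        if (out->len >= sizeof out->digest) return -3;
        out->digest[out->len++] =
            (unsigned char)(hexval((unsigned char)p[0]) << 4 | hexval((unsigned char)p[1]));
        if (p[2] == ':') p++;                           /* step over the separator */
        else if (p[2] && p[2] != '\r' && p[2] != '\n') return -2;
    }
    return out->len == out->alg->digest_len ? 0 : -3;   /* wrong length: reject, never truncate */
}

/* Walk an SDP body looking at the m= transport profile and the a=fingerprint.
 * 0 = fingerprint ok and the profile signals DTLS-SRTP (UDP/TLS/RTP/SAVP or
 * UDP/TLS/RTP/SAVPF, RFC 5764); 1 = fingerprint offered under plain RTP/SAVPF,
 * the mismatch in the Firefox offer; -4 = a line is missing; otherwise a
 * parse_fingerprint() error code. */
int check_sdp_offer(const char *sdp, struct fingerprint *fp)
{
    int have_fp = 0, dtls_profile = -1;
    const char *line = sdp;

    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256], media[32], port[16], proto[32];

        if (strncmp(line, "a=fingerprint:", 14) == 0) {
            if (len - 14 >= sizeof buf) return -2;
            memcpy(buf, line + 14, len - 14);
            buf[len - 14] = '\0';
            int rc = parse_fingerprint(buf, fp);
            if (rc) return rc;
            have_fp = 1;
        } else if (sscanf(line, "m=%31s %15s %31s", media, port, proto) == 3) {
            /* m=<media> <port> <proto> <fmt...>: the profile is the third field */
            dtls_profile = !strcmp(proto, "UDP/TLS/RTP/SAVPF") || !strcmp(proto, "UDP/TLS/RTP/SAVP");
        }
        line = end ? end + 1 : NULL;
    }
    if (!have_fp || dtls_profile < 0) return -4;
    return dtls_profile ? 0 : 1;
}

/* Verify the signaled fingerprint against the digest of the certificate the
 * peer actually presented in the DTLS handshake (in Asterisk that digest
 * would come from OpenSSL's X509_digest()). Constant time; 1 on match. */
int fingerprint_matches(const struct fingerprint *fp, const unsigned char *cert_digest, size_t cert_len)
{
    unsigned char diff = 0;
    if (!fp->alg || cert_len != fp->len) return 0;
    for (size_t i = 0; i < cert_len; i++) diff |= fp->digest[i] ^ cert_digest[i];
    return diff == 0;
}

/* Constructed from the Firefox nightly offer quoted in the thread (trimmed). */
static const char firefox_offer[] =
    "v=0\r\n"
    "a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:"
    "27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96\r\n"
    "m=audio 60273 RTP/SAVPF 109 0 8 101\r\n";

/* The same offer carrying the RFC 5764 profile the fingerprint implies. */
static const char dtls_offer[] =
    "v=0\r\n"
    "a=fingerprint:sha-256 B4:C6:2A:9E:3E:C9:BD:92:13:D3:20:4A:07:B2:BB:9E:"
    "27:18:7F:B8:77:70:1D:76:49:A0:40:0F:66:1C:DD:96\r\n"
    "m=audio 60273 UDP/TLS/RTP/SAVPF 109 0 8 101\r\n";

int main(void)
{
    struct fingerprint fp = {0};
    printf("firefox offer: %d\n", check_sdp_offer(firefox_offer, &fp));    /* 1: fingerprint under RTP/SAVPF */
    printf("dtls offer: %d\n", check_sdp_offer(dtls_offer, &fp));          /* 0 */
    printf("self-check: %d\n", fingerprint_matches(&fp, fp.digest, fp.len)); /* 1 */
    return 0;
}
```

Two design points matter for a verifier like this: an unknown hash name or a digest whose length does not match the named hash is rejected outright rather than being silently accepted (a dtlsverify=no style "always succeed" callback, as discussed for testing earlier in the thread, removes the only binding between the signaled identity and the DTLS peer), and the comparison runs in constant time over the whole digest.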
