On 22/02/13 22:09, Matthew Jordan wrote:
> On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
>> Hello Joshua and Matthew.
>>
>> I would be happy to contribute with a patch.
>> I just need the following info:
>> 1. With which client can I test the current implementation of DTLS-SRTP on
>> Asterisk?
> They're rather hard to find.
>
> When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly
> exhaustive search looking for clients that (a) supported DTLS-SRTP and
> (b) could be pointed at Asterisk. At the time, no clients met both
> criteria. Those that did support DTLS-SRTP were working hard on creating
> closed networks that did not allow another B2BUA to participate.
>
> We tested it by pointing two Asterisk instances at each other and
> running Wireshark. And staring at a lot of pcaps.
>
> That situation may have changed.
>
>> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes?
>> Do I need dtlsverify and to set DTLS certificates for basic functionality?
> You need a bit more than that. You'll need:
> 1) The correct version of OpenSSL that supports DTLS installed and
> Asterisk built using it
> 2) CA and cert files generated that will be used by the RTP engine
> 3) Properly configured endpoints. For a test run of Asterisk <->
> Asterisk, the configuration of one instance of Asterisk looked something
> like this:
> [snip]
Was any patch contributed? Can anybody comment on whether DTLS-SRTP support has been extended to work with Firefox yet?

With the Asterisk 11.7 packages on Debian, calls from Mozilla users are rejected with the sha-2 errors (see the errors and my config below). Notice that I even tried with dtlsverify=no and dtlscipher=ALL and it still fails.

OpenSSL version is 1.0.1e-2+deb7u3

Users are encountering this problem on the public test site http://www.sip5060.net/test-calls - e.g. http://danielpocock.com/comment/11269#comment-11269

[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog 'j9quvgkcjme7psetsr4q'
[Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 51556 RTP/SAVPF 109 0 8 101

dtlsenable = yes
dtlsverify = no
; dtlsrekey = 60
dtlscertfile = /etc/ssl/ssl.crt/wsrelay.sip5060.net.pem
dtlsprivatekey = /etc/ssl/private/wsrelay.sip5060.net-key.pem
dtlscipher = ALL ; Cipher to use for TLS negotiation
;
; A list of valid SSL cipher strings can be found at:
;
; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
;dtlscafile = file ; Path to certificate authority certificate
dtlscapath = /etc/ssl/certs
dtlssetup = passive
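The two WARNING lines above describe one gate: a secure (RTP/SAVPF) media section is only accepted when it carries a fingerprint whose hash name Asterisk knows. The following is an added example, not Asterisk's code, that applies the same gate over SDP text using the hash names RFC 4572 defines for a=fingerprint; the offers and the fingerprint bytes are constructed and the function names are my own.

```python
import re

# Hash names RFC 4572 permits in a=fingerprint, with digest size in bytes.
# "sha-2" is not among them: the SHA-2 family is named member by member.
RFC4572_HASHES = {
    "sha-1": 20, "sha-224": 28, "sha-256": 32,
    "sha-384": 48, "sha-512": 64, "md5": 16, "md2": 16,
}

FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<hash>[A-Za-z0-9-]+)\s+"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$"
)

def check_fingerprint(line):
    """Validate one a=fingerprint line. Returns (ok, reason)."""
    m = FINGERPRINT_RE.match(line.strip())
    if not m:
        return False, "malformed a=fingerprint attribute"
    hash_name = m.group("hash").lower()
    expected = RFC4572_HASHES.get(hash_name)
    if expected is None:
        return False, f"Unsupported fingerprint hash type '{hash_name}'"
    got = m.group("fp").count(":") + 1   # colon-separated byte pairs
    if got != expected:
        return False, f"{hash_name} fingerprint is {got} bytes, expected {expected}"
    return True, "ok"

def check_secure_offer(sdp):
    """Secure media (RTP/SAVP or RTP/SAVPF) must carry a usable DTLS
    fingerprint; without one the stream cannot be negotiated."""
    lines = [l.strip() for l in sdp.splitlines() if l.strip()]
    secure = any(l.startswith("m=") and " RTP/SAVP" in l for l in lines)
    if not secure:
        return True, "no secure media to check"
    fps = [l for l in lines if l.startswith("a=fingerprint:")]
    if not fps:
        return False, "Rejecting secure audio stream without encryption details"
    for fp in fps:
        ok, reason = check_fingerprint(fp)
        if not ok:
            return False, reason
    return True, "ok"

# Constructed offers (example data, not captured traffic): the first mirrors
# the "sha-2" hash name seen in the log, the second a valid sha-256 name with
# a placeholder 32-byte fingerprint.
MEDIA = "m=audio 51556 RTP/SAVPF 109 0 8 101\n"
SHA2_OFFER = MEDIA + "a=fingerprint:sha-2 " + ":".join(["AB"] * 32) + "\n"
SHA256_OFFER = MEDIA + "a=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\n"
```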
