Hi Daniel, the "sha-2" error can be easily circumvented, and the dtlsverify=no needs an additional callback in the code to always return a success. Nitesh and I provided some patches here:
https://issues.asterisk.org/jira/browse/ASTERISK-22961

Mine was specifically targeted at getting Firefox to work, but I only tested incoming calls. I didn't test Nitesh's one, but apparently he managed to get it to work as well.

Lorenzo

2014/1/24 Daniel Pocock <[email protected]>

> On 22/02/13 22:09, Matthew Jordan wrote:
> > On 02/22/2013 10:40 AM, Mitja Kaučič wrote:
> >> Hello Joshua and Matthew.
> >>
> >> I would be happy to contribute with a patch.
> >> I just need the following info:
> >> 1. With which client can I test the current implementation of DTLS-SRTP on Asterisk?
> >
> > They're rather hard to find.
> >
> > When Josh wrote DTLS-SRTP support for Asterisk, we did a fairly exhaustive search looking for clients that (a) supported DTLS-SRTP and (b) could be pointed at Asterisk. At the time, no clients met both criteria. Those that did support DTLS-SRTP were working hard on creating closed networks that did not allow another B2BUA to participate.
> >
> > We tested it by pointing two Asterisk instances at each other and running Wireshark. And staring at a lot of pcaps.
> >
> > That situation may have changed.
> >
> >> 2. To configure DTLS-SRTP properly, is it enough to just set dtlsenable=yes, or do I need dtlsverify and to set DTLS certificates for basic functionality?
> >
> > You need a bit more than that. You'll need:
> > 1) The correct version of OpenSSL that supports DTLS installed and Asterisk built using it
> > 2) CA and cert files generated that will be used by the RTP engine
> > 3) Properly configured endpoints. For a test run of Asterisk <-> Asterisk, the configuration of one instance of Asterisk looked something like this:
>
> [snip]
>
> Was any patch contributed, can anybody comment on whether DTLS-SRTP support has been extended to work with Firefox yet?
>
> With the Asterisk 11.7 packages on Debian, calls from Mozilla users are rejected with the sha-2 errors (see the errors and my config below)
>
> Notice that I even tried with dtlsverify=no and dtlscipher=ALL and it still fails.
>
> OpenSSL version is 1.0.1e-2+deb7u3
>
> Users are encountering this problem on the public test site http://www.sip5060.net/test-calls - e.g. http://danielpocock.com/comment/11269#comment-11269
>
> [Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog 'j9quvgkcjme7psetsr4q'
> [Jan 24 10:13:58] WARNING[3105][C-0000013d]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 51556 RTP/SAVPF 109 0 8 101
>
> dtlsenable = yes
> dtlsverify = no
> ; dtlsrekey = 60
> dtlscertfile = /etc/ssl/ssl.crt/wsrelay.sip5060.net.pem
> dtlsprivatekey = /etc/ssl/private/wsrelay.sip5060.net-key.pem
> dtlscipher = ALL ; Cipher to use for TLS negotiation
> ; ; A list of valid SSL cipher strings can be found at:
> ; ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
> ; dtlscafile = file ; Path to certificate authority certificate
> dtlscapath = /etc/ssl/certs
> dtlssetup = passive
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
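The 'sha-2' warning in the quoted log is easiest to reason about next to a fingerprint parser. The C below is an added example, not Asterisk's chan_sip code and not from the patches on the ticket: it reads the whole hash-function token of an SDP a=fingerprint attribute, checks it against the names RFC 4572 defines, and checks the digest length, alongside a five-character read that turns "sha-256" into "sha-2". That a truncated read is what produced the logged token is my assumption, not something the thread states; the digest value is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hash functions RFC 4572 allows in a=fingerprint, with digest size in bytes. */
static const struct { const char *name; size_t bytes; } fp_hashes[] = {
    { "sha-1", 20 }, { "sha-224", 28 }, { "sha-256", 32 }, { "sha-384", 48 },
    { "sha-512", 64 }, { "md5", 16 }, { "md2", 16 },
};
struct fingerprint { char hash[16]; char value[256]; };

/* Parse "fingerprint:<hash-func> <HH:HH:...>" (the attribute body after "a=").
 * 0 = ok, -1 = syntax error, -2 = hash name not in RFC 4572, -3 = bad digest. */
int parse_fingerprint(const char *attr, struct fingerprint *out)
{
    const char *p = attr; size_t n, m, i, bytes = 0;
    if (strncmp(p, "fingerprint:", 12) != 0) return -1;
    p += 12; while (*p == ' ') p++;
    n = strcspn(p, " ");                       /* the whole token, not a fixed width */
    if (n == 0 || n >= sizeof out->hash) return -1;
    for (i = 0; i < n; i++) out->hash[i] = (char)tolower((unsigned char)p[i]);
    out->hash[n] = '\0';                       /* hash-func names are case-insensitive */
    p += n; while (*p == ' ') p++;
    m = strcspn(p, " \r\n");
    if (m == 0 || m >= sizeof out->value) return -1;
    memcpy(out->value, p, m);
    out->value[m] = '\0';
    for (i = 0; i < sizeof fp_hashes / sizeof fp_hashes[0]; i++)
        if (strcmp(fp_hashes[i].name, out->hash) == 0) bytes = fp_hashes[i].bytes;
    if (bytes == 0) return -2;
    if (m != bytes * 3 - 1) return -3;         /* "HH:" per byte, no trailing colon */
    for (i = 0; i < m; i++)
        if ((i % 3 == 2) ? out->value[i] != ':' : !isxdigit((unsigned char)out->value[i]))
            return -3;
    return 0;
}

/* Status code only, for callers that do not need the parsed fields. */
int fingerprint_status(const char *attr) { struct fingerprint fp; return parse_fingerprint(attr, &fp); }

/* Five-character token read: "sha-256" comes back as "sha-2". Assumed cause of the logged value, not stated in the thread. */
const char *truncated_hash_token(const char *attr)
{
    static char tok[8];
    return sscanf(attr, "fingerprint:%5s", tok) == 1 ? tok : "";
}

/* Constructed sample digest: 32 bytes, the size of a SHA-256 fingerprint. */
#define SAMPLE_DIGEST_32 "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" \
                         "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
```

With dtlsverify=no the parsed fingerprint is never compared against the peer's DTLS certificate, so a parser that accepts the attribute is only the first half of the check that ties the media keys to the signalling.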
