Asterisk 11+SIPML5+Firefox Certificate Issue


Jay Jideliov

Nov 22, 2013, 5:55:13 PM
to discuss...@googlegroups.com
We have tried to solve this problem for a while now, and extensive research yielded no results, so I decided that my best bet is this post.


While calls work fine in Chrome (with the exception of Hold which crashes Asterisk), they do not work in Firefox.


(We did not use WebRTC2SIP, just the RC Asterisk that incorporates the patch.)

Firefox requires the connection to be set via DTLS-SRTP, for which we had to generate certificates via OpenSSL (.pem)

We have used this information to get those certificates:


After they were generated, they were added to the device via the DTLS settings:

dtlsenable=yes
dtlsverify=no
dtlscertfile=/etc/asterisk/keys/softphone.pem
dtlsprivatekey=/etc/asterisk/keys/key.pem
dtlscafile=/etc/asterisk/keys/key.pem

Asterisk did not display any errors, but the call could not be made (SipML would just say Call in Progress and do nothing). 

We have also tried to generate certificates via /usr/local/src/asterisk-11.7.0-rc1/contrib/scripts/ast_tls_cert as per https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

Asterisk would not accept the call (Specified certificate file '/usr/local/certs/callision.com.crt' for RTP instance '0x7f69a000ea68' could not be used)


I would highly appreciate your help on the matter, as it has been haunting us for the past two months.

Lorenzo Miniero

Nov 23, 2013, 6:52:42 AM
to discuss...@googlegroups.com
Have you tried asking on the asterisk-dev mailing list? They'll probably know more about this. I do handle Firefox calls on my Asterisk, but I'm using 11.1.2 and I modified it a bit as described in http://web.archiveorange.com/archive/v/UDBiiagteYngbNnTLm7S, and I don't know if anything in the DTLS code has changed in the meantime.

Your problem, though, looks more like an OpenSSL one, as the error you're getting seems to be caused by a failure in SSL_CTX_use_certificate_file rather than in Asterisk itself. Have you checked the permissions on the certificate files? I'm not sure it's relevant (probably not), but it might be worth a try: the ones I use have 644 permissions set. That said, you may want to try and look at the error OpenSSL is throwing. The documentation page for the method I mentioned:


says it adds an error to the stack when it fails, so I guess the usual ERR_get_error/ERR_error_string should give you more information.

Lorenzo

Jay Jideliov

Nov 25, 2013, 1:58:54 PM
to discuss...@googlegroups.com
Will post to mailing lists shortly.


Did a couple of verifications, here is the output:

root@net-2# openssl s_server -cert crt.server1.pem -key key.key -www
Enter pass phrase for /key.key:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
140242107061952:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:



root@net-2:/# openssl req -noout -modulus -in crt.server1.pem
unable to load X509 request
140271636514496:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
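The following is an added example and not code from any post in this thread. It is a POSIX shell script that does, in one place, what Lorenzo's reply and the openssl checks above are circling around: it generates a self-signed certificate and an unencrypted private key in the form Asterisk's dtlscertfile/dtlsprivatekey options expect, then checks that the certificate file really is a PEM CERTIFICATE (the `openssl req` run above fails with "no start line" precisely because `req` expects a CERTIFICATE REQUEST, and SSL_CTX_use_certificate_file fails the same way on a file it cannot parse), that the key has no passphrase (Asterisk cannot answer the "Enter pass phrase" prompt seen in the s_server run), that the certificate and key actually belong together (the same comparison X509_check_private_key does before reporting "key values mismatch"), what the file permissions are, and which SHA-256 fingerprint Asterisk would advertise in the SDP a=fingerprint line for that certificate. The working directory, file names and certificate subject are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: create a DTLS-SRTP certificate/key pair
# and run the checks that explain the errors quoted above
# ("could not be used" from SSL_CTX_use_certificate_file and
# "key values mismatch" from X509_check_private_key).
# Working directory, file names and subject are assumptions for the example.

WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/asterisk-dtls.crt"
KEY="$WORK/asterisk-dtls.key"

# Self-signed certificate plus an UNENCRYPTED private key (-nodes). Asterisk
# loads the key at startup and cannot answer an "Enter pass phrase" prompt.
gen_dtls_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=asterisk.example.invalid" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# The certificate file must be a PEM CERTIFICATE, which is what `openssl x509`
# reads (a CSR needs `openssl req`, a DER file needs -inform DER). Anything
# else fails here and fails inside SSL_CTX_use_certificate_file as well.
cert_is_pem() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# True if the key is passphrase-protected: PKCS#8 "ENCRYPTED PRIVATE KEY"
# or the traditional "Proc-Type: 4,ENCRYPTED" header both contain the word.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Compare the public key embedded in the certificate with the public half of
# the private key. A mismatch is the "key values mismatch" error above.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The value Asterisk advertises as "a=fingerprint:sha-256 ..." in SDP:
# uppercase hex of the certificate's SHA-256 digest, colon separated.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Run every check, print a short report, return non-zero if any check fails.
check_dtls_files() {
    cert=$1
    key=$2
    status=0
    if cert_is_pem "$cert"; then
        echo "ok:   $cert is a PEM certificate"
    else
        echo "FAIL: $cert is not a PEM certificate (CSR, DER or wrong file?)"
        status=1
    fi
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; Asterisk cannot prompt for it"
        status=1
    else
        echo "ok:   $key is unencrypted"
    fi
    if cert_matches_key "$cert" "$key"; then
        echo "ok:   certificate and private key match"
    else
        echo "FAIL: certificate and private key do not match"
        status=1
    fi
    # Asterisk opens both files as the user it runs as: check owner and mode.
    ls -l "$cert" "$key"
    echo "a=fingerprint:sha-256 $(cert_fingerprint "$cert")"
    return $status
}

# Demonstration run: create a pair and check it.
gen_dtls_cert
check_dtls_files "$CERT" "$KEY"
```

Point check_dtls_files at an existing dtlscertfile/dtlsprivatekey pair to test files you already have; a FAIL line names the condition that would make Asterisk log "could not be used" or OpenSSL report "key values mismatch". If every check passes and Asterisk still rejects the files, the remaining suspects are ownership and mode (the ls -l line) relative to the user Asterisk runs as.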

Jay Jideliov

Nov 25, 2013, 3:12:25 PM
to discuss...@googlegroups.com
I have also generated certificates with the -sha1 option, but am still getting:

[Nov 25 15:05:50] WARNING[5628][C-0000005c]: chan_sip.c:11034 process_sdp_a_dtls: Unsupported fingerprint hash type 'sha-2' received on dialog '38f43a1f-15cd-ad69-c2b3-72c21b9de5fd'

Apparently that is the main issue here - somehow it still does sha-2 instead of sha-1. Any ideas on how to go over sha-1?

