iDoubs and TLS - how exactly?

[user1087]

Hi, can someone who has successfully enabled TLS for iDoubs please help? I am trying to get a webrtc session working from iDoubs using DTLS.

Here is what I've done so far reading instructions in this forum:

1) Compiled ios-ngn-stack with  -DHAVE_OPENSSL=1 and -DHAVE_SRTP=1

2) iDoubs log says 

SSL is enabled :)
DTLS supported: yes
DTLS-SRTP supported: yes

3) Next, I read  https://groups.google.com/forum/#!topic/doubango/asAfP5ZCgdI and created my self signed certificates using open-ssl

4) copied the generated key.ca.cg.pem (renamed to private.pem), csr.server1.pem (renamed to public.pem) and the root cert crt.ca.cg.pem (renamed rootcert.pem) to the iDoubs project 

5) In didFinishLaunchingWithOptions of idoubs2Appdelegate.mm, add this code after [[NgnEngine sharedInstance] start];

NSString * path3 = [[NSBundle mainBundle] pathForResource:  @"rootcert" ofType: @"pem"];
    NSString * path2 = [[NSBundle mainBundle] pathForResource:  @"private" ofType: @"pem"];
    NSString * path1 = [[NSBundle mainBundle] pathForResource:  @"public" ofType: @"pem"];
    // NSLog(@"%@", path);
    
    
    [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_PUB andValue:path1];
    [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_PRIV andValue:path2];
    [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_CA andValue:path3];

6) In iDoubs configuration UI, enabled TLS

6) Ran iDoubs, the log error I am getting is

***ERROR: function: "tnet_transport_tls_set_certs()" 
file: "/Users/arjun/projects/mydoubs/doubango/branches/2.0/doubango/tinyNET/src/tnet_transport.c" 
line: "250" 
MSG: SSL_CTX_use_certificate_file failed [0,error:0906D06C:PEM routines:PEM_read_bio:no start line] 

Any guidance would be appreciated

 

[user1087]

PS: I know there are more steps to get a DTLS RTCWeb session going on, but I am right now just trying to solve the TLS cert issue as step 1

[Mamadou]

Enabling DTLS on iOS is easy. You're error means your certificates are not valid or you are swapping them (e.g using public key as CA).

DTLS-SRTP requires only a public key (server certificate), try to set this value only and ignore other certs as they are probably invalid or malformed. You must also enable DTLS-SRTP: https://code.google.com/p/doubango/source/browse/branches/2.0/doubango/bindings/_common/MediaSessionMgr.cxx#460 (set SRTP mode to mandatory), https://code.google.com/p/doubango/source/browse/branches/2.0/doubango/bindings/_common/MediaSessionMgr.cxx#467 (set SRTP type de DTLS).

Please always share logs when reporting an issue.

[user1087]

Thanks. I did as you suggested, but the problem persists.

In iDoubsAppDelegate, I added this code just before NGNEngine start:

MediaSessionMgr::defaultsSetSRtpType(tmedia_srtp_type_dtls); 
MediaSessionMgr::defaultsSetSRtpMode(tmedia_srtp_mode_mandatory); 
NSString * rootcert = [[NSBundle mainBundle] pathForResource:  @"cacert" ofType: @"pem"];
  [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_CA andValue:rootcert];
// start the engine
[[NgnEngine sharedInstance] start];

I still get 

MSG: SSL_CTX_use_certificate_file failed [0,error:0906D06C:PEM routines:PEM_read_bio:no start line] 

The detailed logs and rootcert.pem files are attached

 

[Mamadou DIOP]

If you read my response again you'll see that I haven't said what you're doing. I asked to set the *public key* not the CA.

--
You received this message because you are subscribed to the Google Groups "discuss-doubango" group.
To unsubscribe from this group and stop receiving emails from it, send an email to doubango+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
<detailedlogs.txt><cacert.pem>

[user1087]

Okay, here goes again - as complete as I can report (let me know if you need anything else). 

(Detailed XCode logs and public.pem attached)

Environment: Xcode 5, iphone 5S, iOS 7.0

Checked out latest iDoubs project this morning as per https://code.google.com/p/idoubs/wiki/Building_iDoubs_v2_x

Changed architecture to v7 and iOS 7 (v7s causes issues in compilation). Also changed NgnPublicSession.mm line 145 to [UIDevice currentDevice].identifierForVendor (existing code had uniqueIdentifier which is deprecated and does not compile)

1) Generating public key

———————————————————

a) openssl genrsa -out privkey.pem 1024

b) openssl rsa -in privkey.pem -pubout > public.pem

c) Imported public.pem into iDoubs Xcode project

2) Configuring iDoubs to use TLS & DTLS & RTCWeb

————————————————————

a) Installed iDoubs

b) Went to Settings->Network, changed Transport to TLS

c) In Network->Security, changed SRTP Mode to Mandatory (this may be redundant as I change it in code later)

d) Network->Security, Enabled ICE, STUN, Discover

e) In Settings->Media changed Profile to RTCWeb

3) Code Modifications to iDoubs

————————————————

a) In file idoubs2AppDelegate.mm

Inside - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 

I added the following code below (before [[NgnEngine sharedInstance] start];)

MediaSessionMgr::defaultsSetSRtpType(tmedia_srtp_type_dtls);     MediaSessionMgr::defaultsSetSRtpMode(tmedia_srtp_mode_mandatory); 

NSString * pubkey = [[NSBundle mainBundle] pathForResource:  @"public" ofType: @"pem"];

[[NgnEngine sharedInstance].configurationService

     setStringWithKey:SECURITY_SSL_FILE_KEY_PUB andValue:pubkey];

Now the issues I am facing:

a) I set up breakpoints at NgnSipStack.mm:setSSLCertificates (264)

It seems this is picking up different values from what I specified above. It seems NgnSipService.mm:1140 is extracting the values. The values it extracts have privkey.pem (in addition to a file path), pubkey.pem (in addition to file path) and cakey (NULL)

Where is iDoubs picking up these values from and why is it not using my value in step 3 above (public.pem)?

When I run the app using this setting, I get the following in my log file

***ERROR: function: "tnet_transport_tls_set_certs()" 

file: "/Users/user002/projects/mydoubs/doubango/branches/2.0/doubango/tinyNET/src/tnet_transport.c" 

line: "250" 

MSG: SSL_CTX_use_certificate_file failed [0,error:0906D06C:PEM routines:PEM_read_bio:no start line]

Now, I tried overriding these values inside setSSLCertificates function - that brings up other problems which I can cover later.

For now, please advise on the following:

a) Do you see any issues with what I am doing?

b) Where is iDoubs picking up the private key settings and public key settings from? I did not specify and private key and the private key I am specifying in AppDelegate seems to be ignored

c) In addition to specifying private key, do I need to also specify the certificate and private key as empty  in Appdelegate? (FYI, I tried that too, and any settings I set in AppDelegate seem to be ignored by iDoubs. To make iDoubs accept them I need to specify them inside setSSLCertificates, and brings up other problems I can post about subsequently - but I should not have to get to making changes inside these functions when Doubango seems to provide higher level wrappers) 

d) When I make a call, I see in INVITE a=crypto but no a=fingerprint. I assume that’s because DTLS was not enabled due to key failure

[Mamadou]

If you enable TLS and set a private key then, you should set the CA and priv-key. To ease your life, don't enable TLS for now.
Your public key is not valid. It must start with "-----BEGIN CERTIFICATE-----". This is what the openssl error says.
Try something like:
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key  -out www.example.com.cert
use "www.example.com.cert" (change extension to *.pem) as public key and "www.example.com.key" (change ext. to *.pem) as private key. Haven't tested but should work.
You're saying that iDoubs is picking it's own values but I don't see how it's possible. From your breakpoint, check each function in the call stack to see where this value is coming from.
All the code you added *MUST* be *AFTER* [[NgnEngine sharedInstance] start];

--
You received this message because you are subscribed to the Google Groups "discuss-doubango" group.
To unsubscribe from this group and stop receiving emails from it, send an email to doubango+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
Mamadou DIOP - Technology Evangelist
Doubango Telecom - Paris, France
http://www.doubango.org
Click here to call me!

[user1087]

Thanks Mamadou. My final goal is to use TLS and enable DTLS (I need to get to a point when the outgoing invite adds a a=fingerprint in SDP).

I've used your example below and generated the public /private pair. What should I use as the CA file? 

(Also, I've now added my code after the NGNEngine start)

[Mamadou DIOP]

As already said for now don't enable TLS unless you want to make your life harder. If mutual authentication is not enable TLS doesn't require CA.

Try to split your goal into two parts: DTLS then TLS.

If you try with the newly created public key, you should see a fingerprint SDP header. If not the case, share the logs.

[user1087]

Okay, here is the log so far (no fingerprint yet) (attached)

a) Disabled TLS in Transport (made it UDP, also tried with TCP)

b) Moved the code to _after_ NGNEngine start in AppDelegate 

NSString * pubkey = [[NSBundle mainBundle] pathForResource:  @"public" ofType: @"pem"];

MediaSessionMgr::defaultsSetSRtpType(tmedia_srtp_type_dtls);
    MediaSessionMgr::defaultsSetSRtpMode(tmedia_srtp_mode_mandatory);

    [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_PUB andValue:pubkey];

I set a breakpoint at setSSLCertificate --> that was never invoked, because I disabled TLS in transport as you requested. It seems sip2sipinfo went  down when I Was testing so you won't see 200 OK for REGISTER. 

On another note, I was confused by two of your suggestions, but since you know your stack much better than I can hope to, I've done as you've suggested

My confusion:

a) It seems the entire TLS certificate binding happens as part of calling NGN Engine start - hence I had put my code before it to set the values

b) You asked me to disable TLS, which I did, but if I disable TLS, the  setSSLCertificate code never gets called, so I am not sure it is used anywhere

[Mamadou]

1) remove *all* changes you added to the source code
2) svn update both doubango and idoubs
3) add "public.pem" to idoubs' resources
4) run idoubs
5) goto settings -> idoubs -> network and set srtp mode = mandatory
6) goto settings -> idoubs -> network and set srtp type = DTLS
7) goto settings -> idoubs -> network and set Public Key = public
Please note that Public key is equal to "public" without the ".pem"

[user1087]

Mamadou, I've been setting breakpoints in iDoubs.

Based on what I've seen so far:

a) The only code that uses the public certificate is in NgnSipService.mm:1140 --> and that is only called when tls is transport. So if I disable tls, no other code seems to be calling setSSLCertificates. 

b) While debugging, I saw that when iDoubs sends an INVITE, in tdav_session_av:224, you have code that says #if HAVE_SRTP, and if rtcweb is enabled then you force to type_sdes, which therefore overrides my previous setting of dtls. I changed that to srtp_type_dtls

c) However, now that TLS is disabled, it seems the public certificate I specified does not get applied anywhere, so in tmedia_session.c:214, the value of dtls.file_pbk is NULL and eventually tdav_sesson_av.c:420 check of file_pbk being NULL is true and it prints DTLS-SRTP requested but no SSL certificates provided, disabling this option :(

So bottom line, seems just doing 

 MediaSessionMgr::defaultsSetSRtpType(tmedia_srtp_type_dtls); 
    MediaSessionMgr::defaultsSetSRtpMode(tmedia_srtp_mode_mandatory);
    [[NgnEngine sharedInstance].configurationService
     setStringWithKey:SECURITY_SSL_FILE_KEY_PUB andValue:pubkey]; 

doesn't seem to be working because iDoubs is overriding type_dlts when I send an INVITE with rtcweb on, plus disabling TLS does not seem to apply the public certificate at all.

 

[user1087]

Just noticed you posted a note above - I'll update my copy of iDoubs and revert. Thanks for your attention.

[user1087]

Quick question:in step 7 where you say set it to public without .pem --> the default value in settings in the UI is full path+public.pem --> I assume I delete that entire default and just type in public?

[Mamadou]

Just set it to "public" without Any path or extension

Sent from my iPhone

[user1087]

Okay, so when I set profile = Default, I see a=fingerprint (yay!)

But when I set profile=RTCWeb, I don't see it. Is that expected? I'll debug more and provide inputs (I still see tdav_session_av.c:224 changing to SDES if profile=RTCWeb - changing that to dtls does not seem to make a difference)

[user1087]

Mamadou, quick correction:

 I modified tdav_session_av.c:222 

Original:

self->srtp_type = (profile == tmedia_profile_rtcweb) ? tmedia_srtp_type_sdes : tmedia_defaults_get_srtp_type();

New:

self->srtp_type = (profile == tmedia_profile_rtcweb) ? tmedia_srtp_type_dtls: tmedia_defaults_get_srtp_type();

Now, I get a=fingerprint even with RTCWeb profile

As a next step, I am going to try a call to SipML5 (not sure if it supports DTLS, but I'll give it a try)

I looked at the changes you did in the updated iDoubs --> thanks for making them. I plan to get a similar scenario working for Android (IMSDroid) after I finish up with iOS. Do you know if IMS Droid has been tested to work with DTLS and is it similar to the changes made to iOS in this thread?

thx

[Mamadou DIOP]

This is *not* a good idea at all. RTCWeb profile is to enable SDES for chrome instead of DTLS. DTLS implementation in chrome is still buggy.

[Mamadou DIOP]

forget to add RTCWeb also enable ICE. To call SIPML5 you must also enable ICE.

To test DTLS, use Firefox instead of chrome.

[user1087]

Okay, thanks. I need to move away from SDES because that's now a MUST NOT and DTLS-SRTP is MUST. Chrome has announced it will discountinue SDES support middle 2014.

 I'll set up a call b/w SipML5 on FF and iDoubs via DTLS+RTCWeb and report

[user1087]

Okay, here is the log for a call from iDoubs (RTCWeb+DTLS, TLS disabled) to SipML5 using the latest Firefox build for mac. the call gets established but there is no audio or video. 

testuser002 ==> idoubs

10210211210 ==>sipML5/FF

ICE is enabled, Profile==RTCWeb, DTLS & SRTP Mandatory set on iDoubs (also with the change in iDoubs that I wrote about earlier - keeping DTLS with RTCWeb)

thanks

[Mamadou DIOP]

I understand that DTLS is required for you but the change you've done is not enough and you will probably break another part.

For the the audio issue, openssl is requesting for the private identity. 

--
You received this message because you are subscribed to the Google Groups "discuss-doubango" group.
To unsubscribe from this group and stop receiving emails from it, send an email to doubango+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

<idoubs-sipmlFFDTLSnoTLS.txt>

[Mamadou DIOP]

On Jan 22, 2014, at 11:07 AM, Mamadou DIOP <diopm...@doubango.org> wrote:

I understand that DTLS is required for you but the change you've done is not enough and you will probably break another part.

For the the audio issue, openssl is requesting for the private identity. 

private *key*

[Mamadou DIOP]

additional information: webrtc2sip and idoubs use the same code which means if one work the other should work. We have a click2call service using webrtc2sip, to test it with your Firefox (FF) version, open doubango.org and click on the "call us" button. If you hear the voice mail (sip2sip.info account) this means your FF is supported and idoubs must work if correctly configured. Also, FF hate self-signed certificates. For example, you cannot use secure web socket with set-signed certs but never tried with DTLS. If you have any DTLS handshaking issue the first thing to check is the certs validity.

[user1087]

Mamadou, thanks for the stellar support so far. I'd like to make sure I understood what you said correctly, because I have an upcoming demo in a few weeks and need to set the right expectations internally on what can be achieved. Based on what you said:

a) It looks like iDoubs is not currently set up to make a successful DTLS+RTCWeb call - is that a correct statement?

b) You have also made a comment that if iDoubs is setup correctly, then it will work with FF SipML5. I just tested doubango.org and  I did reach the voicemail, so I assume FF is supported. By iDoubs being set up correctly, do you mean also specifying a correct private and public cert? Or is there more? If it is only specifying the private key and cert, your example earlier of using openssl to generate a public key also generated the public key. Can I use that private key to generate my certificate as per http://www.akadia.com/services/ssh_test_certificate.html ? You have also said 'FF hates self-signed certificates' - so does this mean it will not work?

c) I am not using websockets, so its only DTLS for now.

[Mamadou DIOP]

What I can say is if you use signed certs in idoubs it will work (I highly recommend not changing any code). I don't know if FF will accept self-signed certs or not (not tested). I know you are not using web socket and it was just an example where self-signed certs are not accepted.

[user1087]

Okay, let me take it a step at a time, first with self-signed. If that doesn't work, I'll buy signed certs 

I have two questions:

1) Why isSipML5 over FF asking for private key? TLS is disabled, and per our earlier conversation, private+cert is not required if TLS is disabled.

2) Do you have a suggestion on how to generate the CA cert? I generated the public/private key as per your suggestion: openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key  -out www.example.com.cert --> it seems there are several ways to generate the cert, and if you have an example of what will work, that can help a lot in time savings for me.

[user1087]

Update:

1) Generated private and public key using your earlier instructions (private.pem, public.pem)

2) Disabled RTCWEb profile in iDoubs, just using default profile (so no code change from me), disabled TLS, only enabled DTLS, SRTP Mode==mandatory

3) Made a call to SIPML5 on FF

Error is:

MSG: DTLS handshake failed [error:14136168:SSL routines:SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT:bad srtp protection profile list]

Detailed logs attached

On Wednesday, January 22, 2014 5:34:34 AM UTC-5, Mamadou wrote:

[Mamadou DIOP]

On Jan 22, 2014, at 12:06 PM, user1087 <arj...@gmail.com> wrote:

Okay, let me take it a step at a time, first with self-signed. If that doesn't work, I'll buy signed certs 

I have two questions:

1) Why isSipML5 over FF asking for private key? TLS is disabled, and per our earlier conversation, private+cert is not required if TLS is disabled.

Not required doesn't mean it will work with Firefox. When I wrote these line I even didn't know you're trying to call a browser.

Public key only is enough to have DTLS enabled and working. The fact that the remote peer is asking to check the validity of the public key (requires private key) is implementation-specific.

2) Do you have a suggestion on how to generate the CA cert? I generated the public/private key as per your suggestion: openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key  -out www.example.com.cert --> it seems there are several ways to generate the cert, and if you have an example of what will work, that can help a lot in time savings for me.

I'll try with self-signed certs by myself (can say when). Otherwise, I think this thread will be endless.

[Mamadou]

Got same issue. The problem was the openssl version (1.0.1beta) used in iOS (known issue). I updated it to 1.0.1e (same as what is used on Windows and Linux).
Tested audio and video calls from iDoubs (iPhone 5, iOS 6) to Firefox  25.0 (OS X 10.8.5). Also FF -> iDoubs.

- Update Doubango to r1019: https://code.google.com/p/doubango/source/detail?r=1019
- Now "public.pem" and "private.pem" are part of the source (iDoubs SVN r252). You no longer need to add them but still required to change the settings->idoubs->network->certificates.
- You must enable ICE. For video, VP8 is required.

--
You received this message because you are subscribed to the Google Groups "discuss-doubango" group.
To unsubscribe from this group and stop receiving emails from it, send an email to doubango+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[user1087]

Great thanks. Have you made changes to the xcode project in addition to adding the pem files? The new checked out version only builds the stack but not the idoubs app. I'm checking what may have changed.

[user1087]

Mamadou, I tested the new iDoubs. DTLS handshake is working. But some issues:

iDoubs setting: private.pem, public.pem, TLS off, VP8=on, audio=Opus/PCMU/PCMA, Profile=Default

a) Video call from SipML (FF) to iDoubs partially works --> I see video, but there is no audio. 

b) Video call from iDoubs to SipML (FF) doesn't work - no video nor audio

iDoubs setting: private.pem, public.pem, TLS off, VP8=on, audio=Opus/PCMU/PCMA, Profile=RTCWeb - the call fails in both cases

Do you want me to post logs?

[user1087]

Here are the logs - call from iDoubs to FF/SipML

VP8 is on, DTLS is on, TLS is off, ICE is on

call gets set up, but no audio, no video. When I hit terminate in iDoubs, there is a whole lot of audio echo loopback that comes up on the iDoubs client - I need to kill iDoubs after that

[user1087]

Forgot to add:

iDoubs is on 5s:ios 7.0.4

SIPML is on FF v26, OSX 10.9.1

iDoubs v252

[user1087]

Awesome - IT works!!

No idea what I was doing wrong earlier, but a coffee break helps.

I made a successful DTLS, Normal call to sipML5 on FF - audio/video worked

I made a successful DTLS, RTCweb call to sipML5 on FF - audio/video worked (* see caveat)

*caveat: I modified tdav_session_av.c:225  to force it to type_dtls (instead of type_sdes)

However, I am not sure if the RTCweb profile was applied correctly with this hack 

Here is the successful DTLS+Normal log vs DTLS+RTCWeb log. Can someone confirm if the latter actually was an RTCweb call? I noticed FEC=0, I think it should have been 1 in RTCWeb?

BTW in both cases, there as huge loopback echo when I terminated the call on iDoubs --> only way out was to kill iDoubs

[Rajaraman Subramanian]

Hi,

I have closely followed this thread and this is the only source where somebody else has been trying to do close to what I have been trying to do. 

Following is the my use case and the problem faced. Any help would be really helpful.

********************************************************

We have setup our own webrtc2sip server and Asterisk . This setup works fine from a browser (i.e able to make outgoing call to mobile phone) and I am now trying to setup the same in iOS (iOS 7.1) using idoubs (ios-ngn-stack).

As part of the setup we have used our own web socket server. I have tried configuring the following things to start with

1. DTLS & SRTP Mandatory set on iDoubs.
2. Enabled webrtc2sip mode (tsip_stack_mode_webrtc2sip)
3. Set the web socket details via SipSession::setWebSocketSrc(const char* host, int32_t port, const char* proto)
4. Also provided the public.pem and private.pem via NgnSipStack setSSLCertificates So far I have not been able to REGISTER.

I am not even sure whether the communication happens over web socket and I also do not see the a=fingerprint for DTLS.

Can somebody throw some light on this?

Rajaraman