
Summary: ASTERISK-24711: DTLS handshake broken with latest OpenSSL versions
Reporter: Jared Biel (jared.biel@bolderthinking.com)
Labels:
Date Opened: 2015-01-22 11:13:36.000-0600
Date Closed: 2015-01-29 06:10:45.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components:
Versions: 13.1.0
Frequency of Occurrence: Constant
Related Issues:
Environment:
Attachments:
Description: The latest versions of OpenSSL recently cleaned up some DTLS vulnerabilities and one of them (I believe it's CVE-2015-0206) caused RTP DTLS handshakes to stop working. This means that all WebRTC calls fail to negotiate audio. I came across this issue using a fully updated Ubuntu 14.04 server running OpenSSL 1.0.1f-1ubuntu2.8 and Asterisk 13.1.0.

Upstream report: http://rt.openssl.org/Ticket/Display.html?id=3657

The one-line workaround mentioned in the ticket worked for me. Patch:

[mjordan]: Code redacted.

*NOTE*:

Unfortunately, we cannot accept even one-line patches in a comment. If you'd like to contribute this patch to Asterisk, please sign a license contributor agreement and attach the patch in unified diff format.

Comments:

By: Matt Jordan (mjordan) 2015-01-22 14:38:22.248-0600

Some additional links:

* https://groups.google.com/forum/#!topic/discuss-webrtc/TqZ9N0eTn24
* https://mta.openssl.org/pipermail/openssl-dev/2015-January/000400.html

By: Matt Jordan (mjordan) 2015-01-22 15:58:39.224-0600

More information:

https://code.google.com/p/chromium/issues/detail?id=447431

By: Jared Biel (jared.biel@bolderthinking.com) 2015-01-22 16:06:15.765-0600

My apologies - I have signed the contributor agreement and will submit the patch again once it's been accepted on your side. Thanks!

Edit: after reading some of the provided links, it seems that this problem may be deeper/have further things to patch up. I will leave the issue resolution/patching to the experts.

By: Jared Biel (jared.biel@bolderthinking.com) 2015-01-28 16:17:12.715-0600

There have been commits against openssl that fix this issue (see the originally linked openssl rt ticket, http://rt.openssl.org/Ticket/Display.html?id=3657, for more details). However, I'm unsure if these fixes are going to be considered for inclusion in the next round of security/regression fixes for every distribution (debian discussion: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502).

By: Joshua C. Colp (jcolp) 2015-01-29 06:10:37.497-0600

Thanks for your comments! I've put the required change into 11, 13, and trunk.