
Summary: ASTERISK-25265: [patch] DTLS Failure when calling WebRTC-peer on Firefox 39 - add ECDH support and fallback to prime256v1
Reporter: Stefan Engström (StefanEng86)
Date Opened: 2015-07-17 15:19:56
Date Closed: 2015-08-05 05:29:30
Priority: Major
Status: Closed/Complete
Components: Core/BuildSystem, Resources/res_rtp_asterisk
Versions: SVN, 13.1.0, 13.4.0
Attachments: (0) asterisk-ecdh.patch, (1) res_rtp_asterisk.patch
Description: This issue has already been reported at http://forums.asterisk.org/viewtopic.php?f=1&t=95417

Whenever calling a webrtc peer which uses firefox version 39 (or 40 beta), I get error messages like "res_rtp_asterisk.c: DTLS failure occurred on RTP instance '0x7fefe800e9e8' due to reason 'no shared cipher', terminating" after the SDP exchange, and the call terminates.

Hopefully you can reproduce it yourself on the latest version of asterisk by using
http://www.sipml5.org/call.htm (I'm not sure if asterisk is doing anything wrong or just firefox/sipml5)

I will provide more info if it's not easily reproducible.

Comments:

By: Asterisk Team (asteriskteam) 2015-07-17 15:19:58.323-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Mark Duncan (mwduncan) 2015-07-24 02:25:53.662-0500

I can confirm this in asterisk-13.1-cert2 (with the small patch to fix the DTLS handshake on newer OpenSSL versions manually applied). I have tried with Firefox and Firefox Developer Edition and both show the exact same issue. An incoming call is immediately dropped when attempting to answer. Chrome works as expected. The error shown in the Asterisk console is as follows:

{{[Jul 24 07:24:48] ERROR[1336]: res_rtp_asterisk.c:2042 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f77bc007888' due to reason 'no shared cipher', terminating}}

By: Mark Duncan (mwduncan) 2015-07-24 03:44:48.900-0500

Seems related to Perfect Forward Secrecy: https://hacks.mozilla.org/2015/02/webrtc-requires-perfect-forward-secrecy-pfs-starting-in-firefox-38/

I have a small patch that fixed Firefox Developer Edition for me. Waiting for the CLA to get approved so I can submit it.

By: Mark Duncan (mwduncan) 2015-07-28 05:20:25.588-0500

Attached patch will add ECDH support to Asterisk. It will detect auto ECDH in OpenSSL (1.0.2b and above) during ./configure. If this is available, it will use it, otherwise it will fall back to prime256v1 (this behavior is consistent with other projects such as Apache and nginx).

This fixes WebRTC being broken in Firefox 38+ due to Firefox now only supporting ciphers with perfect forward secrecy.

Tested against master and 13.1-cert2.

Apply with {{patch -p1 < [path to patch]}} in your Asterisk source dir.

By: Rusty Newton (rnewton) 2015-07-28 09:14:05.677-0500

Once you've followed the Code Review process [1] and submitted your code to Gerrit [2] be sure to edit this JIRA issue and add the Gerrit review URL in the appropriate field.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review
[2] https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage

By: Mark Duncan (mwduncan) 2015-07-28 21:33:54.033-0500

Rusty, I can't seem to do anything with this issue other than add comments, but the Gerrit review is showing up under the "Gerrit Reviews" tab.

By: Stefan Engström (StefanEng86) 2015-07-29 06:31:14.551-0500

Thank you, Mark Duncan. I tested the original patch you attached to this JIRA and it seems to work fine.

By: Mark Duncan (mwduncan) 2015-07-29 07:06:34.227-0500

Glad it helped you! I ran into this problem myself just last week and that's how I found your report. I wouldn't be surprised if Chrome makes the same change eventually. The only difference between what is attached here and what is on Gerrit is indentation.

A couple of other patches you might be interested in (these are things that got me with 13.1-cert2):

ASTERISK-24711 - Installing Asterisk with a new version of OpenSSL (what is included in an up to date Ubuntu 14.04 for example) results in a broken DTLS handshake. This patch fixes it. If you haven't applied this patch and your distro updates OpenSSL, you'll run into this.

ASTERISK-25096 - Websocket related segfault. I ran into this when a client would go into sleep mode and then wake up. It would instantly segfault Asterisk. It was a big patch (I just pulled the latest patch from Gerrit), but it works.

With those 2 patches and the patch for ECDH support, 13.1-cert2 has been pretty solid for me so far.

By: Kirill Marchuk (62mkv) 2015-07-29 22:57:18.369-0500

Hi

Obviously this affects all current versions of Asterisk, not only 13.1.

Any info on when this patch will be introduced as part of a stable release? (And which version is it expected to be in?)

Thanks

By: Steve Davies (one47) 2015-08-05 05:10:18.522-0500

Hi, I've seen the patches on Gerrit for this, but just reading the code, I believe this code will leak a key when using the non-"auto" version of the ECDH support, as it is necessary to call {{EC_KEY_free(key)}} after using {{EC_KEY_new_by_curve_name()}} according to all the examples I have seen.

I tried to add this as a review comment in Gerrit on Change 1029, but my comment is stuck in 'Draft' and I cannot see how to commit it from the webpage.


By: Joshua C. Colp (jcolp) 2015-08-05 05:18:59.283-0500

The review was merged 2 days ago, the only subsequent change that can be done is a new review.

By: Joshua C. Colp (jcolp) 2015-08-05 05:29:12.790-0500

Reviews have been created which fix it.

By: Kirill Marchuk (62mkv) 2015-08-05 05:36:33.744-0500

So, which Asterisk version has (or will have) this bug fixed?

By: Joshua C. Colp (jcolp) 2015-08-05 05:40:24.151-0500

13.6.0

By: Kirill Marchuk (62mkv) 2015-08-05 05:53:19.692-0500

Sorry for the probably "ignorant" question... I see that 13.5.0 is not released yet; so maybe it is possible to have this patch included in 13.5.0? Just asking...

By: Joshua C. Colp (jcolp) 2015-08-05 05:57:23.543-0500

13.5.0 is in release candidate status; unless issues occur from code in the release candidate itself (and so far nothing has come up), a release candidate does not get changed. Adding additional stuff would turn it into a moving target.

By: Krzysztof Urbaniak (urbaniak) 2015-08-11 07:12:22.375-0500

I've applied that patch to 13.5.0-rc1 and when trying to answer a call from Firefox I get:

[Aug 11 12:06:32] ERROR[7505][C-00000005]: res_rtp_asterisk.c:2093 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f16a800a1a8' due to reason 'missing tmp ecdh key', terminating
[Aug 11 12:06:32] WARNING[7505][C-00000005]: res_rtp_asterisk.c:3957 ast_rtcp_read: RTCP Read error: Unspecified.  Hanging up.

Does it require some additional configuration?

By: Mark Duncan (mwduncan) 2015-08-11 20:34:18.634-0500

Krzysztof, what version of OpenSSL are you using and on what distro? I haven't tried 13.5 yet, but I've had no problems on 13.1 and 13.4 with it. It seems like it may be a problem with your OpenSSL library. But, no, there's no additional configuration needed (aside from running ./configure of course).

By: Eugene Voityuk (sarumjanuch) 2015-08-28 10:27:20.064-0500

Patch for the same issue but for Asterisk 11.19. Didn't test with other versions. [^ res_rtp_asterisk.patch]

By: Eugene Voityuk (sarumjanuch) 2015-08-28 10:27:29.476-0500

I was trying to backport the original patch to Asterisk 11, with no success. Also, I believe the original patch requires the latest version of OpenSSL, so I did another patch, which works with the latest OpenSSL from the CentOS repository. For me it did fix the issue with Firefox. [^ res_rtp_asterisk.patch]