
Summary: ASTERISK-28018: IP Fragmentation happening instead of DTLS fragmentation on handshake server hello certificate
Reporter: vijay kumar (vijaykumar@drishti-soft.com)
Labels: security webrtc
Date Opened: 2018-08-21 04:15:28
Date Closed: 2019-06-17 08:41:25
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_rtp_asterisk
Versions: 13.16.0 15.5.0
Frequency of Occurrence:
Related Issues:
duplicates ASTERISK-26544 res_rtp_asterisk: Delay in DTLS handshake causes audio setup delay
is related to ASTERISK-27826 res_rtp_asterisk: DTLS negotiation fails when it should succeed, causing SRTP failure
Environment:
Attachments: ( 0) dtls_ip_fragment.pcapng
Description: When checking in Wireshark, IP fragmentation is happening instead of DTLS fragmentation on the handshake Server Hello / Certificate.
How can I avoid IP fragmentation of the DTLS handshake Server Hello / Certificate packet in the case of WebRTC and Asterisk 13?


Comments:By: Asterisk Team (asteriskteam) 2018-08-21 04:15:31.268-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-08-21 04:15:32.035-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 04:19:14.833-0500

DTLS PCAP wireshark

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 04:20:37.164-0500

I also tried

<code removed>

in the dtls_details_initialize function in res_rtp_asterisk.c, but IP fragmentation is still happening in Wireshark.

By: Joshua C. Colp (jcolp) 2018-08-21 05:18:01.775-0500

It appears the bug you have submitted is against a rather old version of a supported branch of Asterisk. There have been many issues fixed between the version you are using and the current version of your branch. Please test with the latest version in your Asterisk branch and report whether the issue persists.

Please see the Asterisk Versions [1] wiki page for info on which versions of Asterisk are supported.
[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions



By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 05:20:07.004-0500

Yes, I also tried Asterisk 15.5.0, and IP fragmentation is still happening.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 05:21:13.661-0500

In Asterisk 15.5.0 I checked with the same, but no luck; IP fragmentation is still happening.

By: Joshua C. Colp (jcolp) 2018-08-21 05:21:59.117-0500

What is the precise problem you are experiencing? Is the DTLS negotiation failing as a result? What is the precise scenario? You need to provide more information about the scenario.

By: Joshua C. Colp (jcolp) 2018-08-21 05:22:21.228-0500

In the future as well do not file security issues that aren't for security issues.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 05:25:39.366-0500

Scenario: When we are using GCP with Asterisk, then on a few Internet service providers (IAXN) IP fragmentation is blocked, and the Server Hello is not received on the client side (Wireshark capture), so voice is not coming. So we are trying to change the fragmentation at the application layer, so that IP fragmentation will be avoided, the client can receive the Server Hello / Certificate handshake message, and voice will come properly.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 05:59:58.776-0500

On a different Internet service provider (e.g. Spectra) it is working fine and voice is coming, but we cannot change the ISP at the customer end, so we need to set DTLS fragmentation at the application layer so that the voice issue will be solved.

By: Richard Mudgett (rmudgett) 2018-08-21 10:48:53.279-0500

The problem is in OpenSSL and not Asterisk, as described in the comments on ASTERISK-26544. The only way to fix this would be for Asterisk to know how DTLS is formatted and fragment the DTLS negotiation packets created by the OpenSSL BIO we use, or make the BIO support a fixed MTU like other BIOs have. Neither of these options is likely. Asterisk should not have to know how DTLS is formatted, as that is OpenSSL's job. Changing OpenSSL is rather difficult as so many things use it. As a workaround you need to use smaller keys to fit into the network's MTU, though that may be difficult to do with trust chains making the keys larger.
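
To make concrete what the comment above describes (the DTLS layer can itself split an oversized handshake message such as the Certificate into fragments that each fit the path MTU, so the IP layer never has to fragment the datagram), here is an added example; it is not code from Asterisk, OpenSSL or this issue. It builds RFC 6347 handshake records, splits one large message into fragments that fit an assumed MTU, reassembles them in any order (including retransmitted duplicates), and flags datagrams that would have to be IP-fragmented. The 3072-byte body and the 1200-byte MTU are constructed sample values, not a real certificate or the MTU of any network mentioned on this issue; the records are epoch-0 plaintext, which is the state a handshake Certificate message is sent in.

```python
"""Added example: DTLS-layer fragmentation and reassembly of a handshake message
(RFC 6347 record and handshake headers). Not Asterisk or OpenSSL code."""
import struct

CT_HANDSHAKE = 22          # DTLS ContentType handshake
DTLS12 = 0xFEFD            # DTLS 1.2 ProtocolVersion as sent on the wire
HS_CERTIFICATE = 11        # HandshakeType certificate
RECORD_HDR = 13            # type(1) version(2) epoch(2) seq(6) length(2)
HS_HDR = 12                # msg_type(1) length(3) message_seq(2) frag_off(3) frag_len(3)


def u24(n):
    return n.to_bytes(3, "big")


def record(payload, epoch=0, seq=0, ctype=CT_HANDSHAKE):
    """Wrap payload in one DTLSPlaintext record (epoch 0, unencrypted, as during the handshake)."""
    return (struct.pack("!BHH", ctype, DTLS12, epoch) + seq.to_bytes(6, "big")
            + struct.pack("!H", len(payload)) + payload)


def fragment_handshake(msg_type, body, message_seq, mtu, first_seq=0):
    """Split one handshake message into records whose UDP payload is <= mtu bytes.
    Each fragment repeats the 12-byte handshake header with its own fragment_offset and
    fragment_length, which is how the peer reassembles without any IP fragmentation."""
    max_frag = mtu - RECORD_HDR - HS_HDR
    if max_frag <= 0:
        raise ValueError("mtu leaves no room for handshake data")
    datagrams, off, seq = [], 0, first_seq
    while True:
        chunk = body[off:off + max_frag]
        hs = (struct.pack("!B", msg_type) + u24(len(body)) + struct.pack("!H", message_seq)
              + u24(off) + u24(len(chunk)) + chunk)
        datagrams.append(record(hs, seq=seq))
        off += len(chunk)
        seq += 1
        if off >= len(body):
            return datagrams


def parse_records(datagram):
    """Return [(content_type, epoch, seq, payload), ...]; one datagram may carry several records."""
    recs, pos = [], 0
    while pos < len(datagram):
        if len(datagram) - pos < RECORD_HDR:
            raise ValueError("truncated record header")
        ctype, _version, epoch = struct.unpack_from("!BHH", datagram, pos)
        seq = int.from_bytes(datagram[pos + 5:pos + 11], "big")
        (length,) = struct.unpack_from("!H", datagram, pos + 11)
        start = pos + RECORD_HDR
        if start + length > len(datagram):
            raise ValueError("record length runs past the datagram")
        recs.append((ctype, epoch, seq, datagram[start:start + length]))
        pos = start + length
    return recs


def reassemble(datagrams):
    """Rebuild handshake messages from fragments arriving in any order, with duplicates
    (DTLS retransmits). Returns {message_seq: (msg_type, body)} for complete messages only."""
    partial = {}   # message_seq -> [msg_type, total_len, buffer, set of filled offsets]
    for dg in datagrams:
        for ctype, _epoch, _seq, payload in parse_records(dg):
            if ctype != CT_HANDSHAKE:
                continue
            pos = 0
            while pos < len(payload):
                if len(payload) - pos < HS_HDR:
                    raise ValueError("truncated handshake header")
                mt = payload[pos]
                total = int.from_bytes(payload[pos + 1:pos + 4], "big")
                mseq = int.from_bytes(payload[pos + 4:pos + 6], "big")
                foff = int.from_bytes(payload[pos + 6:pos + 9], "big")
                flen = int.from_bytes(payload[pos + 9:pos + 12], "big")
                frag = payload[pos + HS_HDR:pos + HS_HDR + flen]
                if len(frag) != flen or foff + flen > total:
                    raise ValueError("fragment bounds exceed message length")
                entry = partial.setdefault(mseq, [mt, total, bytearray(total), set()])
                if entry[0] != mt or entry[1] != total:
                    raise ValueError("inconsistent fragments for message_seq %d" % mseq)
                entry[2][foff:foff + flen] = frag
                entry[3].update(range(foff, foff + flen))
                pos += HS_HDR + flen
    return {mseq: (mt, bytes(buf)) for mseq, (mt, total, buf, got) in partial.items()
            if len(got) == total}


def oversized(datagrams, mtu):
    """Indices of datagrams larger than mtu: these are what the IP layer must fragment,
    and what a network that drops fragments (as reported on this issue) never delivers."""
    return [i for i, dg in enumerate(datagrams) if len(dg) > mtu]


if __name__ == "__main__":
    body = bytes(range(256)) * 12       # constructed 3072-byte stand-in for a Certificate body
    MTU = 1200                          # assumed UDP payload budget for the link
    unsplit = fragment_handshake(HS_CERTIFICATE, body, 2, mtu=10 ** 6)
    print("single datagram bytes:", len(unsplit[0]), "oversized:", oversized(unsplit, MTU))
    split = fragment_handshake(HS_CERTIFICATE, body, 2, mtu=MTU)
    print("fragment sizes:", [len(d) for d in split], "oversized:", oversized(split, MTU))
    assert reassemble(list(reversed(split)))[2] == (HS_CERTIFICATE, body)
```

The same distinction can be checked on a capture such as the attached dtls_ip_fragment.pcapng: the Wireshark display filter `ip.flags.mf == 1 || ip.frag_offset > 0` shows datagrams the IP layer had to split, while `dtls.handshake.fragment_offset > 0` shows handshake messages that DTLS itself fragmented. A healthy handshake on a fragment-dropping network matches the second filter and not the first.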

By: Joshua C. Colp (jcolp) 2018-08-21 11:03:23.945-0500

Unfortunately per the comment from [~rmudgett] this is a problem in OpenSSL itself with no workaround. If you'd like to contribute something which fixes the problem that would be welcome.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-21 11:24:53.377-0500

Currently Asterisk is running on OpenSSL 1.0.2, and there is a udp_dtls_echo program written in C in which DTLS fragmentation happens perfectly. Only in the case of Asterisk is it IP fragmentation.

By: Asterisk Team (asteriskteam) 2018-08-21 11:24:53.701-0500

This issue has been reopened as a result of your commenting on it as the reporter. It will be triaged once again as applicable.

By: Richard Mudgett (rmudgett) 2018-08-21 11:30:25.984-0500

IIRC, that program uses the BIO that connects directly to a socket. That BIO is unusable by Asterisk.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-26 02:25:10.460-0500

So is there any way to use the BIO that connects directly to a socket in res_rtp_asterisk.c, or do we have to figure this out in the open-source OpenSSL?

By: Asterisk Team (asteriskteam) 2018-08-26 02:25:11.817-0500

This issue has been reopened as a result of your commenting on it as the reporter. It will be triaged once again as applicable.

By: Richard Mudgett (rmudgett) 2018-08-27 11:57:01.971-0500

That question was already answered by my last comment, by the analysis presented on the linked issue, and by the summary of the linked issue when I pointed to the linked issue.

By: vijay kumar (vijaykumar@drishti-soft.com) 2018-08-30 09:12:56.987-0500

We have tried to reduce the certificate size. It is working locally, but the certificate is not recognized by the browser on Google Cloud Platform, as the certificate is self-signed. So we tried to purchase a new one, but no Certificate Authority is issuing a smaller certificate. Can you please provide any suggestion that we can use as a workaround?

By: Asterisk Team (asteriskteam) 2018-08-30 09:12:57.139-0500

This issue has been reopened as a result of your commenting on it as the reporter. It will be triaged once again as applicable.

By: Malcolm Davenport (mdavenport) 2018-08-30 09:17:48.501-0500

This issue tracker doesn't serve as a peer support platform.  You're welcome to use other resources for that purpose.

By: Friendly Automation (friendly-automation) 2019-06-17 08:41:26.789-0500

Change 11467 merged by Joshua Colp:
res_rtp_asterisk: Add support for DTLS packet fragmentation.

[https://gerrit.asterisk.org/c/asterisk/+/11467|https://gerrit.asterisk.org/c/asterisk/+/11467]

By: Friendly Automation (friendly-automation) 2019-06-17 08:41:49.720-0500

Change 11469 merged by Joshua Colp:
res_rtp_asterisk: Add support for DTLS packet fragmentation.

[https://gerrit.asterisk.org/c/asterisk/+/11469|https://gerrit.asterisk.org/c/asterisk/+/11469]

By: Friendly Automation (friendly-automation) 2019-06-17 08:42:14.717-0500

Change 11468 merged by Joshua Colp:
res_rtp_asterisk: Add support for DTLS packet fragmentation.

[https://gerrit.asterisk.org/c/asterisk/+/11468|https://gerrit.asterisk.org/c/asterisk/+/11468]