
Summary:ASTERISK-28167: 256 cipher during outgoing calls
Reporter:Evgeny (nodorgrom)
Labels:pjsip
Date Opened:2018-11-16 01:01:58.000-0600
Date Closed:2020-01-14 11:13:49.000-0600
Priority:Minor
Regression?:No
Status:Closed/Complete
Components:pjproject/pjsip
Versions:15.6.1
Frequency of Occurrence:Constant
Related Issues:
Environment:Debian 9 x86_64 OpenSSL 1.1.0f 25 May 2017 openssl ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
Attachments:
Description:Outgoing calls from (through) Asterisk 15.6.1 to Bria Mobile 5.4.3.108509 couldn't have a cipher stronger than 128-bit in SDP.
Asterisk doesn't provide more than one cipher for establishing media in SDP.
{noformat}
[ log ]
[ endpoint -> Asterisk 15.6.1 (PJSIP) -> Bria Mobile ]
xv=0
xo=- 1214669129 1214669129 IN IP4 172.25.73.249
xs=Asterisk
xc=IN IP4 172.25.73.249
xt=0 0
xm=audio 19716 RTP/SAVP 18 8 0 101
xa=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:8uS5QdiGu0CCxCf7BiBNbn58/CemIGWucwznTmpv
xa=rtpmap:18 G729/8000
xa=fmtp:18 annexb=no
xa=rtpmap:8 PCMA/8000
xa=rtpmap:0 PCMU/8000
xa=rtpmap:101 telephone-event/8000
xa=fmtp:101 0-16
xa=ptime:20
xa=maxptime:150
xa=sendrecv
{noformat}

During an incoming call the SDP has multiple ciphers
{noformat}
[ log ]
[ Asterisk 15.6.1 (PJSIP) <- Bria Mobile ]
xv=0
xo=- 1192253840736 1 IN IP4 91.25...
xs=Cpc session
xc=IN IP4 91.25...
xt=0 0
xm=audio 48112 RTP/SAVP 18 101
xa=rtpmap:18 G729/8000
xa=fmtp:18 annexb=no
xa=rtpmap:101 telephone-event/8000
xa=fmtp:101 0-15
xa=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:4eKmAS423WOe8GKpO5HuvIZ+T+0326FzMsNT6zXVOCNUrMVmVl6UN8893v1x3Q==
xa=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:r4afx6ibhJnuI3pwR3pAcu8aJKt9hHGSVh8nVW6bqCMSBAndVyuSEvXkgvAPcw==
xa=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:O+pJcaai9betFXvpYY80cdawCHGlXeeSp9mlAg+5
xa=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:usEncd0HMQ2+5bvTOKoJ03PnzLUxp8fabIw7fyII
xa=sendrecv
xa=nortpproxy:yes
{noformat}
Clients agree on the 256 cipher

[ log ]
https://community.asterisk.org/t/pjsip-cipher-256/77157/11?u=nodorgrom
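The two traces in the description show the mechanism behind the report: with SDES (RFC 4568) the answerer can only pick one of the a=crypto lines the offerer sent, so an egress offer that lists a single AES_CM_128 suite can never end in AES-256, whereas the phone's ingress offer lists four suites and lets Asterisk choose. The following script is an added example, not code from this report or from Asterisk/pjproject: it parses the a=crypto attributes out of an SDP body, reports the strongest key length an offer permits, and applies the offer/answer selection rule. The SDP bodies, IP addresses and key material inside it are constructed (dummy base64 of zero bytes), modelled on the traces above.

```python
# Added example (not code from the report or from Asterisk/pjproject): parse the
# SDES crypto attributes (RFC 4568) in an SDP body and work out which SRTP suite
# an offer/answer pair can end up with. All SDP below is constructed to mirror
# the traces in the report; key material is dummy base64 of zero bytes.
import base64
import re
from typing import List, NamedTuple, Optional

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([^|\s]+)")


class CryptoLine(NamedTuple):
    tag: int         # the "1" in "a=crypto:1 ..."
    suite: str       # e.g. AES_CM_128_HMAC_SHA1_80
    key_params: str  # base64 master key || salt (only parsed, never used here)


def suite_key_bits(suite: str) -> int:
    """Key length implied by the suite name: AES_256_CM_* (RFC 6188) is 256-bit,
    AES_CM_128_* (RFC 4568) is 128-bit."""
    if suite.startswith("AES_256_CM_"):
        return 256
    if suite.startswith("AES_CM_128_"):
        return 128
    raise ValueError(f"unknown SRTP suite {suite!r}")


def parse_crypto(sdp: str) -> List[CryptoLine]:
    """Return every a=crypto line in order of appearance."""
    found = []
    for raw in sdp.splitlines():
        m = CRYPTO_RE.match(raw.strip())
        if m:
            found.append(CryptoLine(int(m.group(1)), m.group(2), m.group(3)))
    return found


def strongest_offered_bits(sdp: str) -> int:
    """Best key length the offerer is willing to use; 0 if there is no SDES at all."""
    return max((suite_key_bits(c.suite) for c in parse_crypto(sdp)), default=0)


def negotiate(offer_sdp: str, answer_sdp: str) -> Optional[CryptoLine]:
    """RFC 4568 rule: the answer carries exactly one a=crypto whose tag and suite
    match one of the offer's lines. The answerer can only pick, never add, so the
    offer alone bounds the strength. Returns the chosen offer line or None."""
    offered = {c.tag: c for c in parse_crypto(offer_sdp)}
    answers = parse_crypto(answer_sdp)
    if len(answers) != 1:
        return None
    chosen = offered.get(answers[0].tag)
    if chosen is None or chosen.suite != answers[0].suite:
        return None
    return chosen


def dummy_key(nbytes: int) -> str:
    """Constructed placeholder key||salt (30 bytes for AES_CM_128, 46 for AES_256_CM)."""
    return base64.b64encode(b"\x00" * nbytes).decode()


# Constructed: what Asterisk sent on egress in the report (one 128-bit suite only).
ASTERISK_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=Asterisk", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 19716 RTP/SAVP 18 8 0 101",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{dummy_key(30)}",
    "a=sendrecv",
])

# Constructed: what the phone offered on ingress (256-bit suites listed first).
PHONE_OFFER = "\n".join([
    "v=0", "o=- 2 1 IN IP4 198.51.100.7", "s=Cpc session", "c=IN IP4 198.51.100.7", "t=0 0",
    "m=audio 48112 RTP/SAVP 18 101",
    f"a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:{dummy_key(46)}",
    f"a=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:{dummy_key(46)}",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{dummy_key(30)}",
    f"a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:{dummy_key(30)}",
    "a=sendrecv",
])


def answer_with(tag: int, suite: str) -> str:
    """Constructed answer body that picks one tag/suite."""
    nbytes = 46 if suite_key_bits(suite) == 256 else 30
    return "\n".join([
        "v=0", "o=- 3 1 IN IP4 203.0.113.5", "s=-", "c=IN IP4 203.0.113.5", "t=0 0",
        "m=audio 4000 RTP/SAVP 18 101",
        f"a=crypto:{tag} {suite} inline:{dummy_key(nbytes)}",
        "a=sendrecv",
    ])


if __name__ == "__main__":
    print("egress offer caps at", strongest_offered_bits(ASTERISK_OFFER), "bits")
    print("ingress offer caps at", strongest_offered_bits(PHONE_OFFER), "bits")
    # The phone cannot answer a 128-only offer with a 256-bit suite: invalid, so None.
    print(negotiate(ASTERISK_OFFER, answer_with(1, "AES_256_CM_HMAC_SHA1_80")))
```

Running it against a captured 'pjsip set logger on' trace is a quick way to confirm, from the offer alone, what the strongest possible negotiated suite on that leg can be.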
Comments:
By: Asterisk Team (asteriskteam) 2018-11-16 01:01:59.465-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-11-16 01:01:59.871-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Kevin Harwell (kharwell) 2018-11-16 15:58:00.000-0600

Not a security issue, so moved to "bug" type

By: Kevin Harwell (kharwell) 2018-11-16 16:07:57.432-0600

We require additional debug to continue with triage of your issue. Please follow the instructions on the wiki [1] for how to collect debugging information from Asterisk. For expediency, where possible, attach the debug with a '.txt' file extension so that the debug will be usable for further analysis.

Please also include the SIP trace in the log. You can enable SIP debug for the pjsip channel driver by either using the 'pjsip set logger on' CLI command [1], or setting the 'debug' option in the _pjsip.conf_ file [2]

Also please attach your _pjsip.conf_ configuration (at least the relevant parts).

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information
[2] https://wiki.asterisk.org/wiki/display/AST/Asterisk+16+Configuration_res_pjsip

By: Asterisk Team (asteriskteam) 2018-12-01 12:00:01.642-0600

Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidelines [1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines

By: Alexander Traud (traud) 2019-02-19 03:54:54.409-0600

AES-256 was added via ASTERISK-26190. If a Bug Marshal had linked that, I might have seen this issue report earlier. Anyway, please, note its description, especially the last sentence:
{quote}When you have to go for additional suites on egress, enable those via CFLAGS \[…\]{quote}
Consequently, as of today, you cannot enable/configure AES-256 at runtime. Instead, you have to re-configure your Asterisk and compile it again:
{code}
make distclean
CFLAGS='-DENABLE_SRTP_AES_256' ./configure
make
sudo make install
{code}
If that does not work (anymore; it works here in my Asterisk 13), please, create a new issue report. However, if you want to have this configured at runtime, this would be a [Feature Request…|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Bug+Bounties]