[Freeswitch-users] WebRTC using rtp_sdes_suites=AES_CM_128_HMAC_SHA1_80
Michael Jerris
mike at jerris.com
Wed May 9 19:58:01 UTC 2018
I’m not sure exactly what it will take resource wise. I will say that this has nothing to do with https certificates and what is accepted for that in the browser. We took a peek at it today and see for sure its hardcoded and needs some work.
Mike
> On May 9, 2018, at 3:54 PM, Jerry Chinn <JHChinn at TheNavisWay.com> wrote:
>
> Michael,
>
> Thanks for answering my question.
> Since the SHA-1 hash function is considered vulnerable, will there be an effort to modify the hard coded entry to one that isn’t as vulnerable?
> Starting with version 56, Google Chrome will mark all SHA-1-signed HTTPS certificates as unsafe. Other major browser vendors plan to do the same.
> Since we are using this for WebRTC it seems that a modification to the code is warranted.
>
> Your thoughts?
>
>
> Jerry Chinn
> Telecom VoIP Specialist
> NAVIS More Performance. More Profit.
> tel 541-330-3562
> www.TheNavisWay.com <http://www.thenavisway.com/>
> Facebook <https://www.facebook.com/theNAVISway/> | Twitter <https://twitter.com/NAVISway> | LinkedIn <https://www.linkedin.com/company/navisway> | Blog <https://www.thenavisway.com/blog>
>
> From: FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Michael Jerris
> Sent: Wednesday, May 09, 2018 12:02 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] WebRTC using rtp_sdes_suites=AES_CM_128_HMAC_SHA1_80
>
> on DTLS this setting is currently a no-op and the suites it uses are hard coded.
>
>
> On May 9, 2018, at 2:21 PM, Mirko Brankovic <mirkobrankovic at gmail.com <mailto:mirkobrankovic at gmail.com>> wrote:
>
> Hi,
> I had a same problem.
> Was debugging a different handshake problem, and wanted to try other chipers, but failed.
> Looks like the setting is not applied at all, and would be nice to use cheeper (network wise) encroption
>
> On Wed, May 9, 2018, 00:52 Aqs Younas <aqsyounas at gmail.com <mailto:aqsyounas at gmail.com>> wrote:
> I would also be interested to know if you make this work.
>
> Best Regards,
>
> Aqs Younas
>
> On 8 May 2018 at 22:11, Jerry Chinn <JHChinn at thenavisway.com <mailto:JHChinn at thenavisway.com>> wrote:
> Good Day,
> Running FS 1.6.17 on CentOS 7.4
>
> We are running WebRTC and are required to use AEAD_AES_256_GCM_8 or AEAD_AES_128_GCM_8 for security.
> I have eliminated all of the options in the vars file except rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8.
>
> Calls are successfully completing, however, in debug we are seeing AES_CM_128_HMAC_SHA1_80 as the sdes suite for srtp:dtls.
>
> 2018-05-04 22:38:30.429310 [INFO] switch_rtp.c:3185 Changing audio DTLS state from HANDSHAKE to SETUP
> 2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3094 audio Fingerprint Verified.
> 2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3908 Activating audio Secure RTP SEND
> 2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
> 2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3886 Activating audio Secure RTP RECV
> 2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3134 Changing audio DTLS state from SETUP to READY
> 2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
> 2018-05-04 22:38:30.450549 [DEBUG] switch_rtp.c:1885 rtcp_stats_init: audio ssrc[3910337773] base_seq[2433]
>
> Any ideas on how or where to change this to the desired encryption protocol?
>
> Jerry Chinn
> Telecom VoIP Specialist
> .
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org <http://www.freeswitch.org/>
> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
> http://www.cluecon.com <http://www.cluecon.com/>
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
> http://www.freeswitch.org <http://www.freeswitch.org/>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org <http://www.freeswitch.org/>
> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
> http://www.cluecon.com <http://www.cluecon.com/>
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
> http://www.freeswitch.org <http://www.freeswitch.org/>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org <http://www.freeswitch.org/>
> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
> http://www.cluecon.com <http://www.cluecon.com/>
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org <http://www.freeswitch.org/>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org <http://www.freeswitch.org/>
> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
> http://www.cluecon.com <http://www.cluecon.com/>
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
> http://www.freeswitch.org <http://www.freeswitch.org/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180509/c037d8ca/attachment-0001.html>
More information about the FreeSWITCH-users
mailing list