[Freeswitch-users] WebRTC using rtp_sdes_suites=AES_CM_128_HMAC_SHA1_80

Jerry Chinn JHChinn at TheNavisWay.com
Wed May 9 19:54:25 UTC 2018


Michael,

Thanks for answering my question.
Since the SHA-1 hash function is considered vulnerable, will there be an effort to modify the hard coded entry to one that isn't as vulnerable?
Starting with version 56, Google Chrome will mark all SHA-1-signed HTTPS certificates as unsafe. Other major browser vendors plan to do the same.
Since we are using this for WebRTC it seems that a modification to the code is warranted.

Your thoughts?


Jerry Chinn
Telecom VoIP Specialist
NAVIS More Performance. More Profit.
tel 541-330-3562
www.TheNavisWay.com
Facebook<https://www.facebook.com/theNAVISway/> | Twitter<https://twitter.com/NAVISway> | LinkedIn<https://www.linkedin.com/company/navisway> | Blog<https://www.thenavisway.com/blog>

From: FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Michael Jerris
Sent: Wednesday, May 09, 2018 12:02 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] WebRTC using rtp_sdes_suites=AES_CM_128_HMAC_SHA1_80

On DTLS this setting is currently a no-op and the suites it uses are hard coded.


On May 9, 2018, at 2:21 PM, Mirko Brankovic <mirkobrankovic at gmail.com> wrote:

Hi,
I had the same problem.
Was debugging a different handshake problem, and wanted to try other ciphers, but failed.
Looks like the setting is not applied at all, and it would be nice to use cheaper (network-wise) encryption.

On Wed, May 9, 2018, 00:52 Aqs Younas <aqsyounas at gmail.com> wrote:
I would also be interested to know if you make this work.

Best Regards,

Aqs Younas

On 8 May 2018 at 22:11, Jerry Chinn <JHChinn at thenavisway.com> wrote:
Good Day,
Running FS 1.6.17 on CentOS 7.4

We are running WebRTC and are required to use AEAD_AES_256_GCM_8 or AEAD_AES_128_GCM_8 for security.
I have eliminated all of the options in the vars file except rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8.

Calls are successfully completing, however, in debug we are seeing AES_CM_128_HMAC_SHA1_80 as the sdes suite for srtp:dtls.

2018-05-04 22:38:30.429310 [INFO] switch_rtp.c:3185 Changing audio DTLS state from HANDSHAKE to SETUP
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3094 audio Fingerprint Verified.
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3908 Activating audio Secure RTP SEND
2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3886 Activating audio Secure RTP RECV
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3134 Changing audio DTLS state from SETUP to READY
2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
2018-05-04 22:38:30.450549 [DEBUG] switch_rtp.c:1885 rtcp_stats_init: audio ssrc[3910337773] base_seq[2433]

Any ideas on how or where to change this to the desired encryption protocol?

Jerry Chinn
Telecom VoIP Specialist


_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com<http://www.freeswitchsolutions.com/>

Official FreeSWITCH Sites
http://www.freeswitch.org<http://www.freeswitch.org/>
http://confluence.freeswitch.org<http://confluence.freeswitch.org/>
http://www.cluecon.com<http://www.cluecon.com/>

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org<http://www.freeswitch.org/>
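
Added example (not part of the original thread and not FreeSWITCH code): a log check that compares the suite reported on the "Secure Type" debug lines quoted above against the suites the poster is required to use, which is how the mismatch on DTLS legs can be caught when rtp_sdes_suites is not applied. The srtp:<keying>:<suite> layout is inferred from the one form shown in the thread, and the last sample line is constructed.

```python
import re
from collections import Counter

# Required suites, taken from the rtp_sdes_suites value quoted in the thread.
REQUIRED = {"AEAD_AES_256_GCM_8", "AEAD_AES_128_GCM_8"}

# Assumption: "Secure Type" lines always follow srtp:<keying>:<suite>,
# generalised from the single srtp:dtls:... form shown in the thread.
SECURE_TYPE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[\w+\] \S+ "
    r"Secure Type: srtp:(?P<keying>[^:\s]+):(?P<suite>\S+)$"
)

# First eight lines are the log excerpt from the thread; the ninth is a
# constructed line showing what a compliant leg would look like.
SAMPLE_LOG = """\
2018-05-04 22:38:30.429310 [INFO] switch_rtp.c:3185 Changing audio DTLS state from HANDSHAKE to SETUP
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3094 audio Fingerprint Verified.
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3908 Activating audio Secure RTP SEND
2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3886 Activating audio Secure RTP RECV
2018-05-04 22:38:30.450549 [INFO] switch_rtp.c:3134 Changing audio DTLS state from SETUP to READY
2018-05-04 22:38:30.450549 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AES_CM_128_HMAC_SHA1_80
2018-05-04 22:38:30.450549 [DEBUG] switch_rtp.c:1885 rtcp_stats_init: audio ssrc[3910337773] base_seq[2433]
2018-05-04 22:39:02.000000 [DEBUG] switch_core_sqldb.c:2617 Secure Type: srtp:dtls:AEAD_AES_256_GCM_8
"""

def audit(log_text, required=REQUIRED):
    """Return one finding per 'Secure Type' line whose suite is not required."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = SECURE_TYPE.match(line.strip())
        if m and m["suite"] not in required:
            findings.append({"line": lineno, "time": m["ts"],
                             "keying": m["keying"], "suite": m["suite"]})
    return findings

def summarize(findings):
    """Count violations per (keying method, suite) pair."""
    return Counter((f["keying"], f["suite"]) for f in findings)

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("line {line} {time}: {keying} leg used {suite}".format(**f))
```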
