FreePBX / FREEPBX-23689

DTLS Fingerprint blank


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 16.0.21
    • Fix Version/s: None
    • Labels:
      None
    • ToDo:
    • Asterisk Version:
      18.9
    • Distro Version:
      16.0.21.9(18.6.0)
    • Distro:
      FreePBX Distro

      Description

      I have 2 near identical servers (Server #1 and Server #2). On both, updated with the latest versions, the SHA-256 fingerprint is blank when replying to an `INVITE` request. This causes the SIP clients to fail to authenticate because it's an invalid parameter.

      When comparing the same client software with another FreePBX server that has not renewed certificate recently (Server #3), it works fine. The issue lies with the FreePBX server.

      Logs from Server #2:

      {noformat}
      <--- Received SIP request (2761 bytes) from WSS:xxxxx:51645 --->
      INVITE sip:*43@unknown SIP/2.0
      Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;branch=z9hG4bK8409331
      To: <sip:*43@unknown>
      From: "xxxxx" <sip:190@xxxxx>;tag=4b0m8ufurh
      CSeq: 2 INVITE
      Call-ID: sm1foo9bal78hqup6j5h
      Max-Forwards: 70
      Authorization: Digest algorithm=MD5, username="190", realm="asterisk", nonce="xxxxx", uri="sip:*43@unknown", response="xxxxx", opaque="xxxxx", qop=auth, cnonce="xxxxx", nc=00000001
      Contact: <sip:e79gd913@5di3fd8l7bul.invalid;transport=ws;ob>
      Allow: ACK,CANCEL,INVITE,MESSAGE,BYE,OPTIONS,INFO,NOTIFY,REFER
      Supported: outbound
      User-Agent: SIP.js/0.20.0
      Content-Type: application/sdp
      Content-Length: 2018

      v=0
      o=- 8629799328462050506 2 IN IP4 127.0.0.1
      s=-
      t=0 0
      a=group:BUNDLE 0
      a=extmap-allow-mixed
      a=msid-semantic: WMS ec9c01b4-edeb-425d-aef7-e3524a05fcc8
      m=audio 62551 UDP/TLS/RTP/SAVPF 111 63 103 104 9 0 8 106 105 13 110 112 113 126
      c=IN IP4 xxxxx
      a=rtcp:9 IN IP4 0.0.0.0
      a=candidate:4252876256 1 udp 2122260223 192.168.0.194 62551 typ host generation 0 network-id 1
      a=candidate:3851926045 1 udp 2122194687 172.31.192.1 62552 typ host generation 0 network-id 2
      a=candidate:2083896148 1 udp 1686052607 xxxxx 62551 typ srflx raddr 192.168.0.194 rport 62551 generation 0 network-id 1
      a=candidate:3019784464 1 tcp 1518280447 192.168.0.194 9 typ host tcptype active generation 0 network-id 1
      a=candidate:2870232813 1 tcp 1518214911 172.31.192.1 9 typ host tcptype active generation 0 network-id 2
      a=ice-ufrag:YI3c
      a=ice-pwd:lVNUZyD0tKYUwFLXEzw/3Lvv
      a=ice-options:trickle
      a=fingerprint:sha-256 8B:0A:58:A6:D3:4C:D7:F6:2E:C2:82:0E:0F:BF:35:4E:A2:E9:BD:9E:13:23:A3:6D:24:41:BA:9C:22:10:78:E6
      a=setup:actpass
      a=mid:0
      a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
      a=extmap:2 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
      a=extmap:3 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
      a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:mid
      a=sendrecv
      a=msid:ec9c01b4-edeb-425d-aef7-e3524a05fcc8 50cda3f5-06de-425c-b0ef-c1051a9c264d
      a=rtcp-mux
      a=rtpmap:111 opus/48000/2
      a=rtcp-fb:111 transport-cc
      a=fmtp:111 minptime=10;useinbandfec=1
      a=rtpmap:63 red/48000/2
      a=fmtp:63 111/111
      a=rtpmap:103 ISAC/16000
      a=rtpmap:104 ISAC/32000
      a=rtpmap:9 G722/8000
      a=rtpmap:0 PCMU/8000
      a=rtpmap:8 PCMA/8000
      a=rtpmap:106 CN/32000
      a=rtpmap:105 CN/16000
      a=rtpmap:13 CN/8000
      a=rtpmap:110 telephone-event/48000
      a=rtpmap:112 telephone-event/32000
      a=rtpmap:113 telephone-event/16000
      a=rtpmap:126 telephone-event/8000
      a=ssrc:3402883931 cname:178tS6W5au4mt0iH
      a=ssrc:3402883931 msid:ec9c01b4-edeb-425d-aef7-e3524a05fcc8 50cda3f5-06de-425c-b0ef-c1051a9c264d

      <--- Transmitting SIP response (307 bytes) to WSS:xxxxx:51645 --->
      SIP/2.0 100 Trying
      Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;rport=51645;received=xxxxx;branch=z9hG4bK8409331
      Call-ID: sm1foo9bal78hqup6j5h
      From: "xxxxx" <sip:190@xxxxx>;tag=4b0m8ufurh
      To: <sip:*43@unknown>
      CSeq: 2 INVITE
      Server: FPBX-16.0.21.9(18.9)
      Content-Length: 0


      == Using SIP RTP Audio TOS bits 184
      == Using SIP RTP Audio CoS mark 5
      == DTLS ECDH initialized (automatic), faster PFS enabled
      -- Executing [*43@from-internal:1] Set("PJSIP/190-00000001", "CONNECTEDLINE(name-charset,i)=utf8") in new stack
      -- Executing [*43@from-internal:2] Set("PJSIP/190-00000001", "CONNECTEDLINE(name,i)=Echo Test") in new stack
      -- Executing [*43@from-internal:3] Set("PJSIP/190-00000001", "CONNECTEDLINE(num,i)=*43") in new stack
      -- Executing [*43@from-internal:4] Answer("PJSIP/190-00000001", "") in new stack
      <--- Transmitting SIP response (1259 bytes) to WSS:xxxxx:51645 --->
      SIP/2.0 200 OK
      Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;rport=51645;received=xxxxx;branch=z9hG4bK8409331
      Call-ID: sm1foo9bal78hqup6j5h
      From: "Driver 9999" <sip:190@xxxxx>;tag=4b0m8ufurh
      To: <sip:*43@unknown>;tag=b51dac75-3ee5-49e9-9c01-bcdda7a6756c
      CSeq: 2 INVITE
      Server: FPBX-16.0.21.9(18.9)
      Contact: <sip:172.31.37.32:8089;transport=ws>
      Allow: OPTIONS, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, MESSAGE, REFER
      Supported: 100rel, timer, replaces, norefersub
      P-Asserted-Identity: "Echo Test" <sip:*43@unknown>
      Content-Type: application/sdp
      Content-Length: 623

      v=0
      o=- 1071813834 4 IN IP4 172.31.37.32
      s=Asterisk
      c=IN IP4 172.31.37.32
      t=0 0
      a=group:BUNDLE 0
      m=audio 11472 UDP/TLS/RTP/SAVPF 0 8
      a=connection:new
      a=setup:active
      a=fingerprint:SHA-256
      a=ice-ufrag:31bd2610556135cd6ce4f01f00019b57
      a=ice-pwd:34a42eda7775318608d28d454d4aeea0
      a=candidate:Hac1f2520 1 UDP 2130706431 172.31.37.32 11472 typ host
      a=candidate:S12dbda5e 1 UDP 1694498815 18.219.218.94 11472 typ srflx raddr 172.31.37.32 rport 11472
      a=rtpmap:0 PCMU/8000
      a=rtpmap:8 PCMA/8000
      a=ptime:20
      a=maxptime:150
      a=sendrecv
      a=rtcp-mux
      a=ssrc:930260978 cname:075d7d96-f80e-4d71-954f-ff0564393e2b
      a=mid:0{noformat}

      You'll notice the server response has `a=fingerprint:SHA-256` with no data after it, meaning it's impossible to verify. I have a third server that hasn't been renewed, and comparing the SIP messages, this is the only meaningful difference. Server #3 on a different domain does report a SHA-256 fingerprint hash, whereas Server #1 and #2 do not.

      Clients are able to register and that works fine, because those requests don't use fingerprinting. The SIP.js error when dialing is obvious considering the field is blank:

      > Failed to execute 'setRemoteDescription' on 'RTCPeerConnection': Failed to parse SessionDescription. a=fingerprint:SHA-256 Failed to create fingerprint from the digest.

      The only thing I can remember doing was renewing the Let's Encrypt certificate. Note that the connection to wss://server:8089/ws is fine, meaning the certificate is valid. Also, registration works.

      What I've tried:

      • Updating FreePBX to latest
      • Updating Asterisk 18.9 from 18.6
      • Performing an in-place install of Asterisk 18 Certified
      • Force reinstalling certificate

      I'm flagging this critical since no calls can be made from the system over WebRTC.
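The failure above is visible in the SDP before any WebRTC client ever complains: RFC 8122 requires `a=fingerprint:` to carry a hash function name and a colon-separated hex digest of the right length (32 bytes for SHA-256), and the Asterisk answer in the trace carries the name only. The script below is an added example, not part of the report or of FreePBX/Asterisk; it splits a `pjsip set logger on` style capture on its `<--- ... --->` banner lines (the format assumed from the trace above), pulls out each SDP body and validates every fingerprint line. The embedded capture is a constructed, shortened excerpt of the offer and answer from the report.

```python
import re

# Digest lengths in bytes for the hash functions RFC 8122 allows in a=fingerprint.
# Both sides of the trace use sha-256, so a valid digest must have 32 hex bytes.
DIGEST_LEN = {
    "sha-1": 20, "sha-224": 28, "sha-256": 32,
    "sha-384": 48, "sha-512": 64, "md5": 16, "md2": 16,
}

# "a=fingerprint:<hash-func> <digest>"; the digest group is optional so that a
# bare "a=fingerprint:SHA-256" (the failing answer) still parses and is reported.
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(?P<func>\S+)(?:\s+(?P<digest>\S+))?\s*$")
HEX_BYTES_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*$")


def check_fingerprint(sdp: str) -> list[str]:
    """Return the problems found in the a=fingerprint lines of one SDP body.

    An empty list means every fingerprint line is well-formed and a DTLS
    transport, if offered, is accompanied by a fingerprint.
    """
    problems = []
    found = False
    for line in (l.rstrip("\r") for l in sdp.splitlines()):
        if not line.startswith("a=fingerprint:"):
            continue
        found = True
        m = FINGERPRINT_RE.match(line)
        if not m:
            problems.append(f"unparseable fingerprint line: {line!r}")
            continue
        func = m.group("func").lower()   # RFC 8122 hash names are case-insensitive
        digest = m.group("digest")
        if func not in DIGEST_LEN:
            problems.append(f"unknown hash function {func!r}")
        elif not digest:
            problems.append(f"{func}: digest is empty")
        elif not HEX_BYTES_RE.match(digest):
            problems.append(f"{func}: digest is not colon-separated hex bytes")
        elif len(digest.split(":")) != DIGEST_LEN[func]:
            problems.append(f"{func}: expected {DIGEST_LEN[func]} bytes, got {len(digest.split(':'))}")
    # A DTLS-SRTP media line (UDP/TLS/RTP/SAVPF) without any fingerprint is also unusable.
    if not found and "UDP/TLS/" in sdp:
        problems.append("DTLS transport offered but no a=fingerprint attribute present")
    return problems


def sdp_bodies_from_log(log: str) -> list[str]:
    """Split a pjsip logger capture into SIP messages and return each SDP body."""
    bodies = []
    # Every message in the capture is introduced by a '<--- ... --->' banner line.
    for msg in re.split(r"^<--- [^\n]* --->$", log, flags=re.M):
        if "Content-Type: application/sdp" not in msg:
            continue
        # SIP headers and body are separated by the first blank line.
        _head, sep, body = msg.partition("\n\n")
        if sep and body.strip():
            bodies.append(body.strip())
    return bodies


# Constructed excerpt of the capture in the report: the client offer carries a
# full sha-256 digest, the Asterisk answer carries the hash name only.
SAMPLE_LOG = """\
<--- Received SIP request (2761 bytes) from WSS:xxxxx:51645 --->
INVITE sip:*43@unknown SIP/2.0
Content-Type: application/sdp
Content-Length: 2018

v=0
o=- 8629799328462050506 2 IN IP4 127.0.0.1
s=-
t=0 0
m=audio 62551 UDP/TLS/RTP/SAVPF 111 0 8
a=fingerprint:sha-256 8B:0A:58:A6:D3:4C:D7:F6:2E:C2:82:0E:0F:BF:35:4E:A2:E9:BD:9E:13:23:A3:6D:24:41:BA:9C:22:10:78:E6
a=setup:actpass

<--- Transmitting SIP response (307 bytes) to WSS:xxxxx:51645 --->
SIP/2.0 100 Trying
Content-Length: 0

<--- Transmitting SIP response (1259 bytes) to WSS:xxxxx:51645 --->
SIP/2.0 200 OK
Content-Type: application/sdp
Content-Length: 623

v=0
o=- 1071813834 4 IN IP4 172.31.37.32
s=Asterisk
t=0 0
m=audio 11472 UDP/TLS/RTP/SAVPF 0 8
a=setup:active
a=fingerprint:SHA-256
a=rtcp-mux
"""

if __name__ == "__main__":
    for i, body in enumerate(sdp_bodies_from_log(SAMPLE_LOG), 1):
        issues = check_fingerprint(body) or ["ok"]
        print(f"SDP body {i}: " + "; ".join(issues))
```

Run against a real capture, the second body reports `sha-256: digest is empty`, which is exactly the condition SIP.js rejects in `setRemoteDescription`; a clean answer from Server #3 reports `ok`. The check is on message content only, so it is useful for spotting the regression on the server before a client sees it.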

        People

        • Assignee: ShortFuse (United States)
        • Reporter: ShortFuse (United States)