I tried it but it didn’t work. The problem from my side is that the Openssl don’t add usr_srtp to my client hello and so the backend (Linphone) doesn’t start the media Stream with srtp. Best regards Harald
From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> On Behalf Of
Skale Franz As i stated before, Only if you apply my patch, the bundled SRTP library will support AES GCP ciphers ! Look at the symbols i provided. Again: Symbols: nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl' I now compiled the bundled lib (debian 8) with no issue when applying my patch. So the core developers should take a look at the config_srtp.h. Von: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx> im Auftrag von Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx> Hi Franz The problem from my side is not the compilation of pjProject. I think its true that OpenSSL1.0.2h supports AES GCM but not for SRTP. My Problem is that when I want to establish a call the DTLS Hello Client message
includes not extension for “use_srtp” because of the case that openssl not support gcm for srtp. Best regards Harald From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx>
On Behalf Of Skale Franz Hi Harald, state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong. Check the Changelog for details. It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers: snippet: e.g. srtp.c at the header it begins: #ifdef OPENSSL The current srtp_config.h doesn't honor the PJSIP AES flags at all. To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support ! libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1. Best regards Franz Skale
Von: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx>
im Auftrag von Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx> Hi Franz Thanks for your answer. I was yesterday able to compile everything fine with –with-ssl but it doesn’t work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h. We can see on the latest code (OpenSSL/d1_srtp.c here), it supports AES_GCM. However, on 1.0.2h it doesn't have that. But I will try the solution with the defines in libsrtp config and will give you a feedback! Best regards Harald From: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx>
On Behalf Of Skale Franz Hi Harald, libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL ! I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available. There are two issues here, 1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it. 2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib. Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1). Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols. TRY !!!: add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !) #if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0) I used these config_site.h flags: /*SRTP CIPHERS */ Be sure to use --with-ssl at configure time. I was able to compile but not to test, so please report back ! Symbols: nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl' Best regards
Von: pjsip <pjsip-bounces@xxxxxxxxxxxxxxx>
im Auftrag von Schuster Harald <hsc@xxxxxxxxxxxxxxxxxxxx> Hi I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself.
A normal call and a call with SRTP works fine but a call with DTLS doesn’t work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no “use_srtp” extension. It stops with the “heartbeat” extension. When AES_GCM is removed the “use_srtp”
extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use –with-ssl so that the installation of openssl is checked. config_site.h #define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL #define PJ_HAS_SSL_SOCK 1 #define PJMEDIA_HAS_SRTP 1 #define PJMEDIA_SRTP_HAS_SDES 1 #define PJMEDIA_SRTP_HAS_DTLS 1 #define PJMEDIA_SRTP_HAS_AES_CM_256 1 #define PJMEDIA_SRTP_HAS_AES_CM_128 1 #define PJMEDIA_SRTP_HAS_AES_GCM_256 1 #define PJMEDIA_SRTP_HAS_AES_GCM_128 1 PJ Logs: 2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO) 2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO) Configure: checking for OpenSSL installations.. pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes Best regards Harald |
_______________________________________________ Visit our blog: http://blog.pjsip.org pjsip mailing list pjsip@xxxxxxxxxxxxxxx http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org