Doesn't work in new Chrome 52

[AleksMeshkov]

Hello! Since my browser have updated to the latest ver of Chrome (with material design) WebRTC doesn't work anymore. Here's what I've got in the Asterisk CLI

Any ideas?

Thanks.

0x7f99f4c51520 -- Probation passed - setting RTP source address to 10.8.0.14:19622 [Jul 21 09:22:47] ERROR[17583][C-00000d86]: res_rtp_asterisk.c:2172 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f99f49d4fd8' due to reason 'sslv3 alert handshake failure', terminating [Jul 21 09:22:47] WARNING[17583][C-00000d86]: res_rtp_asterisk.c:4048 ast_rtcp_read: RTCP Read error: Unspecified. Hanging up.

[roginvs]

Try to build latest asterisk version on your branch (11th or 13th) from sources

[AleksMeshkov]

Thanks for reply, @roginvs! Should I try this even if built asterisk 13 from sources about a week ago?

UPD: I've just downloaded asterisk-13-current.tar.gz from official site and compared archive size with the archive I downloaded a week ago. They're the same (

[AleksMeshkov]

Anyway sipml5 still does work with Yandex Broswer (built on Chromium though).

[roginvs]

I have everything working (both incoming and outgoing). Windows 10, Chrome 52.0.2743.82 m, Asterisk 13.9.1 build from source on Ubuntu 16.04, OpenSSL version 1.0.2g-fips (from repository), PJSIP for webrtc. By the way, maybe you have older openssl. Also I am using my own patched version of sipml5 with some workarounds, but I do not think that this somehow affecting your issue.

[AleksMeshkov]

What about wss server? Do you use asterisk http server with TLS (8089 port) or do you have an nginx reverse proxy for that (like I do)?

[roginvs]

I am using asterisk TLS server. This should not be a difference because WS/WSS is only control connection. PS: I have same issue now on asterisk 11 + openssl 1.0.1f , thank you for paying attention on this.

[AleksMeshkov]

Regarding OpenSSL. Just have done apt-upgrade. No significant updates.

I have a central server (13.9.1) and trunks with asterisk 11 on the other end. Main server proxies (dials) and records calls across the trunks. May be this issue is about asterisk 11 instances?

Still think this is somehow related with sipML5 lib

[roginvs]

Just updated openssl to 1.0.2g-fips version on one of my node and rebuilt asterisk 11.22.0 [maybe rebuild step is not needed - I am not sure how openssl is linked to asterisk, statically or dynamically, maybe just restart of asterisk will be sufficient] . After this webrtc started to work with asterisk 11.

[AleksMeshkov]

Thanks for the tip! I'll try to upgrade one of my trunk nodes to 13 branch and we'll see if it helps.

[ijasnahamed]

I am also facing same issue. I am using Chrome v54 and asterisk 13.3.2. I have updated openssl to 1.0.2g and restarted asterisk, but still problem persists. Does any one help me without rebuilding asterisk.

[roginvs]

@ijasnahamed , what do you mean by "reinstalling"? Even to build an asterisk from source is not a rocket science.

[ijasnahamed]

@roginvs I mean is there any way without that? Once i tried rebuilding asterisk and it was a failure. That's the reason i mean that way. Currently i have many projects working with asterisk and webrtc as backend.

[roginvs]

@ijasnahamed , as I wrote I am not sure. I can say my experience - I rebuild asterisk because I wanted to make it working. Also it is good to have our own build of asterisk because you always can have the most up-to-date version

[ijasnahamed]

@roginvs i had updated my openssl referring this. Also rebuild my asterisk 13.2.2. But still i am getting same error in asterisk.

This is my extension detail [6001] host=dynamic secret=1234 context=from-internal type=friend encryption=yes avpf=yes force_avp=yes icesupport=yes directmedia=no disallow=all allow=ulaw,ws dtlsenable=yes dtlsverify=fingerprint ;dtlsverify=no dtlscertfile=/etc/asterisk/keys/asterisk.pem dtlscafile=/etc/asterisk/keys/ca.crt dtlssetup=actpass nat=yes

generated cert file using below command sudo ./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys

[roginvs]

@ijasnahamed , try to make certificates with 4096 bits length (instead of 1024). Just change 1024 to 4096 inside ast_tls_cert script and regenerate new certificates.

[ijasnahamed]

@roginvs Tried with 4096 bit certificates. But still get same error

res_rtp_asterisk.c:2042 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f179c007048' due to reason 'sslv3 alert handshake failure', terminating

[roginvs]

@ijasnahamed , the error you wrote is about old openssl. Maybe manually installed openssl conflicts with packaged version and asterisk picking up the old one. Maybe ldconfig will help. Also you can try to remove packaged openssl (apt-get remove libssl-dev openssl) and reinstall new openssl manually once again. But the simplest way is to upgrade to Ubuntu 16.04. I do not know about 12th Ubuntu, but on 14th Ubuntu I successfully added 16th repositories and updated only openssl (with dependencies), and then changed repositories back to 14th branch. That worked for me.

[ijasnahamed]

@roginvs Removed both libssl-dev and openssl and rebuild openssl from source as said above. Created new asterisk keys and tried the call, it fails. Can you tell how it can be changed using Idconfig? Also upgrade to 16.04 method. I am using 14.04 ubuntu. So i can try that method too.

[roginvs]

@ijasnahamed , is error the same? Let's check openssl version via this commands:

# ldd /usr/sbin/asterisk  | grep libssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f33ce117000)
# strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep 1.0.2
OPENSSL_1.0.2
OPENSSL_1.0.2g
SSLv3 part of OpenSSL 1.0.2g-fips  1 Mar 2016
TLSv1 part of OpenSSL 1.0.2g-fips  1 Mar 2016
DTLSv1 part of OpenSSL 1.0.2g-fips  1 Mar 2016
OpenSSL 1.0.2g-fips  1 Mar 2016

To update openssl on Ubuntu 14:

echo 'deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse' > /etc/apt/sources.list.d/xenial.list
aptitude update
aptitude install -y openssl libssl-dev
rm /etc/apt/sources.list.d/xenial.list
aptitude update

[ijasnahamed]

@roginvs I am getting the same error

Here's my command results:

# ldd /usr/sbin/asterisk  | grep libssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f57a321d000)

# strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep 1.0.2
No result

# strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep 1.0.1
OPENSSL_1.0.1
OPENSSL_1.0.1d
SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014
TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014
DTLSv1 part of OpenSSL 1.0.1f 6 Jan 2014
OpenSSL 1.0.1f 6 Jan 2014

# openssl version
OpenSSL 1.0.1t  3 May 2016

I think openssl is not upgraded.

[ijasnahamed]

@roginvs upgraded openssl using your commands and it was success. Now openssl is upgraded and now call doesn't drop when playing audio. Thanks a lot man.

[AleksMeshkov]

Confirm. Upgrading openssl to the latest version resolved the issue. In my case I just did "do-release-upgrade"

@roginvs thank you for the help!