zhqiyi / webrtc2sip

Automatically exported from code.google.com/p/webrtc2sip
0 stars 0 forks source link

webrtc2sip b2bua failed to do digest auth for INVITE #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1.Configure sipML5 with RTCWeb Breaker enabled, non-secure WebSocket transport 
2.Register sipML5 through webrtc2sip proxy to Asterisk, digest auth passed and 
register OK. 
3.Call out from sipML5

What is the expected output? What do you see instead?

Expected:

Per webrtc2sip technical guide 
https://docs.google.com/viewer?url=http%3A%2F%2Fwebrtc2sip.org%2Ftechnical-guide
-1.0.pdf , Section 7 "Security issues":

1."sipML5 automatically use secure websocket (WSS) when RTCWeb
Breaker is enabled."
2. "The new INVITE request from the
b2bua could be challenged (SIP 401/407 response) by the remote SIP-legacy 
network", so webrtc2sip will use HA1 auth token from sipML5 to calculate the 
digest response

Actual:
1. sipML5 didn't AUTOMATICALLY use WSS (It is understandable because I didn't 
give sipML5 the secure web socket server URL)
2. New INVITE from b2bua with digest info was denied by Asterisk with 403 
Forbidden, saying auth fail from Asterisk console
3. I tried to give sipML5 the WSS URL, but when sipML5 initiated TLS client 
hello to webrtc2sip, webrtc2sip terminated the request saying "MSG: 
SSL_accept() failed with error code [1, error:1408A0C1:SSL 
routines:SSL3_GET_CLIENT_HELLO:no shared cipher]". Looks like the cipher suite 
negotiation failed. But I used same brower (chrome) to access the apache HTTPS 
service on same machine, the negotiation is success. So don't know why 
webrtc2sip failed at this step.

What version of the product are you using? On what operating system?
webrtc2sip - Revision 87
sipML5
CentOS 6.4 x86_64
Chrome 26.0.1410.64 m
OpenSSL 1.0.1c

Please provide any additional information below.

I compared the OpenSSL cipher suites on webrtc2sip machine and the cipher 
suites provided by Chrome client, they have some match. So from this 
perspective webrtc2sip should accept Chrome's client hello. 

I will attach log files later for your reference.

Original issue reported on code.google.com by fuse...@gmail.com on 8 May 2013 at 6:00

GoogleCodeExporter commented 9 years ago
Attached logs

console-log-2013-05-08-02.log is webrtc2sip log, containing both non-secure 
websocket digest auth fail, and secure websocket initial fail.

sipml5_webrtc2sip_asterisk_tls1.1_fail.pcap is wireshark trace for secure 
websocket initial fail

Apache_cipher_success.pcap is the test to apache HTTPS server, which resides on 
the same machine with webrtc2sip

72.163.254.74 is asterisk
72.163.254.69 is webrtc2sip
10.140.6.73 is sipML5

Original comment by fuse...@gmail.com on 8 May 2013 at 12:14

Attachments:

GoogleCodeExporter commented 9 years ago
Close this issue. 

This issue caused by two points:
1. Digest auth failed: realm filled in sipml5 and realm configured in sip.conf 
of asterisk are not equal. When sipml5 go to register, this does not matter 
since sipml5 will receive 401 from asterisk and use the realm in 401 message. 
But when going to INVITE/401 step, webrtc2sip will use the realm in HA1 from 
sipml5 to fill in the re-INVITE, which is not equal to the realm in 401 
message. So digest auth failed;
2. Cipher mis-match: totally stupid since I didn't remove comments "!--" in 
config.xml, so no cert could be provided to webrtc2sip 

Original comment by fuse...@gmail.com on 10 May 2013 at 7:06

GoogleCodeExporter commented 9 years ago

Original comment by boss...@yahoo.fr on 24 May 2013 at 1:45

GoogleCodeExporter commented 9 years ago
Did it worked later? I have enabled but still cipher issue?

Copyright (C) 2012-2013 Doubango Telecom <http://www.doubango.org>
PRODUCT: webrtc2sip
HOME PAGE: http://webrtc2sip.org
LICENCE: GPLv3 or proprietary
VERSION: 2.6.0
'quit' to quit the application.
*******************************************************************

SSL is enabled :)
DTLS supported: yes
DTLS-SRTP supported: yes
***ERROR: function: "tnet_tls_socket_accept()"
file: "src/tls/tnet_tls.c"
line: "168"
MSG: SSL_accept() failed with error code [1, error:1408A0C1:SSL 
routines:ssl3_get_client_hello:no shared cipher]
***ERROR: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "708"
MSG: SSL_accept() failed
***ERROR: function: "tnet_transport_mainthread()"
file: "src/tnet_transport_poll.c"
line: "708"
MSG: (SYSTEM)NETWORK ERROR ==>Success

Original comment by joseph...@gmail.com on 2 Jun 2014 at 3:39

GoogleCodeExporter commented 9 years ago
Check https://code.google.com/p/webrtc2sip/issues/detail?id=157.
PS: You should set your debug level to INFO when reporting issues: 
https://code.google.com/p/webrtc2sip/wiki/FAQ#How_to_report_issue?

Original comment by boss...@yahoo.fr on 2 Jun 2014 at 4:00