SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn't work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no "use_srtp" extension. It stops with the "heartbeat" extension. When AES_GCM is removed the "use_srtp" extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use -with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[https://www.citycom-austria.com/rel2018/wp-content/themes/citycom/assets/img/citycom_logo.png]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip pjsip-bounces@lists.pjsip.org im Auftrag von Schuster Harald hsc@mission-embedded.com
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn’t work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no “use_srtp” extension. It stops with the “heartbeat” extension. When AES_GCM is removed the “use_srtp” extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use –with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
Hi Franz
Thanks for your answer. I was yesterday able to compile everything fine with -with-ssl but it doesn't work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.
We can see on the latest code (OpenSSL/d1_srtp.c herehttps://github.com/openssl/openssl/blob/master/ssl/d1_srtp.c#L22), it supports AES_GCM. However, on 1.0.2h it doesn't have that.
But I will try the solution with the defines in libsrtp config and will give you a feedback!
Best regards
Harald
From: pjsip pjsip-bounces@lists.pjsip.org On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To: pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[cid:~WRD0000.jpg]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip pjsip-bounces@lists.pjsip.org im Auftrag von Schuster Harald hsc@mission-embedded.com
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn't work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no "use_srtp" extension. It stops with the "heartbeat" extension. When AES_GCM is removed the "use_srtp" extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use -with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
Hi Harald,
state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong.
Check the Changelog for details.
It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers:
snippet:
e.g. srtp.c at the header it begins:
#ifdef OPENSSL
#include "aes_gcm_ossl.h" /* for AES GCM mode */
ifdef OPENSSL_KDF
include <openssl/kdf.h>
include "aes_icm_ossl.h" /* for AES GCM mode */
endif
The current srtp_config.h doesn't honor the PJSIP AES flags at all.
To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support !
libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1.
Best regards
Franz Skale
Rechenzentrum-Services
[https://www.citycom-austria.com/rel2018/wp-content/themes/citycom/assets/img/citycom_logo.png]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip pjsip-bounces@lists.pjsip.org im Auftrag von Schuster Harald hsc@mission-embedded.com
Gesendet: Donnerstag, 12. Dezember 2019 10:11
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
Thanks for your answer. I was yesterday able to compile everything fine with –with-ssl but it doesn’t work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.
We can see on the latest code (OpenSSL/d1_srtp.c herehttps://github.com/openssl/openssl/blob/master/ssl/d1_srtp.c#L22), it supports AES_GCM. However, on 1.0.2h it doesn't have that.
But I will try the solution with the defines in libsrtp config and will give you a feedback!
Best regards
Harald
From: pjsip pjsip-bounces@lists.pjsip.org On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To: pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[cid:~WRD0000.jpg]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip pjsip-bounces@lists.pjsip.org im Auftrag von Schuster Harald hsc@mission-embedded.com
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn’t work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no “use_srtp” extension. It stops with the “heartbeat” extension. When AES_GCM is removed the “use_srtp” extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use –with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
Hi Franz
The problem from my side is not the compilation of pjProject. I think its true that OpenSSL1.0.2h supports AES GCM but not for SRTP. My Problem is that when I want to establish a call the DTLS Hello Client message includes not extension for "use_srtp" because of the case that openssl not support gcm for srtp.
Best regards
Harald
From: pjsip pjsip-bounces@lists.pjsip.org On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 11:57 AM
To: pjsip list pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong.
Check the Changelog for details.
It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers:
snippet:
e.g. srtp.c at the header it begins:
#ifdef OPENSSL
#include "aes_gcm_ossl.h" /* for AES GCM mode */
ifdef OPENSSL_KDF
include <openssl/kdf.h>
include "aes_icm_ossl.h" /* for AES GCM mode */
endif
The current srtp_config.h doesn't honor the PJSIP AES flags at all.
To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support !
libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1.
Best regards
Franz Skale
Rechenzentrum-Services
[https://www.citycom-austria.com/rel2018/wp-content/themes/citycom/assets/img/citycom_logo.png]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Donnerstag, 12. Dezember 2019 10:11
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
Thanks for your answer. I was yesterday able to compile everything fine with -with-ssl but it doesn't work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.
We can see on the latest code (OpenSSL/d1_srtp.c herehttps://github.com/openssl/openssl/blob/master/ssl/d1_srtp.c#L22), it supports AES_GCM. However, on 1.0.2h it doesn't have that.
But I will try the solution with the defines in libsrtp config and will give you a feedback!
Best regards
Harald
From: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[cid:image001.jpg@01D5B0E8.2EDB8FA0]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn't work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no "use_srtp" extension. It stops with the "heartbeat" extension. When AES_GCM is removed the "use_srtp" extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use -with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
As i stated before,
Only if you apply my patch, the bundled SRTP library will support AES GCP ciphers !
Look at the symbols i provided.
Again:
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
I now compiled the bundled lib (debian 8) with no issue when applying my patch.
So the core developers should take a look at the config_srtp.h.
Von: pjsip pjsip-bounces@lists.pjsip.org im Auftrag von Schuster Harald hsc@mission-embedded.com
Gesendet: Donnerstag, 12. Dezember 2019 13:26
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
The problem from my side is not the compilation of pjProject. I think its true that OpenSSL1.0.2h supports AES GCM but not for SRTP. My Problem is that when I want to establish a call the DTLS Hello Client message includes not extension for “use_srtp” because of the case that openssl not support gcm for srtp.
Best regards
Harald
From: pjsip pjsip-bounces@lists.pjsip.org On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 11:57 AM
To: pjsip list pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong.
Check the Changelog for details.
It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers:
snippet:
e.g. srtp.c at the header it begins:
#ifdef OPENSSL
#include "aes_gcm_ossl.h" /* for AES GCM mode */
ifdef OPENSSL_KDF
include <openssl/kdf.h>
include "aes_icm_ossl.h" /* for AES GCM mode */
endif
The current srtp_config.h doesn't honor the PJSIP AES flags at all.
To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support !
libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1.
Best regards
Franz Skale
Rechenzentrum-Services
[https://www.citycom-austria.com/rel2018/wp-content/themes/citycom/assets/img/citycom_logo.png]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Donnerstag, 12. Dezember 2019 10:11
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
Thanks for your answer. I was yesterday able to compile everything fine with –with-ssl but it doesn’t work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.
We can see on the latest code (OpenSSL/d1_srtp.c herehttps://github.com/openssl/openssl/blob/master/ssl/d1_srtp.c#L22), it supports AES_GCM. However, on 1.0.2h it doesn't have that.
But I will try the solution with the defines in libsrtp config and will give you a feedback!
Best regards
Harald
From: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[cid:image001.jpg@01D5B0E8.2EDB8FA0]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn’t work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no “use_srtp” extension. It stops with the “heartbeat” extension. When AES_GCM is removed the “use_srtp” extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use –with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
I tried it but it didn't work. The problem from my side is that the Openssl don't add usr_srtp to my client hello and so the backend (Linphone) doesn't start the media Stream with srtp.
Best regards
Harald
From: pjsip pjsip-bounces@lists.pjsip.org On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 2:12 PM
To: pjsip list pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
As i stated before,
Only if you apply my patch, the bundled SRTP library will support AES GCP ciphers !
Look at the symbols i provided.
Again:
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
I now compiled the bundled lib (debian 8) with no issue when applying my patch.
So the core developers should take a look at the config_srtp.h.
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Donnerstag, 12. Dezember 2019 13:26
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
The problem from my side is not the compilation of pjProject. I think its true that OpenSSL1.0.2h supports AES GCM but not for SRTP. My Problem is that when I want to establish a call the DTLS Hello Client message includes not extension for "use_srtp" because of the case that openssl not support gcm for srtp.
Best regards
Harald
From: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 11:57 AM
To: pjsip list <pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org>
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
state statement, that openssl 1.0.2h won't support or even has a problem with AES_GCM ciphers is wrong.
Check the Changelog for details.
It's clear to me, that omitting the "#define OPENSSL 1", librtc won't include the AES_GCM ciphers:
snippet:
e.g. srtp.c at the header it begins:
#ifdef OPENSSL
#include "aes_gcm_ossl.h" /* for AES GCM mode */
ifdef OPENSSL_KDF
include <openssl/kdf.h>
include "aes_icm_ossl.h" /* for AES GCM mode */
endif
The current srtp_config.h doesn't honor the PJSIP AES flags at all.
To overcome such situations i strongly recommend to use and updat2date OS (e.g. Debian 10) and external-lib support !
libsrtp in the bundled source is a prerelease whenreas DEBIAN provides a well maintained version 2.2.0-1.
Best regards
Franz Skale
Rechenzentrum-Services
[https://www.citycom-austria.com/rel2018/wp-content/themes/citycom/assets/img/citycom_logo.png]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Donnerstag, 12. Dezember 2019 10:11
An: pjsip list
Betreff: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Franz
Thanks for your answer. I was yesterday able to compile everything fine with -with-ssl but it doesn't work and the developer from PjProject wrote me that it is a problem with OpenSSL 1.0.2h.
We can see on the latest code (OpenSSL/d1_srtp.c herehttps://github.com/openssl/openssl/blob/master/ssl/d1_srtp.c#L22), it supports AES_GCM. However, on 1.0.2h it doesn't have that.
But I will try the solution with the defines in libsrtp config and will give you a feedback!
Best regards
Harald
From: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> On Behalf Of Skale Franz
Sent: Thursday, December 12, 2019 9:34 AM
To: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Subject: Re: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi Harald,
libsrtp requires to have OPENSSL defined, but the srtp_config.h lacks of an ifdef to check, whether PJSIP was configured to use OPENSSL !
I also don't understand, why i have to add the configure flag --with-ssl when it should be autoconfigured when available.
There are two issues here,
1.) The core developers should outline in the docs how to enable DTLS GCM support as well as config.h options needed to enable it.
2.) The core developers should check the aconfigure.ac why i have to supply --with-ssl to enable gcm cipher support in the srtp lib.
Without --with-ssl, the buildprocess won't complete as there are unresovled symbols (No define of OPENSSL 1).
Libsrtp NEEDS "#define OPENSSL 1" to include gcm cipher support or it will fail with unresolved symbols.
TRY !!!:
add these lines to the file build/srtp/srtp_config.h (NO LINEBREAKS !!! in the if defined clause !)
#if defined(PJMEDIA_SRTP_HAS_AES_GCM_128)&&(PJMEDIA_SRTP_HAS_AES_GCM_128!=0)||defined(PJMEDIA_SRTP_HAS_AES_GCM_256)&&(PJMEDIA_SRTP_HAS_AES_GCM_256!=0)
#define OPENSSL 1
#endif
I used these config_site.h flags:
/*SRTP CIPHERS */
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
Be sure to use --with-ssl at configure time.
I was able to compile but not to test, so please report back !
Symbols:
nm libsrtp.so.2 |egrep -i 'srtp_aes_gcm_128_openssl|srtp_aes_gcm_256_openssl'
0000000000014600 D srtp_aes_gcm_128_openssl
000000000000f720 r srtp_aes_gcm_128_openssl_description
00000000000145a0 D srtp_aes_gcm_256_openssl
000000000000f700 r srtp_aes_gcm_256_openssl_description
Best regards
Franz Skale
Rechenzentrum-Services
[cid:image001.jpg@01D5B0E8.2EDB8FA0]
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
Von: pjsip <pjsip-bounces@lists.pjsip.orgmailto:pjsip-bounces@lists.pjsip.org> im Auftrag von Schuster Harald <hsc@mission-embedded.commailto:hsc@mission-embedded.com>
Gesendet: Mittwoch, 11. Dezember 2019 20:30
An: pjsip@lists.pjsip.orgmailto:pjsip@lists.pjsip.org
Betreff: [pjsip] SRTP DTLS with AES GCM 128 --> no SRTP Stream
Hi
I am using a setup with PjProject 2.9 and OpenSSL 1.0.2h. I have the following config_site.h file. I use the LinPhone to test my own device and to establish a call. My device does never establish a call by himself. A normal call and a call with SRTP works fine but a call with DTLS doesn't work. When the two lines with AES_GCM are removed from the config also the DTLS call works.
I saw in the wireshark trace that the hello client message that is send from my device with pjproject has no "use_srtp" extension. It stops with the "heartbeat" extension. When AES_GCM is removed the "use_srtp" extension exists. Is this a problem with the usage of openssl1.0.2h or is there any error in the configuration?! Does somebody knows this behavior?
In the makefile is use -with-ssl so that the installation of openssl is checked.
config_site.h
#define PJ_SSL_SOCK_IMP PJ_SSL_SOCK_IMP_OPENSSL
#define PJ_HAS_SSL_SOCK 1
#define PJMEDIA_HAS_SRTP 1
#define PJMEDIA_SRTP_HAS_SDES 1
#define PJMEDIA_SRTP_HAS_DTLS 1
#define PJMEDIA_SRTP_HAS_AES_CM_256 1
#define PJMEDIA_SRTP_HAS_AES_CM_128 1
#define PJMEDIA_SRTP_HAS_AES_GCM_256 1
#define PJMEDIA_SRTP_HAS_AES_GCM_128 1
PJ Logs:
2019-12-11 14:32:57.095170: [debug] dtls0x74213f40 !Failed to get SRTP material: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
2019-12-11 14:32:57.095349: [debug] pjsua_media.c Call 0: Media 0: SRTP negotiation completes: No matching SRTP crypto-suite after DTLS nego (PJMEDIA_SRTP_DTLS_ENOCRYPTO)
Configure:
checking for OpenSSL installations..
pjproject-2.9-r2 do_configure: checking openssl/ssl.h usability...
pjproject-2.9-r2 do_configure: yes
checking openssl/ssl.h presence...
pjproject-2.9-r2 do_configure: yes
checking for openssl/ssl.h...
pjproject-2.9-r2 do_configure: yes
checking for ERR_load_BIO_strings in -lcrypto...
pjproject-2.9-r2 do_configure: yes
checking for SSL_CTX_new in -lssl...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL library found, SSL support enabled
pjproject-2.9-r2 do_configure: checking for EVP_aes_128_gcm in -lcrypto...
pjproject-2.9-r2 do_configure: yes
pjproject-2.9-r2 do_configure: OpenSSL has AES GCM support, SRTP will use OpenSSL
pjproject-2.9-r2 do_configure: Checking if OpenCORE AMR support is disabled... yes
Best regards
Harald
