From: Sean Bright
Date: Mon, 23 Oct 2023 19:53:08 +0000 (-0400)
Subject: pjsip_configuration.c: Disable DTLS renegotiation if WebRTC is enabled.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7afd5357c9e1ec5d779d04391b52e77f2513b59;p=thirdparty%2Fasterisk.git
pjsip_configuration.c: Disable DTLS renegotiation if WebRTC is enabled. Per RFC8827: Implementations MUST NOT implement DTLS renegotiation and MUST reject it with a "no_renegotiation" alert if offered. So we disable it when webrtc=yes is set. Fixes #378 UpgradeNote: The dtls_rekey will be disabled if webrtc support is requested on an endpoint. A warning will also be emitted.
---
diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c
index ea62187f49..613d06fa52 100644
--- a/res/res_pjsip/pjsip_configuration.c
+++ b/res/res_pjsip/pjsip_configuration.c
@@ -1589,6 +1589,13 @@ static int sip_endpoint_apply_handler(const struct ast_sorcery *sorcery, void *o
 endpoint->media.rtp.dtls_cfg.default_setup = AST_RTP_DTLS_SETUP_ACTPASS;
 endpoint->media.rtp.dtls_cfg.verify = AST_RTP_DTLS_VERIFY_FINGERPRINT;
 
+ /* RFC8827 says: Implementations MUST NOT implement DTLS renegotiation
+ * and MUST reject it with a "no_renegotiation" alert if offered. */
+ if (endpoint->media.rtp.dtls_cfg.rekey) {
+ ast_log(LOG_WARNING, "DTLS renegotiation is not supported with WebRTC. Disabling dtls_rekey.\n");
+ endpoint->media.rtp.dtls_cfg.rekey = 0;
+ }
+
 if (ast_strlen_zero(endpoint->media.rtp.dtls_cfg.certfile)) {
 /* If no certificate has been specified, try to automatically create one */
 endpoint->media.rtp.dtls_cfg.ephemeral_cert = 1;
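Review bot: The warning emitted on the added `ast_log(LOG_WARNING, ...)` line does not say which endpoint triggered it, so on a system with many endpoints an operator has no way to find the configuration that still sets dtls_rekey; the endpoint is in scope here, so the message should carry its id: `ast_log(LOG_WARNING, "Endpoint '%s': DTLS renegotiation is not supported with WebRTC. Disabling dtls_rekey.\n", ast_sorcery_object_get_id(endpoint));`. The new comment quotes both halves of the RFC 8827 requirement, but the code only clears the locally driven rekey interval; whether a peer-offered renegotiation is actually answered with a no_renegotiation alert is decided in the DTLS engine outside this file and should be confirmed separately rather than implied by this comment, so consider trimming it to the first sentence. That this block only runs when webrtc is enabled is inferred from the surrounding default_setup/verify assignments and the commit message, not visible in the hunk. The enclosing sip_endpoint_apply_handler starts and ends outside the hunk.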