failed to self-sign certificate (Cannot allocate memory) #1056
Comments
|
Can you provide further details? Like OS/Distro and especially the OpenSSL version? |
|
--- System info: --- OS:/Distro: Ubunti under WSL. OpenSSL 1.1.1f |
|
the source of the error is: the RSA key generated is 1024, but your version of openssl requires 2048 bits or more: see libre tls_set_selfsigned: you can try to change the keysize to 2048 and see if that helps. as a workaround you can also try to change the SECLEVEL in openssl.cnf: https://serverfault.com/questions/957931/openssl-allow-usage-of-insecure-client-certs |
|
Changed tls.c from 1024 to 2048 and that resolves the issue. |
|
Created pull request |
|
please note that increasing the RSA cert bits will impact the network traffic (DTLS) when you say that it resolves the issue, does that include testing call setup and DTLS handshake I dont think we should change the default RSA keysize, I think it is better to add a new function int tls_set_selfsigned_bits(struct tls *tls, const char *cn, size_t bits);in the future we might want to increase it again, e.g. to 4096. |
|
In the future we want to move to elliptic curve certs which are smaller in size and lower in cpu usage. |
|
See https://thenewdialtone.com/webrtc-h-264-dtls/ - Chrome moved from 1024 bit RSA to ECDSA "The previous algorithm (1024-bit RSA) takes about 1 second to process. Call setup time is an issue in VoIP in general due to ICE process and this is just another delay added. The new algorithm used (ECDSA) is fast, how fast? By the thousands faster" So the answer is not 2048 bit RSA :-) |
|
I agree that we should also support ECDSA. but we should also keep support for RSA, with a configurable bitsize. |
|
fixed in commit a9ceb87 please verify |
(Presumably the changelog [Unreleased] section is for 1.0.0) = Baresip Changelog == [Unreleased] === Added - aac: add AAC_STREAMTYPE_AUDIO enum value - aac: add AAC_ prefix - Video mode param to call_answer(), ua_answer() and ua_hold_answer [#966] - video_stop_display() API function [#977] - module: add path to module_load() function - conf: add conf_configure_buf - test: add usage of g711.so module [#978] - JSON initial codec state command and response [#973] - account_set_video_codecs() API function [#981] - net: add fallback dns nameserver [#996] - gtk: show call_peername in notify title [#1006] - call: Added call_state() API function that returns enum state of the call [#1013] - account_set_stun_user() and account_set_stun_pass() API functions [#1015] - API functions account_stun_uri and account_set_stun_uri. [#1018] - ausine: Audio sine wave input module [#1021] - gtk/menu: replace spaces from uri [#1007] - jack: allowing jack client name to be specified in the config file [#1025] [#1020] - snapshot: Add snapshot_send and snapshot_recv commands [#1029] - webrtc_aec: 'extended_filter' config option [#1030] - avfilter: FFmpeg filter graphs integration [#1038] - reg: view proxy expiry value in reg_status [#1068] - account: add parameter rwait for re-register interval [#1069] - call, stream, menu: add cmd to set the direction of video stream [#1073] === Changed - **Using [baresip/re](https://github.com/baresip/re) fork now** - audio: move calculation to audio_jb_current_value - avformat: clean up docs - gzrtp: update docs - account: increased size of audio codec list to 16 - video: make video_sdp_attr_decode public - config: Derive default audio driver from default audio device [#1009] - jack: modifying info message on jack client creation [#1019] - call: when video stream is disabled, stop also video display [#1023] - dtls_srtp: use tls_set_selfsigned_rsa with keysize 2048 [#1062] [#1056] - rst: use a min ptime of 20ms - aac: change ptime to 4ms === Fixed - avcodec: fix H.264 interop with Firefox - winwave: waveInGetPosition is no longer supported for use as of Windows Vista [#960] - avcodec: call av_hwdevice_ctx_create before if-statement - account: use single quote instead of backtick - ice: fix segfault in connh [#980] - call: Update call->got_offer when re-INVITE or answer to re-INVITE is received [#986] - mk: Test also for /usr/lib64/libspeexdsp.so to cover Fedora/RHEL/CentOS [#992] - config: Allow distribution specific CA trust bundle locations (fixes [#993] - config: Allow distribution specific default audio device (fixes [#994] - mqtt: fix err is never read (found by clang static analyzer) - avcodec: fix err is never read (found by clang static analyzer) - gtk: notification buttons do not work on Systems [#1012] - gtk: fix dtmf_tone and add tones as feedback [#1010] - pulse: drain pulse buffers before freeing [#1016] - jack: jack_play connect all physical ports [#1028] - Makefile: do not try to install modules if build is static [#1031] - gzrtp: media_alloc function is missing [#1034] [#1022] - call: when updating video, check if video stream has been disabled [#1037] - amr: fix length check, fixes [#1011] - modules: fix search path for avdevice.h [#1043] - gtk: declare variables C89 style - config: init newly added member - menu: fix segfault in ua_event_handler [#1059] [#1061] - debug_cmd: fix OpenSSL no-deprecated [#1065] - aac: handle missing bitrate parameter in SDP format - av1: properly configure encoder === Removed - ice: remove support for ICE-lite - ice: remove ice_debug, use log level DEBUG instead - ice: make stun server optional - config: remove ice_debug option (unused) === Contributors (many thanks) - Alfred E. Heggestad - Alexander Gramner - Andrew Webster - Christian Spielberger - Christoph Huber - Davide Alberani - Ethan Funk - Juha Heinanen - mbattista - Michael Malone - Mikl Kurkov - ndilieto - Robert Scheck - Roger Sandholm - Sebastian Reimers [#966]: baresip/baresip#966 [#977]: baresip/baresip#977 [#978]: baresip/baresip#978 [#973]: baresip/baresip#973 [#981]: baresip/baresip#981 [#996]: baresip/baresip#996 [#1006]: baresip/baresip#1006 [#1013]: baresip/baresip#1013 [#1015]: baresip/baresip#1015 [#1018]: baresip/baresip#1018 [#1021]: baresip/baresip#1021 [#1007]: baresip/baresip#1007 [#1025]: baresip/baresip#1025 [#1020]: baresip/baresip#1020 [#1029]: baresip/baresip#1029 [#1030]: baresip/baresip#1030 [#1038]: baresip/baresip#1038 [#1009]: baresip/baresip#1009 [#1019]: baresip/baresip#1019 [#1023]: baresip/baresip#1023 [#1062]: baresip/baresip#1062 [#1056]: baresip/baresip#1056 [#960]: baresip/baresip#960 [#980]: baresip/baresip#980 [#986]: baresip/baresip#986 [#992]: baresip/baresip#992 [#993]: baresip/baresip#993 [#994]: baresip/baresip#994 [#1012]: baresip/baresip#1012 [#1010]: baresip/baresip#1010 [#1016]: baresip/baresip#1016 [#1028]: baresip/baresip#1028 [#1031]: baresip/baresip#1031 [#1034]: baresip/baresip#1034 [#1022]: baresip/baresip#1022 [#1037]: baresip/baresip#1037 [#1011]: baresip/baresip#1011 [#1043]: baresip/baresip#1043 [#1059]: baresip/baresip#1059 [#1061]: baresip/baresip#1061 [#1065]: baresip/baresip#1065 [#1068]: baresip/baresip#1068 [#1069]: baresip/baresip#1069 [#1073]: baresip/baresip#1073 [Unreleased]: baresip/baresip@v0.6.6...HEAD
Starting baresip without a certificate with the dtls_srtp module enabled, generate an error
webstean@LSCPH-JLTNTC2:~/.baresip$ baresip
baresip v1.0.0 Copyright (C) 2010 - 2020 Alfred E. Heggestad et al.
Local network address: IPv4=eth0|172.26.140.145
aucodec: PCMU/8000/1
aucodec: PCMA/8000/1
aufilt: vumeter
auplay: pulse
ausrc: pulse
medianat: stun
medianat: turn
medianat: ice
mediaenc: srtp
mediaenc: srtp-mand
mediaenc: srtp-mandf
dtls_srtp: failed to self-sign certificate (Cannot allocate memory)
module dtls_srtp.so: Cannot allocate memory
Populated 1 account
Populated 8 contacts
Populated 2 audio codecs
Populated 1 audio filter
Populated 0 video codecs
Populated 0 video filters
baresip is ready.
The text was updated successfully, but these errors were encountered: