FreePBX: Failed to create fingerprint from the digest

Hello,

We have been running a sipjs UAC with FreePBX.
After a system update, calls hang up right after agents answer them.
(Same behaviour using the sipML5 demo.)
The connection via WSS on 8089 is OK.

When the call hangs up, the browser console log shows:

Failed to execute ‘setRemoteDescription’ on ‘RTCPeerConnection’: Failed to parse SessionDescription. a=fingerprint:SHA-256 Failed to create fingerprint from the digest.

SDP:

v=0
o=- 784533261 784533261 IN IP4 159.89.107.72
s=Asterisk
c=IN IP4 159.89.107.72
t=0 0
a=group:BUNDLE audio-0
m=audio 12794 UDP/TLS/RTP/SAVPF 0 8 18 3 111 9 101
a=connection:new
a=setup:active
a=fingerprint:SHA-256
a=ice-ufrag:2bba981425608f2717e872d6558b415f
a=ice-pwd:4b8718d40a96096771835c3655832527
a=candidate:H9f596b48 1 UDP 2130706431 159.89.107.72 12794 typ host
a=candidate:Ha130032 1 UDP 2130706431 10.19.0.50 12794 typ host
a=candidate:Ha87a9a0 1 UDP 2130706431 10.135.169.160 12794 typ host
a=candidate:H9b8a3ca 1 UDP 2130706431 fe80::f02b:57ff:fee8:5d58 12794 typ host
a=candidate:Hcad01eb5 1 UDP 2130706431 fe80::f4ae:33ff:fe22:e71c 12794 typ host
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:3 GSM/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
a=rtcp-mux
a=ssrc:1108701450 cname:dc1889f5-4ab3-4011-ad53-87b403d0e220
a=mid:audio-0

The certificate is generated via the FreePBX module.

Endpoints config:
Enable AVPF – Yes
Enable ICE Support – Yes
Media Encryption – DTLS-SRTP
Direct Media – No
Enable DTLS – Yes
Auto Generate Certificate – No
Use Certificate – MyCertificate
DTLS Verify – Fingerprint
DTLS Setup – Act/Pass
RTCP Mux is enabled

All endpoints are pjsip; pjsip is the only driver.

After a fresh reinstall I am having the same problem (CentOS 7, FreePBX 16.0.21.9, on a DigitalOcean Droplet).

FreePBX does not export the DTLS parameters to the endpoint (pjsip.endpoint).
As previously described, Media Encryption is set to DTLS-SRTP and DTLS is also enabled.
Still, these variables are not exported:
40 => “dtls_verify=fingerprint”
41 => “dtls_setup=actpass”
42 => “dtls_rekey=0”
43 => “dtls_cert_file=/etc/asterisk/keys/XXXX.crt”
44 => “dtls_private_key=/etc/asterisk/keys/XXXX.key”
45 => “language=fr”

I debugged some of the admin scripts. Certman.class.php is getting the data correctly and setting the PJSIP class _endpoint array attribute through dialplanHooks, but later it gets cleared right before the Languages class edits the attribute (_endpoint).
The variable ends up containing only the language parameter, which explains why the PJSIP hook genConfig doesn't export the DTLS variables.
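
The SDP quoted in the first post carries a=fingerprint:SHA-256 with no digest after the hash name, which is the line the browser refuses to parse. The JavaScript below is an added example, not code from this thread or from FreePBX: it checks every a=fingerprint line of an SDP body against the RFC 8122 shape (hash name, then colon-separated hex bytes of the right length). The function name checkFingerprints, the sample SDP strings and the digest value are constructed for illustration.

```javascript
// Added example: check a=fingerprint lines in an SDP body (syntax per RFC 8122).
// Expected digest length in bytes for the hash functions handled here.
const DIGEST_BYTES = { 'sha-1': 20, 'sha-224': 28, 'sha-256': 32, 'sha-384': 48, 'sha-512': 64 };
const PREFIX = 'a=fingerprint:';

function checkFingerprints(sdp) {
  const findings = [];
  let section = 'session'; // a fingerprint may be session-level or inside an m= section
  let seen = 0;
  sdp.split(/\r?\n/).forEach((line, i) => {
    if (line.startsWith('m=')) section = line.slice(2).split(' ')[0];
    if (!line.toLowerCase().startsWith(PREFIX)) return;
    seen += 1;
    const [hash, digest, ...extra] = line.slice(PREFIX.length).trim().split(/\s+/);
    const where = `line ${i + 1} (${section})`;
    const expected = DIGEST_BYTES[hash.toLowerCase()];
    if (!hash) findings.push(`${where}: empty fingerprint attribute`);
    else if (!digest) findings.push(`${where}: ${hash} has no digest`);
    else if (extra.length) findings.push(`${where}: unexpected trailing data`);
    else if (!/^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$/.test(digest))
      findings.push(`${where}: digest is not colon-separated hex bytes`);
    else if (expected === undefined)
      findings.push(`${where}: hash function ${hash} is not in the checked set`);
    else if (digest.split(':').length !== expected)
      findings.push(`${where}: ${hash} digest must be ${expected} bytes`);
  });
  if (seen === 0) findings.push('no a=fingerprint attribute in SDP');
  return findings;
}

// Constructed samples: a trimmed SDP shaped like the one in the first post
// (documentation address 192.0.2.10), and the same SDP with a made-up digest.
const FAKE_DIGEST = Array.from({ length: 32 }, (_, i) =>
  ((i * 7 + 1) & 0xff).toString(16).padStart(2, '0').toUpperCase()).join(':');
const BROKEN_SDP = [
  'v=0', 'o=- 1 1 IN IP4 192.0.2.10', 's=Asterisk', 'c=IN IP4 192.0.2.10', 't=0 0',
  'm=audio 12794 UDP/TLS/RTP/SAVPF 0 8 101', 'a=setup:active',
  'a=fingerprint:SHA-256', 'a=rtcp-mux', 'a=mid:audio-0',
].join('\r\n');
const GOOD_SDP = BROKEN_SDP.replace('a=fingerprint:SHA-256', `a=fingerprint:SHA-256 ${FAKE_DIGEST}`);

console.log(checkFingerprints(BROKEN_SDP)); // one finding for the audio section
console.log(checkFingerprints(GOOD_SDP));   // no findings
```

A finding of "has no digest" on the server's SDP points at the endpoint having no usable certificate configured, which matches the missing dtls_cert_file and dtls_private_key lines described above.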

Hi @welmajdi
I had a similar issue before with WSS calls to sipML5 from FreePBX. I fixed it by installing vanilla Asterisk.

Shahin N.

I tested creating endpoints in pjsip_custom directly, without relying on the FreePBX extensions module, and everything works.
This is actually a FreePBX bug. I reported it on the issue tracker: [FREEPBX-23683] PJsip not exporting endpoint dtls related data - Sangoma Issue Tracker

I ended up making my own issue (FREEPBX-23689) and found this now.

It means I’m not alone in this. I also found tlscipher will not be created in http.conf. My guess is OpenSSL has to be updated.

I have already tried upgrading to OpenSSL 1.1.1 (How to install openssl 1.1.1 on CentOS 7 · GitHub); it didn't fix the problem.

I checked your issue. I still run a working version of FreePBX, and I noticed that tlscipher does not exist on either server. (Are you talking about /etc/asterisk/http_additional.conf?)

I ended up developing a webservice to generate endpoints config directly on conf files.
This is actually a major bug.

Sorry, yes I mean http_additional.conf.

My bad server is missing tlscipher from that file as well as the dtls fields in pjsip.extensions.conf. I can fix them manually but when applying changes or force updating a certificate, they’re removed again.

I don’t know where tlscipher gets written. I never wrote it myself on the original server. I’m thinking certman writes that, but I can’t find it in the source code. The only reference I found was in sip_to_pjsip.py but I don’t use ChanSIP at all.

I got this problem too. After some research, I found the problem comes from the PHP 7.4 build of Aug 1. It loses the DTLS config from the endpoint certman class when the core class is generating. I have a similar FreePBX with an earlier PHP 7.4 build, and it is working fine. My solution is to hardcode the DTLS configuration in the PJSIP module as a hotfix.

Can you please vote for the issue (FREEPBX-23683)?
So far it's still in triage status…

Looks like it’s being worked on now. (FREEPBX-23683)

The issue is resolved. Looks like the printextensions module is causing it.
You can temporarily disable the module until printextensions v16.0.8 is pushed.