We Keep Coding

No matching mac found: client hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512,hmac-sha2-256 server hmac-sha1

I am getting below error while running my script, I am on AIX
Reading configuration data /ecmsq1vg1/home1/aradmin/.ssh/config
Reading configuration data /etc/ssh_config
Connecting to www.mftcatapp.firstdataclients.com, port 22.
Remote version string: SSH-2.0-Sun_SSH_1.1.8
Remote protocol version 2.0, remote software version Sun_SSH_1.1.8
Net::SSH::Perl Version 2.14, protocol version 2.0.
No compat match: Sun_SSH_1.1.8.
Connection established.
Sent key-exchange init (KEXINIT), waiting for response.
No matching mac found: client hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512,hmac-sha2-256 server hmac-sha1 at /apps/perl/lib/site_perl/5.18.1/aix-thread-multi/Net/SSH/Perl/SSH2.pm line 273
Can anyone help me out why i am facing the above error?

perldoc Net::SSH::Perl:
Integrity checking is performed by the hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm#openssh.com, or hmac-sha2-512-etm#openssh.com algorithms. The deprecated hmac-sha1 or hmac-md5 algorithms are available but not enabled by default. Many older SSH server installations still use hmac-sha1 as the main accepted MAC algorithm. To enable this, use the following options parameter:
options => [ "MACs +hmac-sha1" ]
So either configure your server not to use hmac-sha1 for integrity checking or tell your script to accept hmac-sha1.

Issue on SIPML5 plugin integration on AWS with Asterisks server- 13 using WebRTC

I have faced an issue on integrating the demo of SIPML5 plugin on the Asterisks server. The Asterisks server version is "Asterisk 13.14.0". The new version of the asterisks server supports SRTP module.
The plugin demo files are taken from Doubango's github repository. The demo integration files are placed on the root folder of our AWS server account.
Ref: https://github.com/DoubangoTelecom/sipml5/
The contents of the different configuration files for Asterisks server are as follows:
http.conf
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsprivatekey=/etc/asterisk/keys/asterisk.pem
rtp.conf
[general]
rtpstart=10000
rtpend=20000
icesupport=yes
stunaddr=stun.l.google.com:19302
extensions.conf
[default]
exten => 100,1,Dial(SIP/1060)
exten => 101,1,Dial(SIP/1061)
exten => 102,1,Playback(1-for-am-2-for-pm)
exten => 205,1,Answer
exten => 205,2,Wait(2)
exten => 205,3,Record(asterisk-recording%d:ulaw)
exten => 205,4,Wait(2)
exten => 205,5,Playback(${RECORDED_FILE})
exten => 205,6,Wait(2)
exten => 205,7,Hangup
[from-internal]
exten => 1000,1,Answer()
same => n,Playback(demo-congrats)
same => n,Hangup()
sip.conf
[general]
udpbindaddr=0.0.0.0:5060
realm=x.x.x.x ;replace with your Asterisk server public IP address or host
transport=udp,ws,wss
externaddr=x.x.x.x ;replace with your Server's Public IP Address
websocket_enabled=true
[6001]
host=dynamic
secret=****
context=from-internal
type=friend
encryption=yes
avpf=yes
force_avp=yes
icesupport=yes
directmedia=no
disallow=all
allow=ulaw
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/asterisk.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
The filed values set for the expert.htm page for the demo is as follows:-
WebSocket Server URL : wss://X.X.X.X:8088/ws
SIP outbound Proxy URL: udp://X.X.X.X:5060
ICE servers: [{ url: ‘stun:stun.l.google.com:19302’}]
The filed values set for the call.htm page for the demo is as follows:-
Display name: Rusty WEBRTC
Private identity: 6001
Public identity: sip:6001#X.X.X.X
Password; ****
Realm: X.X.X.X
Where X.X.X.X is my Asterisks server IP.
When click on the "Log in" button on the call.htm page an error message is displayed like
Disconnected: Failed to connect to the server
The linphone plugin is installed on the project right now. Due to the withdrawal of NPAPI support by Chrome/Mozilla browsers, the VoIP feature is completely outdated on the project. Now I want to replace the feature with SipML5 plugin which supports the WebRTC protocol. I need to check the registration, login, audio call features of the SIPML5 plugin. But all these functionalities can be implemented once i got connected to the server.
The Asterisks CLI is not displayed any error message. The console history of Chrome and Mozilla browsers are not displayed any vulnerable error messages. So I'm completely stuck on the project.
The demo files were worked fine on the Asterisks 11.8.1 server. But the SRTP module was not installed on the server so that the audio feature was not worked fine. Our supporting team is installed the library now and reinstalled the asterisks server with version 13. The firewall is open for the AWS server and the ports are open now.
Can anybody help me to fix the issue so that i can go further with the plug in integration to my project.Please let me know if any other details needed

SipML5 client will try to connect the server over Secure WebSocket URL(WSS).
So u need to use port 8089(tls) in WSS url.
If you using Self signed SSL certifactes in http.conf, allow them by opening https://X.X.X.X:8089/ws url in browser tab.

Possible debugging steps:
1. Check if asterisk is actually listening on 8089. You can use netstat for that.
2. If you are loading your client/browser in https mode then you need to trust your client on asterisk. This can be done through: http://X.X.X.X:8089/httpstatus and select trust.

Perl Webservice SSL Negotiation Failure

I am trying to call a web service using ssl. It gives following error:
500 SSL negotiation failed:
I searched forums and applied offered methods but none of them worked.
2 methods I applied are listed below:
1-) setting enviroment before call:
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
2-) passing parameter ssl_opts => [ SSL_verify_mode => 0 ] to proxy:
my $soap = SOAP::Lite
-> on_action( .... )
-> uri($uri)
-> proxy($proxy, ssl_opts => [ SSL_verify_mode => 0 ])
-> ns("http://schemas.xmlsoap.org/soap/envelope/","soapenv")
-> ns("http://tempuri.org/","tem");
$soap->serializer()->encodingStyle(undef);
Is there any solution for this?

... Connection reset by peer at /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Net‌​/SSL.pm line 145
You are running a very old version of Perl (from 2004) together with an old version of the SSL libraries (i.e. Crypt::SSLeay instead of IO::Socket::SSL) and my guess is that this goes together with using a very old version of the OpenSSL libraries for TLS support. This combination means that there is no support for SNI, no support for TLS 1.2 and no support for ECDHE ciphers. Many modern servers need at least one of these things supported. But connection reset by peer could also mean that some firewall is blocking connections or that there is no server listening on the endpoint you've specified. Or it could mean that the server is expecting you to authorize with a client certificate. Hard to tell but with a packet capture of the connection one might provide more information. And, if the URL is publicly accessible publishing it would help too in debugging the problem.

Boost chose between SSL ans TLS

I use boost socket with SSL by using the following source code:
ssl::context ctx(ssl::context::sslv23);
ctx.set_verify_mode(ssl::verify_peer);
ctx.load_verify_file("ca.pem");
I would like to know if ssl::context::sslv23 also activates TLS ?
If I want to force TLS connection (no SSL connection), Does it work:
ctx.set_options( boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv3 );
Same question with SSL connection only:
ctx.set_options( boost::asio::ssl::context::no_tlsv1 );
Thanks

I believe you need to refer OpenSSL documentation, since asio::ssl::context is a thin wrapper for SSL_CTX. Thus ssl::context constructor calls SSL_CTX_new() function with an appropriate method. As well as the ssl::context::set_options() function calls SSL_CTX_set_options() function.
In particular, for ssl::context::sslv23 method it would be:
SSLv23_method(void), SSLv23_server_method(void),
SSLv23_client_method(void) A TLS/SSL connection established with these
methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2
protocols.
If the cipher list does not contain any SSLv2 ciphersuites (the
default cipher list does not) or extensions are required (for example
server name) a client will send out TLSv1 client hello messages
including extensions and will indicate that it also understands
TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will
support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best
choice when compatibility is a concern.
If any SSLv2 ciphersuites are included in the cipher list and no
extensions are required then SSLv2 compatible client hellos will be
used by clients and SSLv2 will be accepted by servers. This is not
recommended due to the insecurity of SSLv2 and the limited nature of
the SSLv2 client hello prohibiting the use of extensions.
The list of protocols available can later be limited using the
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1
and SSL_OP_NO_TLSv1_2 options of the SSL_CTX_set_options() or
SSL_set_options() functions. Using these options it is possible to
choose e.g. SSLv23_server_method() and be able to negotiate with all
possible clients, but to only allow newer protocols like TLSv1,
TLSv1.1 or TLS v1.2.
Applications which never want to support SSLv2 (even is the cipher
string is configured to use SSLv2 ciphersuites) can set
SSL_OP_NO_SSLv2.

Asterisk Webrtc DTLS-SRTP policy

I work with Asterisk 12 and Webrtc ( is use sip.js) . When Call is answered by Chrome browser (caller is zoiper) , the call imediatelly hangup and shows error
[Aug 4 10:45:16] WARNING[30235][C-0000001f]: res_rtp_asterisk.c:1667 dtls_srtp_setup: Could not set policies when setting up DTLS-SRTP on '0x7ff22802dff0'
[Aug 4 10:45:16] WARNING[30235][C-0000001f]: res_rtp_asterisk.c:3906 ast_rtp_read: RTP Read error: Unspecified. Hanging up.
my pears is here
[1060] ; This will be WebRTC client
type=friend
username=1060 ; The Auth user for SIP.js
host=dynamic ; Allows any host to register
secret=1060 ; The SIP Password for SIP.js
encryption=yes ; Tell Asterisk to use encryption for this peer
avpf=yes ; Tell Asterisk to use AVPF for this peer
icesupport=yes ; Tell Asterisk to use ICE for this peer
context=default ; Tell Asterisk which context to use when this peer is dialing
directmedia=no ; Asterisk will relay media for this peer
transport=udp,ws ; Asterisk will allow this peer to register on UDP or WebSockets
force_avp=yes ; Force Asterisk to use avp. Introduced in Asterisk 11.11
dtlsenable=yes ; Tell Asterisk to enable DTLS for this peer
dtlsverify=no ; Tell Asterisk to not verify your DTLS certs
dtlscertfile=/etc/asterisk/keys/asterisk.pem ; Tell Asterisk where your DTLS cert file is
dtlsprivatekey=/etc/asterisk/keys/asterisk.pem ; Tell Asterisk where your DTLS private key is
dtlssetup=actpass ; Tell Asterisk to use actpass SDP parameter when setting up DTLS
[6003] ; This will be the legacy SIP client
type=friend
username=6003
host=dynamic
secret=6003
Can anybody help me?

I used srtp 1.4.2 and this is how I created the certificates for DTLS:
mkdir /etc/asterisk/keys
Enter the Asterisk scripts directory:
cd /usr/local/src/asterisk*/contrib/scripts.
Create the DTLS certificates (replace pbx.mycomany.com with your ip address or dns name, replace My Super Company with your company name):
./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys