Added permanent fix =]

dtls_hack_enable_sha256.patch

Index: .version
===================================================================
--- .version	(revision 414969)
+++ .version	(working copy)
@@ -1 +1 @@
-11.10.0
+11.10.0-x2
Index: include/asterisk/rtp_engine.h
===================================================================
--- include/asterisk/rtp_engine.h	(revision 414969)
+++ include/asterisk/rtp_engine.h	(working copy)
@@ -375,7 +375,7 @@
 
 /*! \brief DTLS fingerprint hashes */
 enum ast_rtp_dtls_hash {
-	AST_RTP_DTLS_HASH_SHA1, /*!< SHA-1 fingerprint hash */
+	AST_RTP_DTLS_HASH_SHA256,    /*!< SHA-256 fingerprint hash */
 };
 
 /*! \brief DTLS configuration structure */
Index: res/res_rtp_asterisk.c
===================================================================
--- res/res_rtp_asterisk.c	(revision 414969)
+++ res/res_rtp_asterisk.c	(working copy)
@@ -787,12 +787,42 @@
 {
 	struct ast_rtp *rtp = SSL_get_ex_data(ssl, 0);
 
+  const char *str;
+  int w;
+  w=where& ~SSL_ST_MASK;
+  if (w & SSL_ST_CONNECT) str="SSL_connect";
+  else if (w & SSL_ST_ACCEPT) str="SSL_accept";
+  else str="undefined";
+  if (where & SSL_CB_LOOP)
+  {
+    ast_log(LOG_ERROR,"%s:%s\n",str,SSL_state_string_long(ssl));
+  }
+  else if (where & SSL_CB_ALERT)
+  {
+    str=(where & SSL_CB_READ)?"read":"write";
+    ast_log(LOG_ERROR,"SSL3 alert %s:%s:%s\n",
+        str,
+        SSL_alert_type_string_long(ret),
+        SSL_alert_desc_string_long(ret));
+  }
+  else if (where & SSL_CB_EXIT)
+  {
+    if (ret == 0)
+      ast_log(LOG_ERROR,"%s:failed in %s\n",
+          str,SSL_state_string_long(ssl));
+    else if (ret < 0)
+    {
+      ast_log(LOG_ERROR,"%s:error in %s\n",
+          str,SSL_state_string_long(ssl));
+    }
+  }
+
 	/* We only care about alerts */
 	if (!(where & SSL_CB_ALERT)) {
 		return;
 	}
 
-	rtp->dtls_failure = 1;
+	//rtp->dtls_failure = 1;
 }
 
 static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, const struct ast_rtp_dtls_cfg *dtls_cfg)
@@ -851,7 +881,7 @@
 
 		if (!BIO_read_filename(certbio, dtls_cfg->certfile) ||
 		    !(cert = PEM_read_bio_X509(certbio, NULL, 0, NULL)) ||
-		    !X509_digest(cert, EVP_sha1(), fingerprint, &size) ||
+		    !X509_digest(cert, EVP_sha256(), fingerprint, &size) ||
 		    !size) {
 			ast_log(LOG_ERROR, "Could not produce fingerprint from certificate '%s' for RTP instance '%p'\n",
 				dtls_cfg->certfile, instance);
@@ -1046,7 +1076,7 @@
 	int pos = 0;
 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
 
-	if (hash != AST_RTP_DTLS_HASH_SHA1) {
+	if (hash != AST_RTP_DTLS_HASH_SHA256) {
 		return;
 	}
 
@@ -1059,7 +1089,7 @@
 {
 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
 
-	if (hash != AST_RTP_DTLS_HASH_SHA1) {
+	if (hash != AST_RTP_DTLS_HASH_SHA256) {
 		return NULL;
 	}
 
@@ -1432,7 +1462,7 @@
 			unsigned char fingerprint[EVP_MAX_MD_SIZE];
 			unsigned int size;
 
-			if (!X509_digest(certificate, EVP_sha1(), fingerprint, &size) ||
+			if (!X509_digest(certificate, EVP_sha256(), fingerprint, &size) ||
 			    !size ||
 			    memcmp(fingerprint, rtp->remote_fingerprint, size)) {
 				X509_free(certificate);
@@ -1446,7 +1476,7 @@
 	}
 
 	/* Ensure that certificate verification was successful */
-	if (SSL_get_verify_result(rtp->ssl) != X509_V_OK) {
+	if (SSL_get_verify_result(rtp->ssl) != X509_V_OK && SSL_get_verify_result(rtp->ssl) != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
 		ast_log(LOG_WARNING, "Peer certificate on RTP instance '%p' failed verification test\n",
 			instance);
 		return -1;
Index: channels/chan_sip.c
===================================================================
--- channels/chan_sip.c	(revision 414969)
+++ channels/chan_sip.c	(working copy)
@@ -10494,13 +10494,24 @@
 				  (processed == TRUE)? "OK." : "UNSUPPORTED OR FAILED.");
 		}
 
-		/* Ensure crypto lines are provided where necessary */
-		if (audio && secure_audio && !processed_crypto) {
-			ast_log(LOG_WARNING, "Rejecting secure audio stream without encryption details: %s\n", m);
-			return -1;
-		} else if (video && secure_video && !processed_crypto) {
-			ast_log(LOG_WARNING, "Rejecting secure video stream without encryption details: %s\n", m);
-			return -1;
+		{
+			/* Ensure crypto lines are provided where necessary */
+			struct ast_rtp_engine_dtls *dtls;
+			if (audio &&
+					secure_audio && !(
+						processed_crypto || (
+							(dtls = ast_rtp_instance_get_dtls(p->rtp)) &&
+							dtls->active(p->rtp)))) {
+				ast_log(LOG_WARNING, "Rejecting secure audio stream without encryption details: %s\n", m);
+				return -1;
+			} else if (video &&
+					secure_video && !(
+						processed_crypto || (
+							(dtls = ast_rtp_instance_get_dtls(p->vrtp)) &&
+							dtls->active(p->vrtp)))) {
+				ast_log(LOG_WARNING, "Rejecting secure video stream without encryption details: %s\n", m);
+				return -1;
+			}
 		}
 	}
 
@@ -11037,11 +11048,11 @@
 			ast_log(LOG_WARNING, "Unsupported connection attribute value '%s' received on dialog '%s'\n",
 				value, p->callid);
 		}
-	} else if (sscanf(a, "fingerprint: %5s %255s", hash, value) == 2) {
+	} else if (sscanf(a, "fingerprint:%s %255s", hash, value) == 2) {
 		found = TRUE;
 
-		if (!strcasecmp(hash, "sha-1")) {
-			dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1, value);
+		if (!strcasecmp(hash, "sha-256")) {
+			dtls->set_fingerprint(instance, AST_RTP_DTLS_HASH_SHA256, value);
 		} else {
 			ast_log(LOG_WARNING, "Unsupported fingerprint hash type '%s' received on dialog '%s'\n",
 				hash, p->callid);
@@ -12730,8 +12741,8 @@
 		break;
 	}
 
-	if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA1))) {
-		ast_str_append(a_buf, 0, "a=fingerprint:SHA-1 %s\r\n", fingerprint);
+	if ((fingerprint = dtls->get_fingerprint(instance, AST_RTP_DTLS_HASH_SHA256))) {
+		ast_str_append(a_buf, 0, "a=fingerprint:SHA-256 %s\r\n", fingerprint);
 	}
 }