SRTP


hoisinboi:
Has anyone gotten SRTP working? I have an Obi202 hooked up to an Asterisk PBX. TLS works fine. When I enabled the X_SRTP flag under Voice Service -> SP1 Service -> Calling features, I originally got the following error:

Code:

NOTICE[15112] sip/sdp_crypto.c: Crypto life time unsupported

I fixed that by patching my PBX with the 'ignorecryptolifetime' option https://issues.asterisk.org/jira/browse/ASTERISK-17899.

Now when I call, I get another error:

Code:

WARNING[16829] chan_sip.c: We are requesting SRTP for audio, but they responded without it!

I'm connected to GV through Asterisk. I tested the setup on my Bria softphone app and the call is being encrypted correctly.

doubled:
Were you able to get SRTP working?

hoisinboi:
Revisiting this issue now. I installed Asterisk 11 and manually applied the patch (https://issues.asterisk.org/jira/secure/attachment/39869/dw-ignore-crypto-lifetime-trunk-r320171.patch).  I got past the lifetime key issue. However, I'm now encountering the following error messages:

[Feb 13 22:08:49] WARNING[25775][C-00000001]: sip/sdp_crypto.c:173 sdp_crypto_activate: Could not set SRTP policies
[Feb 13 22:08:49] WARNING[25775][C-00000001]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 16600 RTP/SAVP 0 8 18 104 101

My Obi202 FW ver is: 3.0.1 (Build: 4269)
My Asterisk ver is: 11.7.0

giqcass:
Just a thought but is there a possibility of disabling SRTP on the Obi and passing the call to an unencrypted asterisk trunk.  Then allow asterisk to do all of the encryption on a second trunk before passing it over the internet using SRTP.  In this scenario I am assuming both devices are on site so the possibility of packet interception between the Obi and the asterisk box would be low.  Forgive me if I'm way off. My asterisk knowledge is minimal.


It seems SRTP with GV is a hit or miss affair.  Sounds like it requires constant patches.

hoisinboi:
Quote from: giqcass on February 13, 2014, 09:52:46 pm

Just a thought but is there a possibility of disabling SRTP on the Obi and passing the call to an unencrypted asterisk trunk.  Then allow asterisk to do all of the encryption on a second trunk before passing it over the internet using SRTP.  In this scenario I am assuming both devices are on site so the possibility of packet interception between the Obi and the asterisk box would be low.  Forgive me if I'm way off. My asterisk knowledge is minimal.


It seems SRTP with GV is a hit or miss affair.  Sounds like it requires constant patches.


I have since stopped using GV as a trunk due to them stopping support for XMPP. I agree that the risk of interception is low and that it's more important for wireless clients. However, I feel that since the option is there, someone should know how to get the two to connect. Maybe there is documentation somewhere on what is being passed to the SIP provider when it is turned on.

I've done some debugging and have narrowed it down to Asterisk not being able to create an SRTP policy. I don't know too much about the internal workings of SRTP so I'm pretty much stuck.

res_srtp.c line:440
Code:

static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp, struct ast_srtp_policy *policy)
{
        struct ast_srtp *temp;

        if (!(temp = res_srtp_new())) {
                /* Log before returning; placed after the return it was unreachable */
                ast_log(LOG_WARNING, "Can't create temp pointer\n");
                return -1;
        }
        ast_module_ref(ast_module_info->self);

        /* Any failures after this point can use ast_srtp_destroy to destroy the instance */
        /* Poster's note: the srtp_create() call below doesn't return status ok */
        if (srtp_create(&temp->session, &policy->sp) != err_status_ok) {
                /* Session either wasn't created or was created and dealloced. */
                temp->session = NULL;
                ast_srtp_destroy(temp);
                ast_log(LOG_WARNING, "Problem creating srtp session\n");
                return -1;
        }
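
Added example (not part of the thread, and not Asterisk or Obihai code): the warnings quoted above concern the SDP `a=crypto` offer, so this Python helper parses that attribute as laid out in RFC 4568 and lists what a strict receiver may refuse, including a secure media line that carries no key at all. The SDP sample and its all-zero key are constructed, the function names are hypothetical, and only the first inline key on each line is examined.

```python
import base64
import re

# Master key + salt length in bytes for the RFC 4568 SRTP crypto suites.
KEY_SALT_LEN = dict.fromkeys(("AES_CM_128_HMAC_SHA1_80",
                              "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"), 30)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([^\s;]+)")
# Constructed SDP (not captured from a device); the key is 30 zero bytes.
KEY = base64.b64encode(bytes(30)).decode()
SAMPLE = ("m=audio 16600 RTP/SAVP 0 8 18 104 101\r\n"
          "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + KEY + "|2^31|1:1\r\n")

def parse_crypto(line):
    """Parse one a=crypto line; after the key, x:y is an MKI, else a lifetime."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("no inline key in %r" % line)
    tag, suite, key_params = m.groups()
    key_b64, *extras = key_params.split("|")
    try:
        key_len = len(base64.b64decode(key_b64, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        key_len = None
    return {"tag": int(tag), "suite": suite, "key_len": key_len,
            "mki": next((e for e in extras if ":" in e), None),
            "lifetime": next((e for e in extras if ":" not in e), None)}

def findings(offer):
    """List the properties of an offer that a receiving SRTP stack may refuse."""
    out = []
    expected = KEY_SALT_LEN.get(offer["suite"])
    if expected is None:
        out.append("unknown suite " + offer["suite"])
    elif offer["key_len"] != expected:
        out.append("key+salt is %s bytes, expected %d" % (offer["key_len"], expected))
    out += ["%s %s" % (k, offer[k]) for k in ("lifetime", "mki") if offer[k]]
    return out

def audit_sdp(sdp):
    """Map each RTP/SAVP m= line to per-offer findings; an empty list = no key."""
    report, offers = {}, None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            offers = report.setdefault(line, []) if "RTP/SAVP" in line else None
        elif line.startswith("a=crypto:") and offers is not None:
            offers.append(findings(parse_crypto(line)))
    return report

if __name__ == "__main__":
    print(audit_sdp(SAMPLE))
```

Feeding it the SDP bodies from a SIP debug trace of both endpoints shows whether an offer carries a lifetime, an MKI or a wrong-sized key before digging into res_srtp.c.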
