SRTP

Started by hoisinboi, January 14, 2013, 12:15:39 PM


hoisinboi

Has anyone gotten SRTP working? I have an Obi202 hooked up to an Asterisk PBX. TLS works fine. When I enabled the X_SRTP flag under Voice Service -> SP1 Service -> Calling features, I originally got the following error:

NOTICE[15112] sip/sdp_crypto.c: Crypto life time unsupported

I fixed that by patching my PBX with the 'ignorecryptolifetime' option https://issues.asterisk.org/jira/browse/ASTERISK-17899.

Now when I call, I get another error:

WARNING[16829] chan_sip.c: We are requesting SRTP for audio, but they responded without it!

I'm connected to GV through Asterisk. I tested the setup on my Bria softphone app and the call is being encrypted correctly.

doubled

Were you able to get SRTP working?

hoisinboi

Revisiting this issue now. I installed Asterisk 11 and manually applied the patch (https://issues.asterisk.org/jira/secure/attachment/39869/dw-ignore-crypto-lifetime-trunk-r320171.patch).  I got past the lifetime key issue. However, I'm now encountering the following error messages:

[Feb 13 22:08:49] WARNING[25775][C-00000001]: sip/sdp_crypto.c:173 sdp_crypto_activate: Could not set SRTP policies
[Feb 13 22:08:49] WARNING[25775][C-00000001]: chan_sip.c:10487 process_sdp: Rejecting secure audio stream without encryption details: audio 16600 RTP/SAVP 0 8 18 104 101

My Obi202 FW ver is: 3.0.1 (Build: 4269)
My Asterisk ver is: 11.7.0


giqcass

Just a thought but is there a possibility of disabling SRTP on the Obi and passing the call to an unencrypted asterisk trunk.  Then allow asterisk to do all of the encryption on a second trunk before passing it over the internet using SRTP.  In this scenario I am assuming both devices are on site so the possibility of packet interception between the Obi and the asterisk box would be low.  Forgive me if I'm way off. My asterisk knowledge is minimal.


It seems SRTP with GV is a hit or miss affair.  Sounds like it requires constant patches.

Long live our new ObiLords!

hoisinboi

Quote from: giqcass on February 13, 2014, 09:52:46 PM
Just a thought but is there a possibility of disabling SRTP on the Obi and passing the call to an unencrypted asterisk trunk.  Then allow asterisk to do all of the encryption on a second trunk before passing it over the internet using SRTP.  In this scenario I am assuming both devices are on site so the possibility of packet interception between the Obi and the asterisk box would be low.  Forgive me if I'm way off. My asterisk knowledge is minimal.


It seems SRTP with GV is a hit or miss affair.  Sounds like it requires constant patches.

I have since stopped using GV as a trunk due to them stopping support for XMPP. I agree that the risk of interception is low and that it's more important for wireless clients. However, I feel that since the option is there, someone should know how to get the two to connect. Maybe there is documentation somewhere on what is being passed to the SIP provider when it is turned on.

I've done some debugging and have narrowed it down to Asterisk not being able to create a srtp policy. I don't know too much about the internal workings of srtp so I'm pretty much stuck.

res_srtp.c line:440

static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp, struct ast_srtp_policy *policy)
{
        struct ast_srtp *temp;

        if (!(temp = res_srtp_new())) {
                /* allocation failed: log first, then bail out */
                ast_log(LOG_WARNING, "Can't create temp pointer\n");
                return -1;
        }
        ast_module_ref(ast_module_info->self);

        /* Any failures after this point can use ast_srtp_destroy to destroy the instance */
        if (srtp_create(&temp->session, &policy->sp) != err_status_ok) {    /* <---- This doesn't return status ok */
                /* Session either wasn't created or was created and dealloced. */
                temp->session = NULL;
                ast_srtp_destroy(temp);
                ast_log(LOG_WARNING, "Problem creating srtp session\n");
                return -1;
        }

        /* success: hand the new instance back to the caller */
        temp->rtp = rtp;
        *srtp = temp;

        return 0;
}

hoisinboi

Ok, I got it working. Turns out that I had to compile from libsrtp (http://srtp.sourceforge.net/download.html) instead of relying on the ubuntu repo (libsrtp0-dev). I didn't have to use the fPIC CFLAG option.

I've attached the patch for ignorecryptolifetime that I modified for Asterisk 11.7.0.

You have to have TLS set up and working in the first place. No need to import cert into the Obi, since there is no way to.


  == Using SIP RTP CoS mark 5
[Feb 14 13:58:45] DEBUG[16102][C-00000000]: sip/sdp_crypto.c:285 sdp_crypto_process: Accepting crypto tag 1
[Feb 14 13:58:45] DEBUG[16102][C-00000000]: sip/sdp_crypto.c:310 sdp_crypto_offer: Crypto line: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3Ezr72xlH3KGxeH0IYFdZ59hc+OxE6M2IxFKH9ry
    -- Executing [1703xxxxxxx@dialplan:1] Set("SIP/1000-00000000", "DIALEDNUMBER=1703xxxxxxx") in new stack
[Feb 14 13:58:45] NOTICE[16107][C-00000000]: ast_expr2.y:763 compose_func_args: argbuf allocated 148 bytes;
[Feb 14 13:58:45] NOTICE[16107][C-00000000]: ast_expr2.y:782 compose_func_args: argbuf uses 147 bytes;
    -- Executing [1703xxxxxxx@dialplan:2] GotoIf("SIP/1000-00000000", "0?d-Canada,1:d-USA,1") in new stack
    -- Goto (dialplan,d-USA,1)
    -- Executing [d-USA@dialplan:1] Macro("SIP/1000-00000000", "FallbackDial,1703xxxxxxx,USA") in new stack
    -- Executing [s@macro-FallbackDial:1] Set("SIP/1000-00000000", "ARRAY(line1,line2,line3)=localphone,didlogic,anveo") in new stack
    -- Executing [s@macro-FallbackDial:2] Dial("SIP/1000-00000000", "SIP/localphone/1703xxxxxxx") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/localphone/1703xxxxxxx
       > 0xb6d0fad0 -- Probation passed - setting RTP source address to 69.87.158.8:52420
    -- SIP/localphone-00000001 is making progress passing it to SIP/1000-00000000
[Feb 14 13:58:47] DEBUG[16107][C-00000000]: sip/sdp_crypto.c:310 sdp_crypto_offer: Crypto line: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3Ezr72xlH3KGxeH0IYFdZ59hc+OxE6M2IxFKH9ry
       > 0xb6d0fad0 -- Probation passed - setting RTP source address to 69.87.158.8:52420
       > 0xb6b247b0 -- Probation passed - setting RTP source address to 192.168.88.29:16614
    -- SIP/localphone-00000001 is ringing
    -- SIP/localphone-00000001 is making progress passing it to SIP/1000-00000000
    -- SIP/localphone-00000001 answered SIP/1000-00000000
[Feb 14 13:58:54] DEBUG[16107][C-00000000]: sip/sdp_crypto.c:310 sdp_crypto_offer: Crypto line: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3Ezr72xlH3KGxeH0IYFdZ59hc+OxE6M2IxFKH9ry
  == Spawn extension (macro-FallbackDial, s, 2) exited non-zero on 'SIP/1000-00000000' in macro 'FallbackDial'
  == Spawn extension (dialplan, d-USA, 1) exited non-zero on 'SIP/1000-00000000'

giqcass

Congratulations!  In light of recent privacy concerns I'm sure others will find this useful.
Long live our new ObiLords!

hoisinboi

I got ahead of myself. It looks like it only works on outbound. On inbound, it fails. I tested this with my Bria softphone and it works both ways, so it has to be something in the Obihai side. Perhaps it's looking for a cryptolifetime and Asterisk isn't sending one because it doesn't support it? Who knows. Will a developer please chime in?

rsriram22

Any updates on this? I still do not know how to attach a certificate to the OBi if I want it to connect to my TLS+SRTP enabled Asterisk server like here: https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial#SecureCallingTutorial-Part2%28SRTP%29
I have two 100s and one 110.

Goldenmeadow

Hi!

I'm in the same boat. Need to establish connection to the server using TLS with certificate on OBi200. Any help?????

SteveInWA

There is no way to import a TLS certificate into an OBi device.  If you really need this feature, then you'll need to use a different product.

The Grandstream HT-701 is an inexpensive SIP ATA that can import and use a certificate and private key.

Goldenmeadow

Quote from: SteveInWA on May 21, 2015, 03:25:39 PM
There is no way to import a TLS certificate into an OBi device.  If you really need this feature, then you'll need to use a different product.

The Grandstream HT-701 is an inexpensive SIP ATA that can import and use a certificate and private key.

Thanks Steve!

Your answers are always the best!!!
I actually managed to connect using TLS with SRTP. First I needed to update the firmware in my 200. Then I set everything except adding certificate itself into OBi and... it works!

fivn

Has anyone succeeded in connecting an OBi200 with SRTP to Asterisk 13.25.0 using chan_sip?

I got this error:

[Mar 22 18:10:41] WARNING[28691][C-00000008]: chan_sip.c:33974 process_crypto: Ignoring crypto attribute in SDP because RTP transport is insecure
[Mar 22 18:10:41] WARNING[28691][C-00000008]: chan_sip.c:10844 process_sdp: Failed to receive SDP offer/answer with required SRTP crypto attributes for audio


Grandstream phones are working fine.
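The warnings quoted in this thread ("Crypto life time unsupported", "Rejecting secure audio stream without encryption details", "Ignoring crypto attribute in SDP because RTP transport is insecure") all come from chan_sip inspecting the SDP m= line and its a=crypto attribute (RFC 4568). The checker below is an added example, not code from the thread or from Asterisk; it reproduces those checks over constructed SDP fragments so you can see which part of an offer a given warning points at before touching the PBX. The key in GOOD_OFFER is the one from the posted log; the other keys are dummy values.

```python
import base64
import re

# Constructed SDP fragments modelled on the offers discussed in this thread.
GOOD_OFFER = """m=audio 16600 RTP/SAVP 0 8 18 104 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3Ezr72xlH3KGxeH0IYFdZ59hc+OxE6M2IxFKH9ry
"""
LIFETIME_OFFER = """m=audio 16600 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|2^31
"""
INSECURE_OFFER = """m=audio 16600 RTP/AVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
NO_CRYPTO_OFFER = "m=audio 16600 RTP/SAVP 0 8 101\n"

# a=crypto:<tag> <suite> inline:<key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<key>[A-Za-z0-9+/=]+)"
    r"(?:\|(?P<lifetime>2\^\d+|\d+)(?!:))?(?:\|(?P<mki>\d+):(?P<mki_len>\d+))?")

# master key + master salt bytes the suite expects (16 + 14 for AES_CM_128)
KEY_SALT_BYTES = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}


def check_sdp_audio(sdp):
    """Return findings mirroring the chan_sip warnings quoted in this thread."""
    findings, transport, crypto_seen = [], None, False
    for line in sdp.splitlines():
        if line.startswith("m=audio"):
            transport = line.split()[2]          # RTP/AVP or RTP/SAVP
            continue
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        crypto_seen = True
        p = m.groupdict()
        if transport != "RTP/SAVP":              # crypto offered on a plain RTP stream
            findings.append("ignoring crypto attribute: transport %s is insecure" % transport)
        if p["lifetime"]:                        # older chan_sip rejects any lifetime field
            findings.append("crypto lifetime %s present" % p["lifetime"])
        if p["mki"]:
            findings.append("MKI %s:%s present" % (p["mki"], p["mki_len"]))
        expected = KEY_SALT_BYTES.get(p["suite"])
        if expected is None:
            findings.append("unknown suite %s" % p["suite"])
        elif len(base64.b64decode(p["key"])) != expected:
            findings.append("key+salt length wrong for %s" % p["suite"])
    if transport == "RTP/SAVP" and not crypto_seen:  # secure stream, no key material
        findings.append("secure audio stream without encryption details")
    return findings
```

Run it against a captured INVITE body (e.g. from `sip set debug on`) to see which of the four conditions the far end is tripping.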