Asterisk TLS/SRTP problem

hi all.

I installed asterisk from trunk “SVN-trunk-r355531”.

I still have an SRTP problem. It generates an error when I want to make a call.

I have generated certificates with ast_tls_cert (I have already tried it 50 times).

When I try to connect from the eyeBeam softphone, it seems to register well, but if I try to call somewhere Asterisk generates the following message:

[Feb 16 22:49:09] WARNING[3779]: sip/sdp_crypto.c:226 sdp_crypto_process: Unsupported crypto parameters: [Feb 16 22:49:09] WARNING[3779]: chan_sip.c:9398 process_sdp: Can't provide secure audio requested in SDP offer

Also, I tested it from PhonerLite; it registers well, but when I try to call somewhere Asterisk generates:

[Feb 16 23:54:52] WARNING[4950]: chan_sip.c:9404 process_sdp: We are requesting SRTP, but they responded without it! .

my sip.conf is :

[general]
context=unauthenticated
allowguest=no
srvlookup=yes
tcpenable=no
tlsenable=yes
tlsbindaddr=0.0.0.0
transport=tls
tlscertfile=/var/lib/asterisk/keys/asterisk.pem
tlscafile=/var/lib/asterisk/keys/ca.crt
tlsclientmethod=tlsv1
tlscipher=ALL


[100]
type=friend
context=mycontext
host=dynamic
nat=no
secret=1234
dtmfmode=rfc2833
disallow=all
allow=ulaw
transport=tls
encryption=yes

extensions.conf

[mycontext]
exten => 1234,1,Set(CHANNEL(secure_bridge_signaling)=1)
    same => n,Set(CHANNEL(secure_bridge_media)=1)
    same => n,Saydigits(123)
    same => n,Hangup()

I have searched for it on Google, but nothing was helpful.

Any solution?

What is the actual SDP?

The second error, at face value, means the phone doesn’t support SRTP.

SDP is :

<--- SIP read from TLS:20.20.20.2:4681 --->
INVITE sip:123@20.20.20.1 SIP/2.0
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-2f453f3257274144-1--d87543-;rport
Max-Forwards: 70
Contact: <sip:100@20.20.20.2:4681;transport=TLS>
To: "123"<sip:123@20.20.20.1>
From: "100"<sip:100@20.20.20.1>;tag=281b5142
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 491

v=0
o=- 6 2 IN IP4 20.20.20.2
s=CounterPath eyeBeam 1.5
c=IN IP4 20.20.20.2
t=0 0
m=audio 40016 RTP/SAVP 100 0 101
a=alt:1 1 : xANoISr/ WQXgyQoQ 20.20.20.2 40016
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:XfllqvnoUUYHjyBsqVYFvUIuCb/onSYnHB1apTsR 
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:u0QcjZGQm4/GopHnetZyxGiHnFlNrrJ72XbpzD9H 
a=fmtp:101 0-15
a=rtpmap:100 SPEEX/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv
a=x-rtp-session-id:8D3BE357474D4EB8A92216984541C11D
<------------->
--- (12 headers 14 lines) ---
Sending to 20.20.20.2:4681 (NAT)
Using INVITE request as basis request - f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
Found peer '100' for '100' from 20.20.20.2:4681

<--- Reliably Transmitting (no NAT) to 20.20.20.2:4681 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-2f453f3257274144-1--d87543-;received=20.20.20.2;rport=4681
From: "100"<sip:100@20.20.20.1>;tag=281b5142
To: "123"<sip:123@20.20.20.1>;tag=as79ef90e7
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 1 INVITE
Server: Asterisk PBX SVN-trunk-r355531
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="64c0ac5f"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.' in 32000 ms (Method: INVITE)

<--- SIP read from TLS:20.20.20.2:4681 --->
ACK sip:123@20.20.20.1 SIP/2.0
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-2f453f3257274144-1--d87543-;rport
To: "123"<sip:123@20.20.20.1>;tag=as79ef90e7
From: "100"<sip:100@20.20.20.1>;tag=281b5142
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 1 ACK
Content-Length: 0

<------------->
--- (7 headers 0 lines) ---

<--- SIP read from TLS:20.20.20.2:4681 --->
INVITE sip:123@20.20.20.1 SIP/2.0
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-ac6117110341bf24-1--d87543-;rport
Max-Forwards: 70
Contact: <sip:100@20.20.20.2:4681;transport=TLS>
To: "123"<sip:123@20.20.20.1>
From: "100"<sip:100@20.20.20.1>;tag=281b5142
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 1003s stamp 31159
Authorization: Digest username="100",realm="asterisk",nonce="64c0ac5f",uri="sip:123@20.20.20.1",response="ed9319c6df82bf4a893f0afca6ba6eae",algorithm=MD5
Content-Length: 491

v=0
o=- 6 2 IN IP4 20.20.20.2
s=CounterPath eyeBeam 1.5
c=IN IP4 20.20.20.2
t=0 0
m=audio 40016 RTP/SAVP 100 0 101
a=alt:1 1 : xANoISr/ WQXgyQoQ 20.20.20.2 40016
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:XfllqvnoUUYHjyBsqVYFvUIuCb/onSYnHB1apTsR 
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:u0QcjZGQm4/GopHnetZyxGiHnFlNrrJ72XbpzD9H 
a=fmtp:101 0-15
a=rtpmap:100 SPEEX/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv
a=x-rtp-session-id:8D3BE357474D4EB8A92216984541C11D
<------------->
--- (13 headers 14 lines) ---
Sending to 20.20.20.2:4681 (no NAT)
Using INVITE request as basis request - f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
Found peer '100' for '100' from 20.20.20.2:4681
  == Using SIP RTP CoS mark 5
Found RTP audio format 100
Found RTP audio format 0
Found RTP audio format 101
[Feb 17 10:21:39] WARNING[16881]: sip/sdp_crypto.c:226 sdp_crypto_process: Unsupported crypto parameters: �Found audio description format SPEEX for ID 100
Found audio description format telephone-event for ID 101
[Feb 17 10:21:39] WARNING[16881]: chan_sip.c:9398 process_sdp: Can't provide secure audio requested in SDP offer

<--- Reliably Transmitting (no NAT) to 20.20.20.2:4681 --->
SIP/2.0 488 Not acceptable here
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-ac6117110341bf24-1--d87543-;received=20.20.20.2;rport=4681
From: "100"<sip:100@20.20.20.1>;tag=281b5142
To: "123"<sip:123@20.20.20.1>;tag=as79ef90e7
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 2 INVITE
Server: Asterisk PBX SVN-trunk-r355531
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.' in 32000 ms (Method: INVITE)

<--- SIP read from TLS:20.20.20.2:4681 --->
ACK sip:123@20.20.20.1 SIP/2.0
Via: SIP/2.0/TLS 20.20.20.2:26953;branch=z9hG4bK-d87543-ac6117110341bf24-1--d87543-;rport
To: "123"<sip:123@20.20.20.1>;tag=as79ef90e7
From: "100"<sip:100@20.20.20.1>;tag=281b5142
Call-ID: f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.
CSeq: 2 ACK
Content-Length: 0

<------------->
--- (7 headers 0 lines) ---

<--- SIP read from TLS:20.20.20.2:4681 --->


<------------->
Really destroying SIP dialog 'c95e8a66b622a53eNTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.' Method: REGISTER
Really destroying SIP dialog 'd01b3f34f26ac16bNTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.' Method: REGISTER
Really destroying SIP dialog 'f4622d36a069ce57NTdhYTEyNzU0YTVjMTVjYzJmNTg2N2Y1NDk2MjcxYTE.' Method: INVITE

Today, I tested it on the Blink softphone and it works well.

I want to use eyeBeam, but this warning still occurs:

WARNING[25077]: sip/sdp_crypto.c:226 sdp_crypto_process: Unsupported crypto parameters:
WARNING[25077]: chan_sip.c:9398 process_sdp: Can't provide secure audio requested in SDP offer

And I cannot make a call. My eyeBeam client is version 1.5.7.

Has no one had this problem?
Any solution?

As I have not used encryption with Asterisk, and, in particular, don’t know which ciphers and hash functions are supported, and whether any are optional, someone else will need to comment on why the encryption options are not acceptable. I was mainly trying to extract enough information to allow them to do that.
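Added example, not part of any post in this thread: a small Python check for the a=crypto attributes (RFC 4568) in the eyeBeam offer above. It reports the suite, the decoded key length, and whether a parser that splits on single spaces would read the trailing space on those lines as an empty session-parameters field. The helper name check_crypto_line is hypothetical, and that the trailing space is what triggers the warning is an assumption the thread does not confirm.

```python
import base64
import binascii

# Master key + master salt length in bytes for the RFC 4568 crypto suites.
SUITE_KEY_BYTES = dict.fromkeys(
    ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"), 30)

def check_crypto_line(line):
    """Return (fields, problems) for one SDP a=crypto line (hypothetical helper)."""
    problems = []
    if not line.startswith("a=crypto:"):
        return None, ["not an a=crypto attribute"]
    body = line[len("a=crypto:"):].rstrip("\r\n")
    # Assumption: a parser that splits on single spaces sees a trailing space
    # as a fourth field that is present but empty (blank session parameters).
    strict = body.split(" ")
    if len(strict) > 3 and not any(strict[3:]):
        problems.append("trailing whitespace parsed as empty session parameters")
    parts = body.split()
    if len(parts) < 3:
        return None, problems + ["missing tag, suite or key parameters"]
    tag, suite, key_params, session = parts[0], parts[1], parts[2], parts[3:]
    if suite not in SUITE_KEY_BYTES:
        problems.append("unknown crypto suite " + suite)
    method, _, key_info = key_params.partition(":")
    key_len = None
    if method != "inline":
        problems.append("unsupported key method " + method)
    else:
        try:  # optional "|lifetime|MKI" suffixes are dropped before decoding
            key_len = len(base64.b64decode(key_info.split("|")[0], validate=True))
        except (binascii.Error, ValueError):
            problems.append("key is not valid base64")
    if key_len is not None and key_len != SUITE_KEY_BYTES.get(suite, key_len):
        problems.append("key+salt is %d bytes, suite needs %d" % (key_len, SUITE_KEY_BYTES[suite]))
    if session:
        problems.append("session parameters present: " + " ".join(session))
    return {"tag": tag, "suite": suite, "key_bytes": key_len, "session": session}, problems

# The two a=crypto lines copied from the eyeBeam offer in the thread, trailing space kept.
OFFER = [
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:XfllqvnoUUYHjyBsqVYFvUIuCb/onSYnHB1apTsR ",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:u0QcjZGQm4/GopHnetZyxGiHnFlNrrJ72XbpzD9H ",
]

if __name__ == "__main__":
    for offer_line in OFFER:
        print(check_crypto_line(offer_line))
```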

First, thanks david55 for your reply and help.

After hard work :smile: eyeBeam 1.5 works fine with TLS/SRTP signaling and media encryption … both outgoing and incoming calls

[quote=“irakla7777777”]first thanks david55 for your reply and help.

after hard work :smile: eyebeam 1.5 works fine with TLS/SRTP signaling and media encryption … both outgoing and incoming calls[/quote]

What version of Asterisk and OpenSSL are you using please?

My version of Asterisk is current SVN trunk, but I believe SSL/SRTP works well in 10.1.2, 10.2.0-rc2, and 1.8.X (there are patches for the SRTP fix).

The SSL version is 0.9.8, but I have installed it with the Debian package…

[quote=“irakla7777777”]first thanks david55 for your reply and help.

after hard work :smile: eyebeam 1.5 works fine with TLS/SRTP signaling and media encryption … both outgoing and incoming calls[/quote]

What was your fix? I have TLS/SRTP enabled and am using Blink. TLS is working fine but SRTP crashes Asterisk now and then with Blink. Using Asterisk 1.10 latest stable release as of yesterday on a CentOS 6.2 box. Going to give Bria/eyeBeam a try later this week, so any pointers would be greatly appreciated.

If Asterisk really is crashing, you should report it as detailed in wiki.asterisk.org/wiki/display/ … +Backtrace

[quote=“irakla7777777”]first thanks david55 for your reply and help.

after hard work :smile: eyebeam 1.5 works fine with TLS/SRTP signaling and media encryption … both outgoing and incoming calls[/quote]

How did you fix it? I am having the same issue with eyeBeam 1.5.9.

[quote=“irakla7777777”]first thanks david55 for your reply and help.

after hard work :smile: eyebeam 1.5 works fine with TLS/SRTP signaling and media encryption … both outgoing and incoming calls[/quote]

Hi,
I have the same problem as you. Can you tell us how to fix this issue?
Thanks!

Ronaldo.