Hi!
Lately I had some problems with Yeastar FXO and FXS gateways.
Yeastar supplies FXO and FXS gateways under the TA series.
TA410 and TA810 are FXO gateways, while TA400 and TA800 are FXS gateways.
These gateways are based on Asterisk, and they run Asterisk version 1.6.2.6.
They should support SRTP & TLS, but unfortunately, I found that this feature (SRTP specifically) doesn’t work.
The problem
I connected the FXS to a SIP server and configured the FXS to register to the SIP server with a SIP account.
Then, I configured the FXS and the SIP server to have a TLS transport layer (so the SIP packets are encrypted using TLS) and to support SRTP (encrypted voice packets).
The TLS works fine (I can see the TLS packets being sent between the FXS gateway and the SIP server), but the SRTP doesn’t work – there are no voice packets being sent (so the call is silent).
After a few seconds, the call is ended.
The same happens also with the FXO gateway (TA410 / TA810).
The bugs
I found the bugs and succeeded in solving them, so now my SRTP works. Here are explanations and solutions for them:
There are 2 different bugs: one in the FXS gateway and one in the FXO gateway.
FXS Gateway:
Like I explained before, the TA series uses Asterisk 1.6.2.6. So the SIP module is located under: /usr/bin/asterisk/modules/chan_sip.so.
This module handles the SDP session between the FXS and the SIP server.
SDP is a protocol above SIP that synchronizes both sides about the RTP stream (for example, it decides about the codec, media type, rate, etc.).
This protocol also transfers the SRTP key.
The bug is in the SDP parsing logic inside the chan_sip.so module:
As you can see in the bottom highlighted line - there’s a comparison between s1 (which is the current field inside the SDP packet) and “crypto:” - this field holds the SRTP key that is exchanged between the FXS gateway and the SIP server.
A few lines above it, in the first highlighted line, you can see there’s a comparison between s1 and another string, “sendrecv”. BUT it branches to the green path if s1 does NOT equal “sendrecv”, so in the case of our “crypto” field we’ll take that branch and won’t reach the logic of parsing the “crypto” field.
The fix is very simple: all we have to do is patch this branch to be “BE” instead of “BNE”.
The patched chan_sip.so module (for firmware version 41.19.0.32) that fixes the bug is attached to the post.
All you have to do is upload this module to the asterisk module directory inside your TA (via scp - make sure SSH connection is enabled on your FXS TA gateway):
scp ./chan_sip.so root@<your TA ip>:/usr/lib/asterisk/modules/chan_sip.so
Then, reboot your TA - it should boot with the new chan_sip module.
Now you can configure the SRTP normally and it should work.
FXO Gateway:
In the FXO Gateway (TA410 / TA810) the bug mentioned above doesn’t exist, but unfortunately there’s another bug that stops the SRTP from working:
Yeastar generates Asterisk’s configuration files (under the /etc/asterisk directory) from their web interface.
The binary that is responsible for generating those files is /bin/mypbxconf.
Specifically, there’s a bug in generating the file: /etc/asterisk/extensions.conf.
In the extensions.conf, there’s a line that should determine whether or not the current call should be encrypted using SRTP:
exten = 1-dial,35,Set(_SIPSRTP=${SIPPEER(${ARG${TCOUNT}},srtpcapable)})
The macro SIPPEER should get the peer name and the name of a field inside it, and it should return the field’s value.
In our case, the requested field is ‘srtpcapable’, which means whether or not the SIP peer is capable of doing SRTP (this field can be configured from the web).
The problem is that ${ARG${TCOUNT}} does not hold the correct peer name; the correct peer name is held under: ${CUT(${ARG${TCOUNT}},/,2)}.
So if we change the file ‘/bin/mypbxconf’ to generate the correct line - the bug is solved and the SRTP works.
The patched ‘/bin/mypbxconf’ file that fixes that problem is also attached to the post.
This patched file works for FXO gateway with Firmware version 41.19.0.25 (the latest version).
All you have to do is upload this file to the /persistent/bin directory inside your TA (via scp - make sure SSH connection is enabled on your FXO TA gateway):
scp ./mypbxconf root@<your TA ip>:/persistent/bin/mypbxconf
Then, reboot your TA - it should boot with the new mypbxconf file.
Now you can configure the SRTP normally and it should work.
The files:
chan_sip.so
mypbxconf
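
A way to check which form of the SIPSRTP line a generated extensions.conf contains, before and after replacing mypbxconf. This is an added example, not part of the original post and not Yeastar's code: the two patterns are the strings quoted in the post, while the function names, the sample context name and the filler line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a generated dialplan carries the SIPSRTP
# line in the form the post describes as broken, or in the corrected form.
# Both patterns are copied from the post; single quotes keep ${...} literal.
BUGGY='Set(_SIPSRTP=${SIPPEER(${ARG${TCOUNT}},srtpcapable)})'
FIXED='Set(_SIPSRTP=${SIPPEER(${CUT(${ARG${TCOUNT}},/,2)},srtpcapable)})'

# check_sipsrtp FILE: prints fixed | buggy | mixed | absent | unreadable
check_sipsrtp() {
    conf=$1
    [ -r "$conf" ] || { echo unreadable; return 0; }
    # Drop commented-out lines (';' starts a comment in Asterisk configs).
    active=$(grep -v '^[[:space:]]*;' "$conf" || true)
    # -F matches the pattern as a fixed string, so $, { and ( are not regex.
    buggy=$(printf '%s\n' "$active" | grep -cF -e "$BUGGY" || true)
    fixed=$(printf '%s\n' "$active" | grep -cF -e "$FIXED" || true)
    if [ "$buggy" -gt 0 ] && [ "$fixed" -gt 0 ]; then echo mixed
    elif [ "$buggy" -gt 0 ]; then echo buggy
    elif [ "$fixed" -gt 0 ]; then echo fixed
    else echo absent
    fi
}

# write_sample KIND FILE: constructed dialplan fragments for the demo below.
write_sample() {
    case $1 in
        buggy)     line="exten = 1-dial,35,$BUGGY" ;;
        fixed)     line="exten = 1-dial,35,$FIXED" ;;
        commented) line="; exten = 1-dial,35,$BUGGY" ;;
    esac
    printf '%s\n' '[macro-trunkdial]  ; constructed context name' \
        'exten = 1-dial,34,NoOp(constructed filler line)' "$line" > "$2"
}

# Demo on constructed files; on a gateway, run instead:
#   check_sipsrtp /etc/asterisk/extensions.conf
tmp=$(mktemp -d)
for kind in buggy fixed commented; do
    write_sample "$kind" "$tmp/$kind.conf"
    printf '%-10s %s\n' "$kind" "$(check_sipsrtp "$tmp/$kind.conf")"
done
rm -rf "$tmp"
```

A result of "buggy" or "mixed" after the reboot means the dialplan was regenerated by an unpatched mypbxconf.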