Configuring chan_sip with sdes

Hi, I’m using the chan_sip channel driver (no immediate option to move to pjsip at present) and am attempting to configure it to use SDES SRTP for secure media.

The pjsip configuration has a media_encryption=sdes parameter used in pjsip.conf; however, I can’t see an equivalent in sip.conf. The closest I can find is encryption=yes, which doesn’t provide the granularity needed.

Can anyone tell me if chan_sip supports sdes? And how is it configured?

“encryption=yes” is what enables SDES. DTLS support is a separate option in chan_sip.

Oh ok, I must have something else configured incorrectly.
If that’s the case, in the SDP part of an outgoing INVITE I was expecting to see a=crypto.... but it’s not there. I have encryption=yes set in the device configuration section.

Is the res_srtp module loaded? Have you confirmed that encryption is set on the specific peer using “sip show peer”?

Yes, srtp is loaded:

Module                         Description                              Use Count  Status      Support Level
res_srtp.so                    Secure RTP (SRTP)                        0          Running     core
1 modules loaded

and encryption shows enabled on the peer

sip show peer sip0
  * Name       : sip0
  Description  :
  Secret       : <Set>
  MD5Secret    : <Not set>
  Remote Secret: <Not set>
  Context      : incoming_calls
  ...
  ...
  Encryption   : Yes

Those are the only things that come to mind.

Sorry, my bad. I’d modified part of chan_sip.c in an attempt to add mediasec support. It seems to have conflicted. I removed my mods and can see crypto in the sdp.
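The check discussed in this thread (whether the SDP of an outgoing INVITE carries a=crypto once encryption=yes is set) can be automated against a captured SDP body. This is an added example, not part of the original posts or of Asterisk; the name check_sdes, the sample SDP bodies and the key are constructed for illustration, and only the two AES_CM_128 suites are assumed.

```python
import base64
import re

# Master key + salt length in bytes for the SDES crypto suites checked here (RFC 4568).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] [session params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(\|\S*)?( .*)?$")


def check_sdes(sdp):
    """Return one finding per m= section: protocol, valid suites, problems."""
    findings, current = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            current = {"media": media, "proto": proto, "suites": [], "problems": []}
            findings.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            m = CRYPTO_RE.match(line)
            if not m:
                current["problems"].append("unparseable crypto line")
                continue
            suite, want = m.group(2), SUITE_KEY_LEN.get(m.group(2))
            try:
                got = len(base64.b64decode(m.group(3), validate=True))
            except ValueError:  # binascii.Error is a ValueError
                got = -1
            if want is None:
                current["problems"].append("unknown suite " + suite)
            elif got != want:
                current["problems"].append("bad key length for " + suite)
            else:
                current["suites"].append(suite)
    for f in findings:
        # SDES is in use only if the profile is secure AND a usable key is present.
        f["sdes_offered"] = f["proto"].startswith("RTP/SAVP") and bool(f["suites"])
    return findings


def _sdp(proto, extra=()):
    """Build a constructed SDP body (documentation address, not a real capture)."""
    lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
             "t=0 0", "m=audio 10000 %s 0" % proto, "a=rtpmap:0 PCMU/8000", *extra]
    return "\r\n".join(lines) + "\r\n"


KEY = base64.b64encode(bytes(range(30))).decode()  # constructed, not a real key
PLAIN_SDP = _sdp("RTP/AVP")
SDES_SDP = _sdp("RTP/SAVP", ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + KEY])

if __name__ == "__main__":
    for name, body in (("plain", PLAIN_SDP), ("sdes", SDES_SDP)):
        print(name, check_sdes(body))
```

SDES carries the master key inline in the SDP, so the signalling itself needs TLS for that key to stay private.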

There is already a patch adding MediaSec to Asterisk chan_sip. Did you use that?

@traud I have not seen the mediasec patch available for chan_sip. Can you point me towards it please?

Oops. No, it was for chan_pjsip …
However in chan_sip, you have the channel parameters secure_bridge_media and secure_bridge_signaling. Do those help? Alternatively, you can use a router with a B2BUA like AVM FRITZ!OS (since 07.20) or LANCOM LCOS (since ???) or Bintec-Elmeg. Then, you connect chan_sip to that, and that connects to Telekom Deutschland via MediaSec. Would love to look into your patch and help. However, I do not have an account with Telekom Deutschland right now.

Yes, I’d seen the chan_pjsip patch before. For various reasons pjsip isn’t preferable at the minute.
Have been able to get it working in the end as a bit of a hack for now but would like to see if I can create something more robust.

Do not worry too much. Just post it somewhere. I am sure it is a starting point for others.