DTLS connection problem

I have kind of a weird problem with encrypting Asterisk connections. When I am using media_encryption = sdes, everything is working fine and I can establish a connection with sound. On the other hand, when I switch media_encryption to dtls and try to make a connection, the Asterisk CLI with "rtp set debug on" returns:

[Aug 11 10:24:10] ERROR[43303][C-00000001]: res_rtp_asterisk.c:3078 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7fb1100674e0' due to reason 'unsupported protocol', terminating
[Aug 11 10:24:10] WARNING[43303][C-00000001]: res_rtp_asterisk.c:6511 ast_rtcp_read: RTCP Read error: Unspecified.  Hanging up.

endpoint configuration:

 ParameterName                      : ParameterValue
 =========================================================================================================
 100rel                             : yes
 accept_multiple_sdp_answers        : false
 accountcode                        :
 acl                                :
 aggregate_mwi                      : true
 allow                              : (ulaw)
 allow_overlap                      : true
 allow_subscribe                    : true
 allow_transfer                     : true
 aors                               : sec_bob
 asymmetric_rtp_codec               : false
 auth                               : sec_bob
 bind_rtp_to_media_address          : false
 bundle                             : false
 call_group                         :
 callerid                           : <unknown>
 callerid_privacy                   : allowed_not_screened
 callerid_tag                       :
 connected_line_method              : invite
 contact_acl                        :
 context                            : sec_call
 cos_audio                          : 0
 cos_video                          : 0
 device_state_busy_at               : 0
 direct_media                       : false
 direct_media_glare_mitigation      : none
 direct_media_method                : invite
 disable_direct_media_on_nat        : false
 dtls_auto_generate_cert            : No
 dtls_ca_file                       : /usr/src/asterisk/keys/myCA.pem
 dtls_ca_path                       :
 dtls_cert_file                     : /usr/src/asterisk/keys/asterisk.crt
 dtls_cipher                        :
 dtls_fingerprint                   : SHA-256
 dtls_private_key                   : /usr/src/asterisk/keys/asterisk.key
 dtls_rekey                         : 0
 dtls_setup                         : actpass
 dtls_verify                        : No
 dtmf_mode                          : rfc4733
 fax_detect                         : false
 fax_detect_timeout                 : 0
 follow_early_media_fork            : true
 force_avp                          : false
 force_rport                        : true
 from_domain                        :
 from_user                          :
 g726_non_standard                  : false
 ice_support                        : true
 identify_by                        : username,ip
 ignore_183_without_sdp             : false
 inband_progress                    : false
 incoming_answer_codec_prefs        : prefer:pending, operation:intersect, keep:all, transcode:unspecified
 incoming_call_offer_pref           : local
 incoming_mwi_mailbox               :
 incoming_offer_codec_prefs         : prefer:pending, operation:intersect, keep:all, transcode:allow
 language                           :
 mailboxes                          :
 max_audio_streams                  : 1
 max_video_streams                  : 1
 media_address                      :
 media_encryption                   : dtls
 media_encryption_optimistic        : false
 media_use_received_transport       : true
 message_context                    :
 moh_passthrough                    : false
 moh_suggest                        : default
 mwi_from_user                      :
 mwi_subscribe_replaces_unsolicited : no
 named_call_group                   :
 named_pickup_group                 :
 notify_early_inuse_ringing         : false
 one_touch_recording                : false
 outbound_auth                      :
 outbound_proxy                     :
 outgoing_answer_codec_prefs        : prefer:pending, operation:intersect, keep:all, transcode:unspecified
 outgoing_call_offer_pref           : remote
 outgoing_offer_codec_prefs         : prefer:pending, operation:union, keep:all, transcode:allow
 pickup_group                       :
 preferred_codec_only               : false
 record_off_feature                 : automixmon
 record_on_feature                  : automixmon
 refer_blind_progress               : true
 rewrite_contact                    : true
 rpid_immediate                     : false
 rtcp_mux                           : true
 rtp_engine                         : asterisk
 rtp_ipv6                           : false
 rtp_keepalive                      : 0
 rtp_symmetric                      : false
 rtp_timeout                        : 0
 rtp_timeout_hold                   : 0
 sdp_owner                          : -
 sdp_session                        : Asterisk
 send_connected_line                : yes
 send_diversion                     : true
 send_pai                           : false
 send_rpid                          : false
 set_var                            :
 srtp_tag_32                        : false
 stir_shaken                        : false
 sub_min_expiry                     : 0
 subscribe_context                  :
 suppress_q850_reason_headers       : false
 t38_udptl                          : false
 t38_udptl_ec                       : none
 t38_udptl_ipv6                     : false
 t38_udptl_maxdatagram              : 0
 t38_udptl_nat                      : false
 timers                             : yes
 timers_min_se                      : 90
 timers_sess_expires                : 1800
 tone_zone                          :
 tos_audio                          : 0
 tos_video                          : 0
 transport                          : transport-tls
 trust_connected_line               : yes
 trust_id_inbound                   : false
 trust_id_outbound                  : false
 use_avpf                           : true
 use_ptime                          : false
 user_eq_phone                      : false
 voicemail_extension                :
 webrtc                             : no

transport config:

 ParameterName              : ParameterValue
 ================================================================
 allow_reload               : false
 async_operations           : 1
 bind                       : 0.0.0.0:5061
 ca_list_file               :
 ca_list_path               :
 cert_file                  : /usr/src/asterisk/keys/asterisk.crt
 cipher                     :
 cos                        : 0
 domain                     :
 external_media_address     :
 external_signaling_address :
 external_signaling_port    : 0
 local_net                  :
 method                     : tlsv1_2
 password                   :
 priv_key_file              : /usr/src/asterisk/keys/asterisk.key
 protocol                   : tls
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 0
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100
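The same endpoint written out as a pjsip.conf fragment, added here as an illustration and not taken from the original post or from the Asterisk project. The first section mirrors the dumped settings, including dtls_verify = no, which makes Asterisk complete the DTLS handshake with any peer certificate without comparing it to the a=fingerprint attribute the peer signalled in its SDP. The second section is the variant a practitioner would normally run, where the handshake is rejected unless the peer's certificate matches that fingerprint. Section names, aor/auth names and certificate paths are the ones from the dump; the dtls_auto_generate_cert line is an assumed alternative to the manually supplied key pair, shown commented out.

```ini
; --- As dumped above: DTLS-SRTP with peer certificate checking disabled ---
[sec_bob]
type = endpoint
context = sec_call
allow = ulaw
aors = sec_bob
auth = sec_bob
transport = transport-tls
media_encryption = dtls
use_avpf = yes                ; DTLS-SRTP is offered as RTP/SAVPF
ice_support = yes
rtcp_mux = yes
dtls_setup = actpass
dtls_fingerprint = SHA-256    ; hash algorithm used in the SDP a=fingerprint line
dtls_cert_file = /usr/src/asterisk/keys/asterisk.crt
dtls_private_key = /usr/src/asterisk/keys/asterisk.key
dtls_ca_file = /usr/src/asterisk/keys/myCA.pem
dtls_verify = no              ; weak: any peer certificate is accepted, the SDP fingerprint is ignored

; --- Hardened variant: bind the DTLS handshake to the fingerprint signalled in SDP ---
[sec_bob_verified]
type = endpoint
context = sec_call
allow = ulaw
aors = sec_bob
auth = sec_bob
transport = transport-tls
media_encryption = dtls
use_avpf = yes
ice_support = yes
rtcp_mux = yes
dtls_setup = actpass
dtls_fingerprint = SHA-256
dtls_cert_file = /usr/src/asterisk/keys/asterisk.crt
dtls_private_key = /usr/src/asterisk/keys/asterisk.key
; dtls_auto_generate_cert = yes   ; assumed alternative: let Asterisk create an ephemeral self-signed
;                                 ; certificate instead of the two file settings above
dtls_verify = fingerprint     ; reject the handshake if the peer certificate does not match a=fingerprint
```

dtls_verify = fingerprint is the check that ties the DTLS session to the SIP/SDP exchange (which here runs over TLS); dtls_verify = certificate (or yes) instead requires the peer's certificate to chain to dtls_ca_file, which a soft-phone presenting a self-signed certificate will not satisfy.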

DTLS-sRTP is complicated without network-packet traces. First of all, please use method=sslv23 for your SIP-over-TLS transport as explained in this post. Then, please, elaborate a bit more on your setup: are you trying to connect two Digium Asterisk instances via DTLS-sRTP, or a specific VoIP service, or a specific client?

So, I am using just one Asterisk instance (cloned from the Asterisk GitHub about 2 weeks ago, probably version 17.01) on Ubuntu Server 20.04, and what I basically want to achieve is a connection between two Jitsi soft-phones. There are two corresponding and identical endpoints, sec_alice and sec_bob, in my database, with the configuration that I uploaded in my first post.
After swapping the protocol to sslv23, the same error occurred. I don't know if this is a problem with my certificates or with the DTLS configuration, because there is little information on how to configure this setup.
The reason I am doing this is the unencrypted RTCP packets that I saw in Wireshark while I was using SDES. So I just want to try whether DTLS can encrypt the whole connection. But it is still unclear to me why Asterisk is not encrypting RTCP to SRTCP.

Although the master branch is tested and should work, please go for a stable release like Asterisk 16 LTS or Asterisk 17. That makes it easier to reproduce your issue. Second problem: why do you want to use DTLS-sRTP at all, and not just SDES-sRTP? Third problem, to reproduce your issue: which version of Jitsi Desktop do you use on which platform?

Why do you want to use DTLS-sRTP

As I mentioned, I want to check whether DTLS-sRTP will encrypt my connection including the RTCP packets.

Which version of Jitsi Desktop do you use on which platform?

2.10.5550

Which platform … Jitsi Desktop is very different depending on the underlying platform.

Using DTLS-sRTP just because of RTCP is not the approach I recommend. If you do not need RTCP, you can disable it. If you need it and you want to have it encrypted, I recommend creating an issue report. In chan_sip, RTCP was encrypted. I have not checked chan_pjsip recently, whether this is a new feature or a bug. A recent libSRTP version introduced an incompatibility when it comes to RTCP.

To answer your question, I do not know either. Sounds like an issue with the DTLS version itself. However, it could be anything, including your NAT and ICE setup. One approach is to reproduce your issue here and then think about which pitfall you might have fallen into.

Which platform … Jitsi Desktop is very different depending on the underlying platform.

Windows 10 on both

If you do not need RTCP, you can disable it.

How can I do that?
