Is it really SRTP?

So I have an Asterisk server with 2 endpoints (SRTP enabled and forced), where I enabled TLS and SRTP.

Here is my pjsip.conf:

[transport-tls]
type=transport
protocol=tls
bind=192.168.133.5:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
require_client_cert=yes
verify_client=yes
verify_server=yes




;====================template
[endpoint-basic](!)
type=endpoint
context=phones
disallow=all
allow=alaw,ulaw,gsm
device_state_busy_at=1
direct_media=no
dtmf_mode=rfc4733
media_encryption=sdes

[auth-userpass](!)
type=auth
auth_type=userpass

[aor-single-reg](!)
type=aor
max_contacts=1
remove_existing=yes


;==============EXTENSION 37100
[37100](endpoint-basic)
transport=transport-tls
media_encryption=sdes
auth=auth37100
aors=37100

[auth37100](auth-userpass)
password=123
username=37100

[37100](aor-single-reg)

;==============EXTENSION 37200
[37200](endpoint-basic)
transport=transport-tls
media_encryption=sdes
auth=auth37200
aors=37200

[auth37200](auth-userpass)
password=123
username=37200

[37200](aor-single-reg)

I turned on the PJSIP logger and here are the logs:

<--- Received SIP response (892 bytes) from TLS:192.168.133.157:34958 --->
SIP/2.0 200 Ok
Via: SIP/2.0/TLS 192.168.133.5:5061;rport;branch=z9hG4bKPj4134bf5e-3d42-4738-8ae2-2f06967c3f2b;alias
From: <sip:37100@192.168.133.5>;tag=2cecf382-7e3b-4f34-9ca5-909a99a4e745
To: <sip:37200@192.168.133.157>;tag=8P1ivMa
Call-ID: 950754b8-2f2f-4336-a1c1-ec0512ba979d
CSeq: 16477 INVITE
User-Agent: Linphonec/4.5.0
Supported: replaces, outbound, gruu
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, PRACK, UPDATE
Contact: <sip:37200@192.168.133.157:34958;transport=tls>;expires=59;+sip.instance="<urn:uuid:4a53b288-02f3-475e-a17b-8f82f1714eda>"
Content-Type: application/sdp
Content-Length: 237

v=0
o=37200 2711 868 IN IP4 192.168.133.157
s=Talk
c=IN IP4 192.168.133.157
t=0 0
m=audio 7078 RTP/SAVP 8 0 101
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:DTM1BJRIy0hqfgdU6045iURNGvwRaaNVGvYECwmo

    -- PJSIP/37200-00000003 answered PJSIP/37100-00000002
<--- Transmitting SIP request (421 bytes) to TLS:192.168.133.157:34958 --->
ACK sip:37200@192.168.133.157:34958;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.133.5:5061;rport;branch=z9hG4bKPj458ea785-7024-430f-9e7d-f5b844e593f8;alias
From: <sip:37100@192.168.133.5>;tag=2cecf382-7e3b-4f34-9ca5-909a99a4e745
To: <sip:37200@192.168.133.157>;tag=8P1ivMa
Call-ID: 950754b8-2f2f-4336-a1c1-ec0512ba979d
CSeq: 16477 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 18.0.0-rc2
Content-Length:  0


<--- Transmitting SIP response (907 bytes) to TLS:192.168.133.156:48742 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.133.156:48742;rport=48742;received=192.168.133.156;branch=z9hG4bK.eIwe1A15J
Call-ID: EPL7GVvONH
From: <sip:37100@192.168.133.5>;tag=y9NuKIo9b
To: <sip:37200@192.168.133.5>;tag=fa5be689-5bfa-47b2-9076-45710dc39f0d
CSeq: 21 INVITE
Server: Asterisk PBX 18.0.0-rc2
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REFER, MESSAGE
Contact: <sip:192.168.133.5:5061;transport=TLS>
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   335

v=0
o=- 754 1810 IN IP4 192.168.133.5
s=Asterisk
c=IN IP4 192.168.133.5
t=0 0
m=audio 11408 RTP/SAVP 8 0 100
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3rwNGHjFbsD31dNU60RALuF+H4sd/2Y3Ez2iaw+i
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:100 telephone-event/8000
a=fmtp:100 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

    -- Channel PJSIP/37200-00000003 joined 'simple_bridge' basic-bridge <d6855e39-a841-408a-9ba9-eb8620ea90db>
    -- Channel PJSIP/37100-00000002 joined 'simple_bridge' basic-bridge <d6855e39-a841-408a-9ba9-eb8620ea90db>
<--- Received SIP request (624 bytes) from TLS:192.168.133.156:48742 --->
ACK sip:192.168.133.5:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.133.156:48742;rport;branch=z9hG4bK.y9KrqfUDw
From: <sip:37100@192.168.133.5>;tag=y9NuKIo9b
To: <sip:37200@192.168.133.5>;tag=fa5be689-5bfa-47b2-9076-45710dc39f0d
CSeq: 21 ACK
Call-ID: EPL7GVvONH
Max-Forwards: 70
Authorization:  Digest realm="asterisk", nonce="1649669085/767cf60176925c062272d55940f585ad", algorithm=md5, opaque="6e99b313543d99df", username="37100",  uri="sip:37200@192.168.133.5", response="70edfdea070415550e726e556056a497", cnonce="pkhqxhtKqyWirw67", nc=00000001, qop=auth
User-Agent: Linphonec/4.5.0
Content-Length: 0

It showed that the two endpoints negotiated the key in the SDP session and both agreed on it.
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:3rwNGHjFbsD31dNU60RALuF+H4sd/2Y3Ez2iaw+i

This suggests that the RTP session is encrypted!
BUT, I put a mirroring switch in between the endpoints and the server, and here is what I captured in Wireshark:

As for TLS:

It shows that it is using TLS and the session is encrypted!

For RTP, here is what I got:

The protocol is UDP and the data are not encrypted!

What is the issue?

There is no issue. RTP is still sent using UDP, except with the payload encrypted. You can still examine the header portion of it.

Thanks for your reply.

So that is only the header and not the payload?
How could I check for the payload then? Just to see it being encrypted.

I’m not sure what you’re talking about. The Wireshark capture shows the packets. If you want to decode them as RTP you right click and tell it to decode as RTP, after which you could try playing it back in Wireshark and likely hear noise.


Wireshark can tell that the TCP stream is encrypted, because it can see the clear text initial handshakes for TLS, and it can follow the TCP stream to infer that following data is encrypted. It can’t tell that the UDP is encrypted, because the only thing that tells it that it is even RTP is the SDP, but it can’t decipher that, because it is encrypted by the TLS.

There is nothing in TCP or UDP and lower layers to indicate that there is encryption. The RTP just looks like UDP of an unknown format.


I played the RTP stream as jcolp said and it was all noise.
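
A way to check a capture for SRTP without relying on Wireshark's protocol column, as an added example that is not part of the thread: it reads the negotiated suite from the SDP, then tests whether an RTP packet carries the 10-byte authentication tag that AES_CM_128_HMAC_SHA1_80 appends, with payload entropy as a supporting signal. The function names, the constructed key and packets, and the 160-byte frame size (G.711 at ptime 20, as in the SDP above) are assumptions.

```python
import base64
import hashlib
import math
import struct
from collections import Counter

# SDES suites (RFC 4568): name -> (auth tag bytes, master key + salt bytes)
SUITES = {"AES_CM_128_HMAC_SHA1_80": (10, 30), "AES_CM_128_HMAC_SHA1_32": (4, 30)}

def negotiated_srtp(sdp):
    """Return (suite, tag_len) if audio is RTP/SAVP with a well-formed a=crypto, else None."""
    profile = found = None
    for line in sdp.splitlines():
        if line.startswith("m=audio "):
            profile = line.split()[2]
        elif line.startswith("a=crypto:") and found is None:
            _tag, suite, keyparam = line.split(":", 1)[1].split()[:3]
            key = base64.b64decode(keyparam.split(":", 1)[1].split("|")[0])
            if suite in SUITES and len(key) == SUITES[suite][1]:
                found = (suite, SUITES[suite][0])
    return found if profile == "RTP/SAVP" else None

def entropy(data):
    """Shannon entropy in bits per byte (0 = constant, 8 = uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(udp_payload, tag_len, frame_bytes=160):
    """Classify one UDP payload; frame_bytes=160 assumes G.711 at ptime 20."""
    if len(udp_payload) < 12 or udp_payload[0] >> 6 != 2:
        return "not-rtp", 0.0
    body = udp_payload[12 + 4 * (udp_payload[0] & 0x0F):]  # skip header and CSRC list
    extra = len(body) - frame_bytes                          # bytes beyond one codec frame
    verdict = "srtp" if extra == tag_len else "plain-rtp" if extra == 0 else "unknown"
    return verdict, entropy(body)

# Constructed sample data (not taken from the capture in the thread)
KEY = base64.b64encode(bytes(range(30))).decode()
SDP = ("m=audio 11408 RTP/SAVP 8 0 100\r\n"
       f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n"
       "a=ptime:20\r\n")
HDR = struct.pack("!BBHII", 0x80, 8, 1, 160, 0x1234ABCD)  # V=2, PT=8 (PCMA)
PLAIN = HDR + b"\xd5" * 160   # A-law silence sent in the clear
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(6))[:170]
SRTP = HDR + NOISE            # stand-in for 160 encrypted bytes + 10-byte tag

if __name__ == "__main__":
    suite, tag_len = negotiated_srtp(SDP)
    for name, pkt in (("plain", PLAIN), ("srtp", SRTP)):
        print(name, len(pkt), classify(pkt, tag_len))
```

With these settings an SRTP packet shows up as 182 bytes of UDP data rather than 172, which can be read off the capture even while the stream is displayed only as UDP.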
