Pjsip trying to use tls with sdes

I followed the secure calling tutorial in the Asterisk wiki in order to achieve TLS with SDES encryption, so I was able to generate keys and certificates.
Then I configured TLS and the endpoints in pjsip.conf:

[transport-tls1]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[44301]
type = endpoint
context = phones
disallow = all
allow = ulaw,alaw,gsm
aors = 44301
auth = auth44301
device_state_busy_at=1
direct_media=no
media_encryption=sdes
dtmf_mode=rfc4733
[44301]
type = aor
max_contacts = 1
remove_existing=yes

[auth44301]
type=auth
auth_type=userpass
password=123
username=44301

And the other endpoint, 44302, is similar.
**Anyway, I used the Blink softphone, then I configured TLS with the port and added the certificates ca.crt and client.pem.**
I was able to register the endpoints.
I made a call without setting SDES in Blink and I removed encryption_mode from pjsip;
then the call worked fine.
**Then I set encryption to SDES in Blink and re-added encryption_mode=sdes,**
but when I make a call it always says 488 Not Acceptable, and here are the logs:

<--- Received SIP request (1121 bytes) from TLS:192.168.133.146:51070 --->
INVITE sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30160 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Content-Type: application/sdp
Content-Length: 517

v=0
o=- 3794895279 3794895279 IN IP4 192.168.133.146
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50020 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.146
a=rtcp:50021
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
a=sendrecv

<--- Transmitting SIP response (591 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=z9hG4bKPje43b2e854153439f9b6dde0b452c6711
CSeq: 30160 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1585895680/ea9aac9606c630b71bd4153b77e78525",opaque="33cd922350d34520",algorithm=md5,qop="auth"
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (434 bytes) from TLS:192.168.133.146:51070 --->
ACK sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=z9hG4bKPje43b2e854153439f9b6dde0b452c6711
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30160 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<--- Received SIP request (1418 bytes) from TLS:192.168.133.146:51070 --->
INVITE sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30161 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="44301", realm="asterisk", nonce="1585895680/ea9aac9606c630b71bd4153b77e78525", uri="sip:44302@192.168.133.222", response="3e33f0f09be2b651b1da4b4b7116d6f9", algorithm=md5, cnonce="09c015dab2db45dbb9ffc429cd98efdd", opaque="33cd922350d34520", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 517

v=0
o=- 3794895279 3794895279 IN IP4 192.168.133.146
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50020 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.146
a=rtcp:50021
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
a=sendrecv

== Setting global variable 'SIPDOMAIN' to '192.168.133.222'
<--- Transmitting SIP response (393 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
CSeq: 30161 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Transmitting SIP response (447 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=c33ba276-2cd9-43cc-9c51-ee7fbb6e47cd
CSeq: 30161 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (429 bytes) from TLS:192.168.133.146:51070 --->
ACK sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=c33ba276-2cd9-43cc-9c51-ee7fbb6e47cd
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30161 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

**And one more thing:**

There is always a SUBSCRIBE request, and I don't understand why it is sent or why it is not being authorized:

<--- Received SIP request (699 bytes) from TLS:192.168.133.146:51070 --->
SUBSCRIBE sip:44301@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
CSeq: 11021 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<--- Transmitting SIP response (594 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506;alias
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222;tag=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506
CSeq: 11021 SUBSCRIBE
WWW-Authenticate: Digest realm="asterisk",nonce="1585895629/259f5f63ba466b1b169fa1e040a048a1",opaque="7096d73218097dde",algorithm=md5,qop="auth"
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (996 bytes) from TLS:192.168.133.146:51070 --->
SUBSCRIBE sip:44301@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
CSeq: 11022 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="44301", realm="asterisk", nonce="1585895629/259f5f63ba466b1b169fa1e040a048a1", uri="sip:44301@192.168.133.222", response="9075b5eb08dc988b40de27bead8195c2", algorithm=md5, cnonce="e4a08bb680d94baa88d805220f46ca1b", opaque="7096d73218097dde", qop=auth, nc=00000001
Content-Length: 0

<--- Transmitting SIP response (445 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 404 Not Found
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d;alias
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222;tag=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d
CSeq: 11022 SUBSCRIBE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

I only posted for one endpoint, which is 44301, but both are making the same SUBSCRIBE request and eventually it says Not Found.
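An added check for the failing INVITE above (example code, not from the thread or from Asterisk): it parses an SDP offer and verifies the two SDES prerequisites, the RTP/SAVP profile and well-formed a=crypto inline keys of the length the suite requires. The Blink offer passes both, so the 488 is not explained by the offer itself; the constructed RTP/AVP counter-example shows what a failing offer looks like.

```python
"""Check an SDP offer for SDES SRTP (RFC 4568): RTP/SAVP profile plus a
well-formed a=crypto line whose inline key has the suite's required length."""
import base64
import re

# master key (16) + master salt (14) bytes for both AES_CM_128 suites, RFC 4568 s6.2
SUITE_KEY_BYTES = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/]+=*)(\|\S+)?$")


def check_sdes_offer(sdp: str) -> dict:
    """Return the audio profile, usable (tag, suite) pairs and a list of problems."""
    profile, usable, problems = None, [], []
    for line in sdp.splitlines():
        if line.startswith("m=audio "):
            profile = line.split()[2]  # RTP/AVP or RTP/SAVP
        elif line.startswith("a=crypto:"):
            m = CRYPTO_RE.match(line)
            if not m:
                problems.append(f"malformed crypto attribute: {line}")
                continue
            tag, suite, key_b64, _session_params = m.groups()
            expected = SUITE_KEY_BYTES.get(suite)
            if expected is None:
                problems.append(f"crypto {tag}: unsupported suite {suite}")
                continue
            try:
                key_len = len(base64.b64decode(key_b64, validate=True))
            except ValueError:  # binascii.Error is a ValueError
                problems.append(f"crypto {tag}: inline key is not valid base64")
                continue
            if key_len != expected:
                problems.append(f"crypto {tag}: key is {key_len} bytes, expected {expected}")
            else:
                usable.append((int(tag), suite))
    if profile != "RTP/SAVP":
        problems.append(f"audio profile is {profile}; SDES requires RTP/SAVP")
    if not usable:
        problems.append("no usable a=crypto line in the offer")
    return {"profile": profile, "usable": usable, "problems": problems}


# Offer lines as posted in the INVITE above (rtpmap lines trimmed)
BLINK_OFFER = """v=0
m=audio 50020 RTP/SAVP 113 9 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
a=sendrecv"""
# Constructed counter-example: the same offer from a phone without SDES enabled
PLAIN_OFFER = "\n".join(l.replace("RTP/SAVP", "RTP/AVP")
                        for l in BLINK_OFFER.splitlines() if not l.startswith("a=crypto"))
```

Run `check_sdes_offer(BLINK_OFFER)` and `check_sdes_offer(PLAIN_OFFER)` to compare a clean offer against one that a callee configured for SDES would have to reject.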

Have you confirmed the configuration is as you said in Asterisk using “pjsip show endpoint 44301”?

As well the SUBSCRIBE is subscribing to get message waiting indication information. You don’t have any mailboxes configured, so it gets told that the mailbox wasn’t found.


Well, first of all thanks for replying.
Now, yes, this is how I configured 44301:
[44301]
type = endpoint
context = phones
disallow = all
allow = ulaw,alaw,gsm
aors = 44301
auth = auth44301
device_state_busy_at=1
direct_media=no
media_encryption=sdes
dtmf_mode=rfc4733
[44301]
type = aor
max_contacts = 1
remove_existing=yes

[auth44301]
type=auth
auth_type=userpass
password=123
username=44301

And this is what you asked for:
Endpoint: 44301 Not in use 0 of 1
InAuth: auth44301/44301
Aor: 44301 1
Contact: 44301/sip:73219854@192.168.133.146:49717;t cfaaff26fd NonQual nan

ParameterName : ParameterValue

100rel : yes
accept_multiple_sdp_answers : false
accountcode :
acl :
aggregate_mwi : true
allow : (ulaw|alaw|gsm)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : 44301
asymmetric_rtp_codec : false
auth : auth44301
bind_rtp_to_media_address : false
bundle : false
call_group :
callerid :
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
contact_acl :
context : phones
cos_audio : 0
cos_video : 0
device_state_busy_at : 1
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : false
dtls_auto_generate_cert : No
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : active
dtls_verify : No
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
follow_early_media_fork : true
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : false
identify_by : username,ip
ignore_183_without_sdp : false
inband_progress : false
incoming_mwi_mailbox :
language :
mailboxes :
max_audio_streams : 1
max_video_streams : 1
media_address :
media_encryption : sdes
media_encryption_optimistic : false
media_use_received_transport : false
message_context :
moh_passthrough : false
moh_suggest : default
mwi_from_user :
mwi_subscribe_replaces_unsolicited : no
named_call_group :
named_pickup_group :
notify_early_inuse_ringing : false
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
preferred_codec_only : false
record_off_feature : automixmon
record_on_feature : automixmon
refer_blind_progress : true
rewrite_contact : false
rpid_immediate : false
rtcp_mux : false
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : false
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_connected_line : yes
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
suppress_q850_reason_headers : false
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 0
tos_video : 0
transport :
trust_connected_line : yes
trust_id_inbound : false
trust_id_outbound : false
use_avpf : false
use_ptime : false
user_eq_phone : false
voicemail_extension :
webrtc : no

Thanks in advance.

Do you have the res_srtp module loaded? Was Asterisk built with SRTP support?


I'm sorry, but how could I check if it is loaded?

“module show like srtp” on the Asterisk console will show a list of any modules that are loaded with “srtp” in their name.

Oh no, it is not there!!!
I've been trying for days with this and it did not work out! Now I know why it did not!
I am so grateful, Mr. jcolp.
But now how could I load it? In steps please, since I am a newbie.

Thanks in advance.

If the module exists then “module load res_srtp.so” would load it. If it does not exist then you would need to install the libsrtp development package on your system and rebuild Asterisk after re-running configure.

So first I need to install libsrtp0-dev,
then I have to go to the Asterisk directory and
make distclean
./configure
make
make install
make menuselect ... and check if it is there in channel drivers and mark it to be loaded?
Or I could load it from the console later on!
Are these the correct steps?

It would appear in the Resource Modules list, but yes.

