SRTCP unprotect failed because of unable to perform desired validation

Hi, I am running Asterisk 13.18.5 (FreePBX 14) with libsrtp 1.6. I am getting this error on the Asterisk console every 5 seconds of a call in progress. I have done quite a bit of googling, but all the hits seem to be years old.

SRTCP unprotect failed because of unable to perform desired validation

Can someone give me some help on where to start? What debugging should I try that might lead me to the issue? I am using SIP-TLS and SRTP.

Thanks in advance.

The nearest I can find to that message has this description:

if (res != err_status_ok && res != err_status_replay_fail ) {
		/*
		 * Authentication failures happen when an active attacker tries to
		 * insert malicious RTP packets. Furthermore, authentication failures
		 * happen, when the other party encrypts the sRTP data in an unexpected
		 * way. This happens quite often with RTCP. Therefore, when you see
		 * authentication failures, try to identify the implementation
		 * (author and product name) used by your other party. Try to investigate
		 * whether they use a custom library or an outdated version of libSRTP.
		 */
		if (rtcp) {
			ast_verb(2, "SRTCP unprotect failed on SSRC %u because of %s\n",
				ast_rtp_instance_get_ssrc(srtp->rtp), srtp_errstr(res));

The specific, “unable to perform desired validation”, diagnostic is a result of a cant_check error from the, presumably third party, lib_srtp implementation.

I don’t understand why it is doing it, and have only skimmed the code, but it looks like lib_srtp tries to test the specific encryptor (presumably from a different third party) to be used against hard-coded test data, and will fail with that error if there is no test data (presumably the encryption parameters are unsupported), or the self test fails.

Hi, sorry it has been such a long time. I am now on Asterisk 13.22.0 and I still get these messages approx every 5 seconds while a call is active (for each call session).

Does anyone have any ideas about why this happens?
Thanks

== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation
== SRTCP unprotect failed because of unable to perform desired validation

As the comment states in the source code, please post your remote implementation(s). The SDES-sRTP keys are exchanged via SIP/SDP within each call. No further external entity is involved. Nevertheless, there are several sRTP implementations out there which do not encode their sRTCP as well or as expected. In such a case, the authentication or the encryption fails. Therefore, to investigate and reproduce your issue, the remote implementation must be known (product name and version).
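An added example, not part of the thread and not Asterisk or libSRTP code: since the SDES keys and parameters travel in the SDP of each call, the `a=crypto` attributes (RFC 4568) of the offer and the answer can be compared to see what each side negotiated. The function names and the sample SDP are constructed for illustration; it handles one inline key per line and keeps only the key length, never the key.

```python
import base64
import re

# Master key + master salt length in bytes for the RFC 4568 crypto-suites.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+(.*))?$")

def parse_crypto(sdp):
    """Return one dict per a=crypto line; key material is discarded after measuring it."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, key_params, session = m.groups()
        key_b64 = key_params.split("|")[0]  # drop optional lifetime and MKI fields
        key_len = len(base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4)))
        found.append({"tag": int(tag), "suite": suite,
                      "key_len_ok": KEY_SALT_LEN.get(suite) == key_len,
                      "session_params": session.split() if session else []})
    return found

def compare(offer_sdp, answer_sdp):
    """List findings about the SDES parameters the answer selected."""
    offer = {c["tag"]: c for c in parse_crypto(offer_sdp)}
    findings = []
    for ans in parse_crypto(answer_sdp):
        off = offer.get(ans["tag"])
        if off is None:
            findings.append(f"answer tag {ans['tag']} was not in the offer")
        elif off["suite"] != ans["suite"]:
            findings.append(f"tag {ans['tag']}: suite {ans['suite']} differs from offered {off['suite']}")
        if not ans["key_len_ok"]:
            findings.append(f"tag {ans['tag']}: key length does not fit {ans['suite']}")
        findings += [f"tag {ans['tag']}: session parameter {p}" for p in ans["session_params"]]
    return findings

# Constructed sample data: not a real key, not captured from any device.
KEY = base64.b64encode(bytes(range(30))).decode()
OFFER = (f"m=audio 10000 RTP/SAVP 0\r\n"
         f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n"
         f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY}\r\n")
ANSWER = f"m=audio 20000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^31 UNENCRYPTED_SRTCP\r\n"

if __name__ == "__main__":
    print("\n".join(compare(OFFER, ANSWER)) or "no differences found")
```

The findings only describe what was negotiated; the SDP text itself contains the session keys and should be treated as a secret when shared.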

Hi, the remote ends of the implementation are Grandstream 2130 SIP phones. Not sure if that helps or not.

No, that does not help. Is it a Grandstream GXP2130; which firmware version?

Sorry for being vague: Grandstream GXP2130, firmware 1.0.9.63. I know this is not current; I am working towards upgrading to current, but it might take a while.

Thanks

Mhm. That firmware is more than two years old. Since then, libSRTP had several changes when it comes to sRTCP. Can’t you upgrade one of your phones just for testing? By the way, on your Asterisk, can you upgrade to libSRTP 2.x and double-check again?

Hi, I can’t really update. I use FreePBX, the libsrtp comes rolled in, and I think I will break something if I do.

You need to ask on https://community.freepbx.org/