SRTP and directmedia

I have Asterisk 11.7.0 installed
The task is to make secure calls TLS+SRTP with direct RTP connections between phones.
I have read some how-to’s and manuals and managed to make encryption of SIP and RTP traffic working. All calls are successful without any problems.
But it seems SRTP streams are passing through asterisk, although directmedia=yes option is set in sip.conf
It is clearly seen in tcpdump and asterisk logs.
Besides, if I turn SRTP off using encryption=off directmedia becomes working properly. Tcpdump shows re-invite messages, which were not presented with SRTP enabled.
Is it normal behavior, or maybe I misunderstand something?


tlsenable=yes ; включить сигнализацию по TLS
tlsbindaddr= ; привязка TLS к адресу
bindaddress= ; привязка сервиса asterisk к адресу
tlscertfile=/etc/asterisk/keys/asterisk.pem ; путь к TLS сертификату сервера
tlscafile=/etc/asterisk/keys/ca.crt ; пусть к TLS CA сертификату
tlscipher=ALL ; тип TLS шифра
tlsclientmethod=tlsv1.0 ; версия TLS
maxexpirey=3600 ; максимальное время истечения регистрации 1ч
port=5060 ;стандартный порт

host=dynamic ; хост может менять адрес
disallow = all ; запрет всех кодеков
allow = alaw ; разрешить кодек G.711A
context=gm ; контекст канала
encryption=yes ; использовать SRTP
transport=tls ; использовать TLS для сигнализации




[local] ; базовый контекст местных номеров
exten => _**,1,Pickup(${EXTEN:2})
exten => _1XXX,1,Dial(SIP/${EXTEN})
exten => _1XXX,n,Hangup

include => local

I imagine that Asterisk doesn’t know how to forward the key exchange.

I suppose REINVITE message should help. In this case caller phone starts key exchange with phone being called. But tcpdump shows that just after setting encryption=yes asterisk stops sending re-invite messages. I have tried 11,12 and 1.8 versions, but the result is just the same.
I wonder is it normal behavior for asterisk or I misconfigured something. It’s hard to find answer in internet because every how-to is just about setting encryption and not about the way RTP flows.

I think it is as designed. You would probably need to examine the source code.

Probably I really need to. Although I dont even know where to start searching. I think I saw somewhere part of sourcecode with comment like “disable re-invite if SRTP enabled” or something like that.

Both Chrome and Firefox set “RTP/SAVPF” on m line in SDP and Asterisk doesn’t apply DTLS :frowning: (Asterisk expectations are “UDP/TLS/RTP/SAVPF”)