Srtp error ON LINPHONE

sami-hep · April 16, 2020, 10:21am

recently i configured my blink softphones and made a call with sdes mandatory … where it says that tls is secure and media is encrypted.

whereas , i tried doing same thing with linphones with registered and was authenticated but there was no sdes option in media_encryption in linphone config so i replaced it with srtp which is believe is the same.
but when i made the call, asterisk keeps saying it is not encrypted.
== SRTCP unprotect failed on SSRC 110424577 because of authentication failure

there are the logs of linphones (37303 —>37400) which failed:

<— Received SIP request (1476 bytes) from TLS:192.168.133.10:37094 —>
INVITE sip:37400@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.10:37094;branch=z9hG4bK.OHknhTIxF;rport
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111
CSeq: 20 INVITE
Call-ID: XUMti1MEEY
Max-Forwards: 70
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length: 883
Contact: sip:37303@192.168.133.10:37094;transport=tls;+sip.instance=“urn:uuid:4a53b288-02f3-475e-a17b-8f82f1714eda”
User-Agent: Linphonec/3.12.0 (belle-sip/1.6.3)

v=0
o=37303 4045 3636 IN IP4 192.168.133.10
s=Talk
c=IN IP4 192.168.133.10
t=0 0
a=rtcp-xr:rcvr-rtt=all:10000 stat-summary=loss,dup,jitt,TTL voip-metrics
m=audio 7078 RTP/SAVP 96 97 98 0 8 101 99 100
a=rtpmap:96 opus/48000/2
a=fmtp:96 useinbandfec=1
a=rtpmap:97 speex/16000
a=fmtp:97 vbr=on
a=rtpmap:98 speex/8000
a=fmtp:98 vbr=on
a=rtpmap:101 telephone-event/48000
a=rtpmap:99 telephone-event/16000
a=rtpmap:100 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d76vYkcjaYMCERNM90C/sa9ss5hKrxbNpmQZEdxe
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:O4lohyBOeGbaB4N6BgYHsdfllKouvJwAbMllGDxa
a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:PRODxi2P0AvtMYekgh6eFnQcbbC8XTT/T927GZwnTF6GtfxaLib+iu3UBenWjw==
a=crypto:4 AES_256_CM_HMAC_SHA1_32 inline:RhySvlwNGYTroHRcWDPhy69IQGBt3oUbQh80P3kxLIwGacVY4zH76/1ZjIi0EQ==
a=rtcp-fb:* trr-int 5000
a=rtcp-fb:* ccm tmmbr

<— Transmitting SIP response (479 bytes) to TLS:192.168.133.10:37094 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.10:37094;rport=37094;received=192.168.133.10;branch=z9hG4bK.OHknhTIxF
Call-ID: XUMti1MEEY
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111;tag=z9hG4bK.OHknhTIxF
CSeq: 20 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1587032106/479499b905472cf5ccafc278012d418b”,opaque=“0c873bda0452c75c”,algorithm=md5,qop=“auth”
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<— Received SIP request (408 bytes) from TLS:192.168.133.10:37094 —>
ACK sip:37400@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.10:37094;branch=z9hG4bK.OHknhTIxF;rport
Call-ID: XUMti1MEEY
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111;tag=z9hG4bK.OHknhTIxF
Contact: sip:37303@192.168.133.10:37094;transport=tls;+sip.instance=“urn:uuid:4a53b288-02f3-475e-a17b-8f82f1714eda”
Max-Forwards: 70
CSeq: 20 ACK
Content-Length: 0

<— Received SIP request (1759 bytes) from TLS:192.168.133.10:37094 —>
INVITE sip:37400@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.10:37094;branch=z9hG4bK.xKxsrH7xt;rport
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111
CSeq: 21 INVITE
Call-ID: XUMti1MEEY
Max-Forwards: 70
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length: 883
Contact: sip:37303@192.168.133.10:37094;transport=tls;+sip.instance=“urn:uuid:4a53b288-02f3-475e-a17b-8f82f1714eda”
User-Agent: Linphonec/3.12.0 (belle-sip/1.6.3)
Authorization: Digest realm=“asterisk”, nonce=“1587032106/479499b905472cf5ccafc278012d418b”, algorithm=md5, opaque=“0c873bda0452c75c”, username=“37303”, uri="sip:37400@192.168.133.111", response=“8314fdc86cd590752a1b0c02c5026f20”, cnonce=“7e0fxYT-L9h5OR1i”, nc=00000001, qop=auth

v=0
o=37303 4045 3636 IN IP4 192.168.133.10
s=Talk
c=IN IP4 192.168.133.10
t=0 0
a=rtcp-xr:rcvr-rtt=all:10000 stat-summary=loss,dup,jitt,TTL voip-metrics
m=audio 7078 RTP/SAVP 96 97 98 0 8 101 99 100
a=rtpmap:96 opus/48000/2
a=fmtp:96 useinbandfec=1
a=rtpmap:97 speex/16000
a=fmtp:97 vbr=on
a=rtpmap:98 speex/8000
a=fmtp:98 vbr=on
a=rtpmap:101 telephone-event/48000
a=rtpmap:99 telephone-event/16000
a=rtpmap:100 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d76vYkcjaYMCERNM90C/sa9ss5hKrxbNpmQZEdxe
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:O4lohyBOeGbaB4N6BgYHsdfllKouvJwAbMllGDxa
a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:PRODxi2P0AvtMYekgh6eFnQcbbC8XTT/T927GZwnTF6GtfxaLib+iu3UBenWjw==
a=crypto:4 AES_256_CM_HMAC_SHA1_32 inline:RhySvlwNGYTroHRcWDPhy69IQGBt3oUbQh80P3kxLIwGacVY4zH76/1ZjIi0EQ==
a=rtcp-fb:* trr-int 5000
a=rtcp-fb:* ccm tmmbr

== Setting global variable ‘SIPDOMAIN’ to ‘192.168.133.111’
<— Transmitting SIP response (305 bytes) to TLS:192.168.133.10:37094 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.10:37094;rport=37094;received=192.168.133.10;branch=z9hG4bK.xKxsrH7xt
Call-ID: XUMti1MEEY
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111
CSeq: 21 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

-- Executing [37400@phones:1] NoOp("PJSIP/37303-00000012", "37400") in new stack
-- Executing [37400@phones:2] GotoIf("PJSIP/37303-00000012", "0?not-found,1:") in new stack
-- Executing [37400@phones:3] GotoIf("PJSIP/37303-00000012", "0?not-found,1:") in new stack
-- Executing [37400@phones:4] NoOp("PJSIP/37303-00000012", "PJSIP/ has status 1 : INVALID") in new stack
-- Executing [37400@phones:5] NoOp("PJSIP/37303-00000012", "NOT_INUSE") in new stack
-- Executing [37400@phones:6] GotoIf("PJSIP/37303-00000012", "1?DevAva:") in new stack
-- Goto (phones,37400,9)
-- Executing [37400@phones:9] Dial("PJSIP/37303-00000012", "PJSIP/37400/sip:37400@192.168.133.9:50894;transport=tls,25") in new stack
-- Called PJSIP/37400/sip:37400@192.168.133.9:50894;transport=tls

<— Transmitting SIP request (1084 bytes) to TLS:192.168.133.9:50894 —>
INVITE sip:37400@192.168.133.9:50894;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj2b23e9b9-bfe2-4818-ae84-226f94071c66;alias
From: sip:37303@192.168.133.111;tag=c4b4a675-05c4-4352-879c-7fed376f2f55
To: sip:37400@192.168.133.9
Contact: sip:asterisk@192.168.133.111:5061;transport=TLS
Call-ID: 2b4969cd-9f86-4ba3-8003-95321ba513af
CSeq: 26033 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX certified/16.3-cert1
Content-Type: application/sdp
Content-Length: 371

v=0
o=- 85067291 85067291 IN IP4 192.168.133.111
s=Asterisk
c=IN IP4 192.168.133.111
t=0 0
m=audio 14976 RTP/SAVP 8 0 3 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:A4GefYZXkXS64z/7y9wR0/Z61Hih3CvTrt1ni2zM
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP response (317 bytes) from TLS:192.168.133.9:50894 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj2b23e9b9-bfe2-4818-ae84-226f94071c66;alias
From: sip:37303@192.168.133.111;tag=c4b4a675-05c4-4352-879c-7fed376f2f55
To: sip:37400@192.168.133.9
Call-ID: 2b4969cd-9f86-4ba3-8003-95321ba513af
CSeq: 26033 INVITE
Content-Length: 0

<— Received SIP response (411 bytes) from TLS:192.168.133.9:50894 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj2b23e9b9-bfe2-4818-ae84-226f94071c66;alias
From: sip:37303@192.168.133.111;tag=c4b4a675-05c4-4352-879c-7fed376f2f55
To: sip:37400@192.168.133.9;tag=~6pbtJr
Call-ID: 2b4969cd-9f86-4ba3-8003-95321ba513af
CSeq: 26033 INVITE
User-Agent: Linphonec/3.12.0 (belle-sip/1.6.3)
Supported: replaces, outbound
Content-Length: 0

-- PJSIP/37400-00000013 is ringing
-- PJSIP/37400-00000013 is ringing

<— Transmitting SIP response (509 bytes) to TLS:192.168.133.10:37094 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.133.10:37094;rport=37094;received=192.168.133.10;branch=z9hG4bK.xKxsrH7xt
Call-ID: XUMti1MEEY
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111;tag=b9c4b565-230c-4a38-9b8f-a5b0ebd3c3b5
CSeq: 21 INVITE
Server: Asterisk PBX certified/16.3-cert1
Contact: sip:192.168.133.111:5061;transport=TLS
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Content-Length: 0

<— Received SIP response (884 bytes) from TLS:192.168.133.9:50894 —>
SIP/2.0 200 Ok
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj2b23e9b9-bfe2-4818-ae84-226f94071c66;alias
From: sip:37303@192.168.133.111;tag=c4b4a675-05c4-4352-879c-7fed376f2f55
To: sip:37400@192.168.133.9;tag=~6pbtJr
Call-ID: 2b4969cd-9f86-4ba3-8003-95321ba513af
CSeq: 26033 INVITE
User-Agent: Linphonec/3.12.0 (belle-sip/1.6.3)
Supported: replaces, outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Contact: sip:37400@192.168.133.9:50894;transport=tls;+sip.instance=“urn:uuid:313ef843-7fe8-43c9-88d4-20fac982aeb6”
Content-Type: application/sdp
Content-Length: 234

v=0
o=37400 3499 2371 IN IP4 192.168.133.9
s=Talk
c=IN IP4 192.168.133.9
t=0 0
m=audio 7078 RTP/SAVP 8 0 101
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QKRatBlhiu1qJtpdcmT4IBFTGM+Gh3ILmtcWMNso

<— Transmitting SIP request (431 bytes) to TLS:192.168.133.9:50894 —>
ACK sip:37400@192.168.133.9:50894;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj7e843120-4211-4786-83c1-a9fe88403201;alias
From: sip:37303@192.168.133.111;tag=c4b4a675-05c4-4352-879c-7fed376f2f55
To: sip:37400@192.168.133.9;tag=~6pbtJr
Call-ID: 2b4969cd-9f86-4ba3-8003-95321ba513af
CSeq: 26033 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX certified/16.3-cert1
Content-Length: 0

-- PJSIP/37400-00000013 answered PJSIP/37303-00000012

<— Transmitting SIP response (926 bytes) to TLS:192.168.133.10:37094 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.133.10:37094;rport=37094;received=192.168.133.10;branch=z9hG4bK.xKxsrH7xt
Call-ID: XUMti1MEEY
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111;tag=b9c4b565-230c-4a38-9b8f-a5b0ebd3c3b5
CSeq: 21 INVITE
Server: Asterisk PBX certified/16.3-cert1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.133.111:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 340

v=0
o=- 4045 3638 IN IP4 192.168.133.111
s=Asterisk
c=IN IP4 192.168.133.111
t=0 0
m=audio 12240 RTP/SAVP 8 0 100
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Z43dVuDeVKccYTZGrP4c5lKIPDrcZfGrxGE/H4eP
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:100 telephone-event/8000
a=fmtp:100 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

-- Channel PJSIP/37400-00000013 joined 'simple_bridge' basic-bridge <b014b3db-c994-4c38-952f-4a20adee61f9>
-- Channel PJSIP/37303-00000012 joined 'simple_bridge' basic-bridge <b014b3db-c994-4c38-952f-4a20adee61f9>

<— Received SIP request (650 bytes) from TLS:192.168.133.10:37094 —>
ACK sip:192.168.133.111:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.133.10:37094;rport;branch=z9hG4bK.oZEeVLTe1
From: sip:37303@192.168.133.111;tag=pNAxnd7SB
To: sip:37400@192.168.133.111;tag=b9c4b565-230c-4a38-9b8f-a5b0ebd3c3b5
CSeq: 21 ACK
Call-ID: XUMti1MEEY
Max-Forwards: 70
Authorization: Digest realm=“asterisk”, nonce=“1587032106/479499b905472cf5ccafc278012d418b”, algorithm=md5, opaque=“0c873bda0452c75c”, username=“37303”, uri="sip:37400@192.168.133.111", response=“8314fdc86cd590752a1b0c02c5026f20”, cnonce=“7e0fxYT-L9h5OR1i”, nc=00000001, qop=auth
User-Agent: Linphonec/3.12.0 (belle-sip/1.6.3)
Content-Length: 0

== SRTCP unprotect failed on SSRC 1913874704 because of authentication failure
** == SRTCP unprotect failed on SSRC 761737538 because of authentication failure**
** == SRTCP unprotect failed on SSRC 1913874704 because of authentication failure**

and these are the logs of the blink softphones (37301—> 37302) which succeeded :

<— Received SIP request (1129 bytes) from TLS:192.168.133.111:34631 —>
INVITE sip:37302@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:34631;rport;branch=z9hG4bKPjafb04f34-ef1b-4c05-b5ae-7a39acdd521a;alias
Max-Forwards: 70
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111
Contact: sip:30471698@192.168.133.111:35487;transport=tls
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
CSeq: 12895 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.1 (Linux)
Content-Type: application/sdp
Content-Length: 515

v=0
o=- 3796021076 3796021076 IN IP4 192.168.133.111
s=Blink 3.2.1 (Linux)
t=0 0
m=audio 50006 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.111
a=rtcp:50007
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:fA3pP0fWG45nZKspz8XxO0yHKoJb5dF02U+aoUlj
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:FizOMt7QunebDiNAtSe9YiOroQ4vwHx/cDdN/moF
a=sendrecv

<— Transmitting SIP response (607 bytes) to TLS:192.168.133.111:34631 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.111:34631;rport=34631;received=192.168.133.111;branch=z9hG4bKPjafb04f34-ef1b-4c05-b5ae-7a39acdd521a;alias
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111;tag=z9hG4bKPjafb04f34-ef1b-4c05-b5ae-7a39acdd521a
CSeq: 12895 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1587032276/174c2bbd20d9363a8838c4dbb5b92947”,opaque=“6117a2842480ed7e”,algorithm=md5,qop=“auth”
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<— Received SIP request (448 bytes) from TLS:192.168.133.111:34631 —>
ACK sip:37302@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:34631;rport;branch=z9hG4bKPjafb04f34-ef1b-4c05-b5ae-7a39acdd521a;alias
Max-Forwards: 70
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111;tag=z9hG4bKPjafb04f34-ef1b-4c05-b5ae-7a39acdd521a
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
CSeq: 12895 ACK
User-Agent: Blink 3.2.1 (Linux)
Content-Length: 0

<— Received SIP request (1430 bytes) from TLS:192.168.133.111:34631 —>
INVITE sip:37302@192.168.133.111 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:34631;rport;branch=z9hG4bKPj33b75acd-2a1a-4c41-a16a-84323a31a297;alias
Max-Forwards: 70
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111
Contact: sip:30471698@192.168.133.111:35487;transport=tls
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
CSeq: 12896 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.1 (Linux)
Authorization: Digest username=“37301”, realm=“asterisk”, nonce=“1587032276/174c2bbd20d9363a8838c4dbb5b92947”, uri="sip:37302@192.168.133.111", response=“31bdf0130698b7594f83cfdce13fd9e3”, algorithm=md5, cnonce=“24feb956-2400-4969-8e56-2103aae5fcc7”, opaque=“6117a2842480ed7e”, qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 515

v=0
o=- 3796021076 3796021076 IN IP4 192.168.133.111
s=Blink 3.2.1 (Linux)
t=0 0
m=audio 50006 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.111
a=rtcp:50007
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:fA3pP0fWG45nZKspz8XxO0yHKoJb5dF02U+aoUlj
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:FizOMt7QunebDiNAtSe9YiOroQ4vwHx/cDdN/moF
a=sendrecv

== Setting global variable ‘SIPDOMAIN’ to ‘192.168.133.111’
<— Transmitting SIP response (405 bytes) to TLS:192.168.133.111:34631 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.111:34631;rport=34631;received=192.168.133.111;branch=z9hG4bKPj33b75acd-2a1a-4c41-a16a-84323a31a297;alias
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111
CSeq: 12896 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

-- Executing [37302@phones:1] NoOp("PJSIP/37301-00000014", "37302") in new stack
-- Executing [37302@phones:2] GotoIf("PJSIP/37301-00000014", "0?not-found,1:") in new stack
-- Executing [37302@phones:3] GotoIf("PJSIP/37301-00000014", "0?not-found,1:") in new stack
-- Executing [37302@phones:4] NoOp("PJSIP/37301-00000014", "PJSIP/ has status 1 : INVALID") in new stack
-- Executing [37302@phones:5] NoOp("PJSIP/37301-00000014", "NOT_INUSE") in new stack
-- Executing [37302@phones:6] GotoIf("PJSIP/37301-00000014", "1?DevAva:") in new stack
-- Goto (phones,37302,9)
-- Executing [37302@phones:9] Dial("PJSIP/37301-00000014", "PJSIP/37302/sip:36045912@192.168.133.111:38781;transport=tls,25") in new stack
-- Called PJSIP/37302/sip:36045912@192.168.133.111:38781;transport=tls

<— Transmitting SIP request (1104 bytes) to TLS:192.168.133.111:38781 —>
INVITE sip:36045912@192.168.133.111:38781;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPj7765476f-632a-438e-9297-c34a03734350;alias
From: “37301” sip:37301@192.168.133.111;tag=f25443ac-b3bf-4b6b-b1b4-1cbc2ea2b5a9
To: sip:36045912@192.168.133.111
Contact: sip:asterisk@192.168.133.111:5061;transport=TLS
Call-ID: 889a7a60-1933-4f3a-bf77-485fb03b2657
CSeq: 27220 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX certified/16.3-cert1
Content-Type: application/sdp
Content-Length: 373

v=0
o=- 764084589 764084589 IN IP4 192.168.133.111
s=Asterisk
c=IN IP4 192.168.133.111
t=0 0
m=audio 15720 RTP/SAVP 8 0 3 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Yu18JXCMty/RMJ53bQc+Uce0ai7UP7FHSnY2AMJ7
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP response (393 bytes) from TLS:192.168.133.111:38781 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.111:5061;rport=58729;received=192.168.133.111;branch=z9hG4bKPj7765476f-632a-438e-9297-c34a03734350;alias
Call-ID: 889a7a60-1933-4f3a-bf77-485fb03b2657
From: “37301” sip:37301@192.168.133.111;tag=f25443ac-b3bf-4b6b-b1b4-1cbc2ea2b5a9
To: sip:36045912@192.168.133.111
CSeq: 27220 INVITE
Server: Blink 3.2.1 (Linux)
Content-Length: 0

<— Received SIP response (579 bytes) from TLS:192.168.133.111:38781 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.133.111:5061;rport=58729;received=192.168.133.111;branch=z9hG4bKPj7765476f-632a-438e-9297-c34a03734350;alias
Call-ID: 889a7a60-1933-4f3a-bf77-485fb03b2657
From: “37301” sip:37301@192.168.133.111;tag=f25443ac-b3bf-4b6b-b1b4-1cbc2ea2b5a9
To: sip:36045912@192.168.133.111;tag=09f630ae-21a5-4ac1-b576-13c9aededec3
CSeq: 27220 INVITE
Server: Blink 3.2.1 (Linux)
Contact: sip:36045912@192.168.133.111:38781;transport=tls
Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Content-Length: 0

-- PJSIP/37302-00000015 is ringing
-- PJSIP/37302-00000015 is ringing

<— Transmitting SIP response (609 bytes) to TLS:192.168.133.111:34631 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.133.111:34631;rport=34631;received=192.168.133.111;branch=z9hG4bKPj33b75acd-2a1a-4c41-a16a-84323a31a297;alias
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111;tag=088ca8c4-bd5f-432d-a662-743c080b8722
CSeq: 12896 INVITE
Server: Asterisk PBX certified/16.3-cert1
Contact: sip:192.168.133.111:5061;transport=TLS
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Content-Length: 0

<— Received SIP response (980 bytes) from TLS:192.168.133.111:38781 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.133.111:5061;rport=58729;received=192.168.133.111;branch=z9hG4bKPj7765476f-632a-438e-9297-c34a03734350;alias
Call-ID: 889a7a60-1933-4f3a-bf77-485fb03b2657
From: “37301” sip:37301@192.168.133.111;tag=f25443ac-b3bf-4b6b-b1b4-1cbc2ea2b5a9
To: sip:36045912@192.168.133.111;tag=09f630ae-21a5-4ac1-b576-13c9aededec3
CSeq: 27220 INVITE
Server: Blink 3.2.1 (Linux)
Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Contact: sip:36045912@192.168.133.111:38781;transport=tls
Supported: 100rel, replaces, norefersub, gruu
Content-Type: application/sdp
Content-Length: 325

v=0
o=- 3796021078 3796021079 IN IP4 192.168.133.111
s=Blink 3.2.1 (Linux)
t=0 0
m=audio 50010 RTP/SAVP 8 101
c=IN IP4 192.168.133.111
a=rtcp:50011
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Ab5qewnlxNP52DihS7x/bRP574+FXqt0pGvIhWp/
a=sendrecv

<— Transmitting SIP request (478 bytes) to TLS:192.168.133.111:38781 —>
ACK sip:36045912@192.168.133.111:38781;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:5061;rport;branch=z9hG4bKPjbf7f2f15-49cd-44d6-a853-aae77aa09d8f;alias
From: “37301” sip:37301@192.168.133.111;tag=f25443ac-b3bf-4b6b-b1b4-1cbc2ea2b5a9
To: sip:36045912@192.168.133.111;tag=09f630ae-21a5-4ac1-b576-13c9aededec3
Call-ID: 889a7a60-1933-4f3a-bf77-485fb03b2657
CSeq: 27220 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX certified/16.3-cert1
Content-Length: 0

-- PJSIP/37302-00000015 answered PJSIP/37301-00000014

<— Transmitting SIP response (1038 bytes) to TLS:192.168.133.111:34631 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.133.111:34631;rport=34631;received=192.168.133.111;branch=z9hG4bKPj33b75acd-2a1a-4c41-a16a-84323a31a297;alias
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111;tag=088ca8c4-bd5f-432d-a662-743c080b8722
CSeq: 12896 INVITE
Server: Asterisk PBX certified/16.3-cert1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.133.111:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 352

v=0
o=- 3796021076 3796021078 IN IP4 192.168.133.111
s=Asterisk
c=IN IP4 192.168.133.111
t=0 0
m=audio 16064 RTP/SAVP 8 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:V/l3m09gw497k4j9GBW0dz+yJSq00uTtBvAb+8Ly
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

-- Channel PJSIP/37302-00000015 joined 'simple_bridge' basic-bridge <5ea5ac44-8e08-4798-acc7-1383c1891672>
-- Channel PJSIP/37301-00000014 joined 'simple_bridge' basic-bridge <5ea5ac44-8e08-4798-acc7-1383c1891672>

<— Received SIP request (452 bytes) from TLS:192.168.133.111:34631 —>
ACK sip:192.168.133.111:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.133.111:34631;rport;branch=z9hG4bKPjb5d07d1c-e65a-431d-98e0-fcc4f12ede19;alias
Max-Forwards: 70
From: “37301” sip:37301@192.168.133.111;tag=77db1242-0549-43fd-8d1b-b69152c2c956
To: sip:37302@192.168.133.111;tag=088ca8c4-bd5f-432d-a662-743c080b8722
Call-ID: 1189b97c-7449-40ab-8f4b-68bfdb6ac685
CSeq: 12896 ACK
User-Agent: Blink 3.2.1 (Linux)
Content-Length: 0

so i believe as it succeeded on blink it should have succeeded on linphone !
but it did not !
could it be because of old srtp version ?
THE INSTALLED SRTP : libsrtp0-dev is already the newest version (1.4.5~20130609~dfsg-2ubuntu1).
and should srtp be installed on linphone as well ?

traud · April 20, 2020, 11:20am

You can ignore that because it is not about sRTP but sRTCP, some statistics about the RTP channel. Or what (else) did say, you do not have SDES-sRTP?

If you want to tackle this as well, you have to upgrade to a newer libSRTP on your Ubuntu 16.04 LTS, or which Ubuntu is that exactly? Because Ubuntu 20.04 LTS comes with libSRTP 2.3 out of the box, I recommend to go for that. By the way, I do not recommend to go for a certified Asterisk except you have a contract with Sangoma / Digium. Asterisk 16.3 is quite old. Give the latest Asterisk 16 LTS a go… and Linphone 3.x is terrible old. What about a newer one?

sami-hep · April 20, 2020, 11:41am

Oh okay … then this warning or error has nothing to do with my media being encrypted right ? and if srtcp is not being encrypted or not protected would this affect rtp ?
If my media is being encrypted then that is what concerns me !
So is it being encrypted ?

Anw i am using ubuntu 18.04 … i might update it to 20 in order to benefit of its installed libsrtp version
Thanks a lot for the information about the asterisk version !

Thanks for the help i appreciate it

traud · April 21, 2020, 6:58am

Whether your media is encrypted, I cannot say for sure. For this, external security audits exists. However, from your logs I see nothing which states against that. Furthermore, until today, I never had any issues when RTCP was broken. Finally, your RTCP might be encrypted as well. The problem is, libSRTP had some bugs in its RTCP encryption which broke backward compatibility. That means, if you go for the same libSRTP variant, then both libSRTP speak the same, and this message should go away.

sami-hep · April 21, 2020, 7:02am

aha !
that looks great !
so is there a way to trace all of these packets to make sure it is being encrypted ?
by all packets i mean rtp and rtcp !

traud · April 21, 2020, 2:58pm

The easiest way is to install Wireshark or a similar tool on that computer and trace the network traffic. Alternatively, you go for a (Smart) Switch which allows Port Mirroring. Then, you can compare the size of the RTP packets. If they are bigger than normal, … another way is to look at the SDP you posted. The last SDP contains RTP/SAVP … a=crypto:1. You are set.

However, ‘encrypted’ does not mean secure. That Base64 you see in that SDP is the key to decrypt the sRTP traffic. That key requires a secure transport, like SIP-over-TLS. Looks good again. However, ‘TLS’ does not mean secure. While the TLS connection is setup, several things must be true (peer authenticated like certificate authority, hostname, and encrypted strong enough, like Cipher Suite, (EC)DH Group, …). This chain of security should be checked by an external security audit because so much can go wrong. For more in-depth details about all this, have a look at this recent study about SDES-sRTP implementations … there, the white paper might be interesting for you.

system · May 21, 2020, 2:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Srtcp unprotect ... is media safe? Asterisk SIP	2	444	May 21, 2020
Asterisk 1.18.32 <> no SRTP ! <> Linphone 3.8 Asterisk Support	8	2914	March 30, 2015
Media Encryption issue Asterisk SIP	9	724	May 7, 2020
Cannot get srtp to work Asterisk SIP	7	2837	June 23, 2023
Secure Calling TLS + SRTP Asterisk Support	3	354	May 20, 2015

Srtp error ON LINPHONE

Related topics