SRTP Failing

Running Asterisk (Ver. 10.12.1) with FreePBX 2.10.1.9. Receiving the following when trying an extension-to-extension call with SRTP. No TLS involved.

[2013-04-23 11:13:07] VERBOSE[10256] netsock2.c: == Using SIP RTP TOS bits 184
[2013-04-23 11:13:07] VERBOSE[10256] netsock2.c: == Using SIP RTP CoS mark 5
[2013-04-23 11:13:07] WARNING[10256] sip/sdp_crypto.c: Could not set SRTP policies
[2013-04-23 11:13:07] WARNING[10256] chan_sip.c: Rejecting secure audio stream without encryption details: audio 2222 RTP/SAVP 0 8 18 101

I’ve tried several different SRTP settings on the Polycom 601s for this call scenario without any luck.

Any suggestions would be appreciated. Thanks

SRTP requires SIP over TLS.

So Asterisk requires implementing SRTP with TLS? It won’t allow a non-TLS call with SRTP to be processed?

It requires a TLS SIP exchange to provide a secure channel over which to exchange the keys for the SRTP symmetric encryption.

Are there any known issues with using Ver. 10.12.1? I’ve been tinkering with this for several days and cannot make any progress. Seeing errors like this when registering an endpoint supporting TLS/SRTP. Been through all the forums/wikis/guides etc.

[2013-04-24 17:38:52] VERBOSE[27327] tcptls.c: SSL certificate ok
[2013-04-24 17:38:52] VERBOSE[27327] tcptls.c: == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[2013-04-24 17:38:52] WARNING[27327] tcptls.c: FILE * open failed!

Then I receive SRTP errors when trying to set up a call.

[2013-04-24 17:45:52] VERBOSE[29493] netsock2.c: == Using SIP RTP TOS bits 184
[2013-04-24 17:45:52] VERBOSE[29493] netsock2.c: == Using SIP RTP CoS mark 5
[2013-04-24 17:45:52] WARNING[29493] sip/sdp_crypto.c: Could not set SRTP policies
[2013-04-24 17:45:52] WARNING[29493] sip/sdp_crypto.c: Could not set SRTP policies
[2013-04-24 17:45:52] WARNING[29493] chan_sip.c: Rejecting secure audio stream without encryption details: audio 50000 RTP/SAVP 9 104 103 102 0 8 101
[2013-04-24 17:45:54] VERBOSE[13770] tcptls.c: SSL certificate ok
[2013-04-24 17:45:54] VERBOSE[13770] tcptls.c: == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[2013-04-24 17:45:54] WARNING[13770] tcptls.c: FILE * open failed!
[2013-04-24 17:46:08] VERBOSE[14432] tcptls.c: SSL certificate ok
[2013-04-24 17:46:08] VERBOSE[14432] tcptls.c: == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[2013-04-24 17:46:08] WARNING[14432] tcptls.c: FILE * open failed!

As there is a 10.12.2, there obviously are known issues. As it is past end of life, there may well be further issues that haven’t formally been recorded, because they will never be addressed.

I think you can assume that SIP over TLS works for most people.

The error seems to be a fairly common, and rather generic, OpenSSL error.

Thanks,
I’m now using 1.8.18.0. I’ve successfully registered via TLS. When I make a call from the endpoint, Asterisk core dumps.

[2013-04-26 10:52:10] VERBOSE[31107] netsock2.c: == Using SIP RTP TOS bits 184
[2013-04-26 10:52:10] VERBOSE[31107] netsock2.c: == Using SIP RTP CoS mark 5
/usr/sbin/safe_asterisk: line 145: 31002 Segmentation fault (core dumped) nice -n $PRIORITY ${ASTSBINDIR}/asterisk -f ${CLIARGS} ${ASTARGS} > /dev/${TTY} 2>&1 < /dev/${TTY}
Asterisk ended with exit status 139
Automatically restarting Asterisk.

Also verified the core dump happens with or without SRTP (encryption=yes/no) enabled on the extension.

wiki.asterisk.org/wiki/display/ … +Backtrace

(Although you can assume it doesn’t crash for the vast majority of people.)
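
Added example, not part of the thread and not Asterisk's code: with SDES key exchange (RFC 4568) the SRTP master key travels in an a=crypto line of the SDP body, which is why the replies tie SRTP to SIP over TLS. The sketch below audits an SDP body for an RTP/SAVP media line with no usable a=crypto attribute (the condition the chan_sip.c warning names) and for a key carried over a non-TLS transport; the function names and sample SDP are assumptions made for illustration.

```python
import base64
import binascii
import re

# RFC 4568: a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:([A-Za-z0-9+/=]+)")
# Master key + salt length in bytes for the two AES-CM-128 suites
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

def usable_crypto(line):
    """True if an a=crypto line names a known suite with a correctly sized key."""
    m = CRYPTO_RE.match(line)
    if not m or m.group(1) not in KEY_SALT_LEN:
        return False
    try:
        key = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    return len(key) == KEY_SALT_LEN[m.group(1)]

def audit_sdp(sdp, transport):
    """Return findings for every RTP/SAVP media section in an SDP body."""
    sections = []  # (m-line fields, a=crypto lines seen under that m-line)
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            sections.append((line[2:].split(), []))
        elif line.startswith("a=crypto:") and sections:
            sections[-1][1].append(line)
    findings = []
    for fields, cryptos in sections:
        if len(fields) < 3 or fields[2] != "RTP/SAVP":
            continue  # plain RTP or malformed m-line: nothing to audit here
        where = f"{fields[0]} {fields[1]}"
        if not any(usable_crypto(c) for c in cryptos):
            findings.append(f"{where}: RTP/SAVP offered without usable a=crypto")
        elif transport.upper() != "TLS":
            findings.append(f"{where}: SRTP key sent in cleartext over {transport}")
    return findings

# Constructed sample input: port and payload list taken from the first log
# excerpt, addresses from the documentation range, key is a dummy 30-byte value.
KEY = base64.b64encode(bytes(range(30))).decode()
SDP_NO_KEY = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
              "t=0 0\r\nm=audio 2222 RTP/SAVP 0 8 18 101\r\n")
SDP_WITH_KEY = SDP_NO_KEY + f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n"

if __name__ == "__main__":
    for sdp, transport in [(SDP_NO_KEY, "UDP"), (SDP_WITH_KEY, "UDP"), (SDP_WITH_KEY, "TLS")]:
        print(transport, audit_sdp(sdp, transport) or "ok")
```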