TLS works SRTP doesn't

Asterisk Asterisk Support
1

I’ve built a new Ubuntu 10.10 box with Asterisk 1.8.3.2 and FreePBX 2.9.0rc2. Everything works fine with the exception of SRTP.

I’m using Media 5 fone on iPhone/iPad. TLS works fine but I get the following at the CLI prompt

.[Apr 6 16:11:49] NOTICE[2222]: sip/sdp_crypto.c:251 sdp_crypto_process: Crypto life time unsupported: crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZqFR49q8cqum14y5bbvmo/VSm+UBtqSwug9cvGbg|1:1
[Apr 6 16:11:49] NOTICE[2222]: sip/sdp_crypto.c:261 sdp_crypto_process: SRTP crypto offer not acceptable
[Apr 6 16:11:49] WARNING[2222]: chan_sip.c:8412 process_sdp: Can’t provide secure audio requested in SDP offer
– Registered SIP ‘4003’ at 192.168.1.3:5065

I’ve spent better part of a day reading previous posts about this very issue, some date back years. Asterisk 1.8 is listed as having SRTP native. Media 5 advertises interoperability with Asterisk in TLS/SRTP. As I said, TLS works just fine. Some help here would be very welcome. I know I’m not the only one that that want’s to use my iPhone with Asterisk SRTP.

In layman’s terms, what exactly is happening? It looks like Asterisk is still not negotiating the Crypto suite correctly. Is that it? If so, what’s the work around?

2

Looks like Asterisk thinks that the MKI they provide is being provided as the lifetime parameter. Dunno why.

Just because Media 5 advertises it, doesn’t mean it’s so; also doesn’t mean that we know anything about it. :frowning:

3

This will fix it for you. Probably it is not a very good idea, but it works.

It looks like sdp_crypto is failing if there are any attributes after the inline:

*** channels/sip/sdp_crypto.c.ori       2011-05-14 19:07:52.000000000 +0200
--- channels/sip/sdp_crypto.c   2011-05-14 17:48:49.000000000 +0200
***************
*** 248,255 ****
                        lifetime = strsep(&info, "|");
  
                        if (lifetime) {
!                               ast_log(LOG_NOTICE, "Crypto life time unsupported: %s\n", attr);
!                               continue;
                        }
  
                        found = 1;
--- 248,255 ----
                        lifetime = strsep(&info, "|");
  
                        if (lifetime) {
!                               ast_log(LOG_NOTICE, "Crypto life time unsupported: %s. Ignoring.\n", attr);
!                               // continue;
                        }
  
                        found = 1;
4

Maybe it’s not a great idea, but it’s a passable workaround for the current case.

Please open an issue on the issue tracker and attach a patch:

issues.asterisk.org

5

You can work around this issue with the patch attached to this issue: issues.asterisk.org/view.php?id=19339

You can also refer to mail-archive.com/asterisk-de … 48474.html

6

when i try to connect from eyebeam softphone, it looks to register well ,but if i try to call sonewhere asteris generates following message:

Code: Select all
[Feb 16 22:49:09] WARNING[3779]: sip/sdp_crypto.c:226 sdp_crypto_process: Unsupported crypto parameters: [Feb 16 22:49:09] WARNING[3779]: chan_sip.c:9398 process_sdp: Can’t provide secure audio requested in SDP offer

Help me plz!
Thanks all!

Ronaldo.

7

Pedro’s patch still works great, even in Asterisk 11 and Asterisk 12. Doesn’t it work for you?

For the original poster: Now the meantime, Media5-fone allows to turn MKI off via Menu » More » Settings » Configure SIP Accounts » your Asterisk Account » Servers » MKI » Off.

KeyTone Pro is another VoIP client specifying an MKI, which we can’t turn-off.