Tlsv1 alert decrypt error

Working with endpoints behind a NAT this error appears and the client connection becomes unavailable at the same time, the call drops, and then the client reconnects. Using Asterisk 13.24.1 with libsrtp-1.5.4-3 on CentOS 6 and pjsip version 2.8 which is pulled down with 13.24.1. The pjproject files are pulled down on a separate machine and copied to the local /tmp/ directory for use during compiling of Asterisk.
./configure --with-externals-cache=/tmp --libdir=/usr/lib64 --with-pjproject-bundled
These are SIP-TLS endpoints using SDES as media encryption method

While the endpoint is within a call or while the endpoint is (just) registered? In the latter case, the NAT must be kept alive, otherwise your router discards the NAT after its timeout period for TCP connections. One approach is to let the endpoints re-register sooner. Other approaches can be found by searching for keep_alive_interval. That is a parameter name in the configuration file pjsip.conf. If you are in control of the NAT, you can change its TCP timeout (or replace the router completely). However, if you are about in-call drops, you face a different issue.

These are in-call drops. We are not able to duplicate the issue in our lab. We see it, in the logs, as a decrypt error and the call drops. A packet capture shows what appears to be a complete conversation as far as TLS is concerned. Any ideas on where to start looking?

Mhm. If this happen in-call, it might be related to TLS or SDES-sRTP. If there are no warnings or errors in the log of Asterisk, the remote party might face a software bug, too. Anyway, you state you see a log entry. Please, post that word for word, even it’s punctation.

[Nov 17 16:43:55] VERBOSE[27730][C-00005287] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[Nov 17 16:43:55] WARNING[3826] pjproject: SSL SSL_ERROR_SSL (Read): Level: 0 err: <336151579> len: 32000
[Nov 17 16:43:55] VERBOSE[27718][C-00005285] app_macro.c: Spawn extension (macro-dynamic-route, s-pjsip_call, 8) exited non-zero on ‘PJSIP/1009-0000a4ed’ in macro ‘dynamic-route’
[Nov 17 16:43:55] VERBOSE[27718][C-00005285] pbx.c: Spawn extension (caller, 811111111111, 4) exited non-zero on ‘PJSIP/1009-0000a4ed’
[Nov 17 16:43:55] VERBOSE[27718][C-00005285] pbx.c: Executing [h@caller:1] Set(“PJSIP/1009-0000a4ed”, “all=ssrc=386511283;themssrc=2436978219;lp=0;rxjitter=0.000000;rxcount=1149;txjitter=0.001448;txcount=114
8;rlp=0;rtt=0.000000”) in new stack
[Nov 17 16:43:55] VERBOSE[5503] res_pjsip_registrar.c: Removed contact ‘sip:1009@;transport=TLS;rinstance=6c540275317583eb’ from AOR ‘1009’ due to transport shutdown

Mhm. Looks like the other party simply crashed.

  1. Which version of libSRTP do you use?
  2. Your remote party, what product/firmware is that exactly?

libsrtp-1.5.4-3.el6.x86_64 and CounterPath SDK 1.1
We have implementations of CounterPath SDK 1.5 that produce the same errors / call drops

  1. In your CounterPath based app, do you see any crash or error?
  2. Are you able to test libSRTP 1.6 and/or libSRTP 2.x?
  3. I guess you are using the current, latest Asterisk 13 LTS now one year later.