Unsupported crypto suite AES WARNING

We are using Asterisk with sdes media_encryption.
It works fine on Asterisk 18.5.1. But some warnings displays since I installed 18.7.1.

<--- Received SIP request (2399 bytes) from TLS:118.238.222.5:57529 --->
INVITE sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.0.4:53420;branch=z9hG4bK-524287-1---febf2ea56b5461b2;rport
Max-Forwards: 70
Contact: <sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx;transport=TLS>
To: <sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx:19240>
From: <sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx;transport=TLS>;tag=6a21e147
Call-ID: xxxxxx..
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
User-Agent: Z 5.4.12 v2.10.13.2
Authorization: xxxxxxxxxxxxxx
Allow-Events: presence, kpml, talk
Content-Length: 1363

v=0
o=Z 1636003204853 1 IN IP4 192.168.0.4
s=Z
c=IN IP4 192.168.0.4
t=0 0
m=audio 8000 RTP/SAVP 106 9 98 101 0 8 18 3
a=rtpmap:106 opus/48000/2
a=fmtp:106 sprop-maxcapturerate=16000; minptime=20; useinbandfec=1
a=rtpmap:98 telephone-event/48000
a=fmtp:98 0-16
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=sendrecv
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
a=crypto:9 AES_CM_256_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
a=crypto:10 AES_CM_256_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
a=crypto:7 AES_CM_192_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
a=crypto:8 AES_CM_192_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+

<--- Transmitting SIP response (373 bytes) to TLS:xxxxxxx:xxxxx --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS xxxxxxx:53420;rport=57529;received=xxxxxxxx;branch=z9hG4bK-524287-1---febf2ea56b5461b2
Call-ID: EnKrCsFojJ0GFy1fN1KOyg..
From: <sip:sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx>;tag=6a21e147
To: <sip:sip:xxxxxxxxxxx@xxxxxxxxxxxxxx:xxxxx>
CSeq: 2 INVITE
Server: Asterisk PBX 18.8.0
Content-Length:  0


 Unsupported crypto suite: AES_256_CM_HMAC_SHA1_80
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 5 AES_256_CM_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
 Unsupported crypto suite: AES_256_CM_HMAC_SHA1_32
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 6 AES_256_CM_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
 Unsupported crypto suite: AES_CM_256_HMAC_SHA1_80
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 9 AES_CM_256_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
 Unsupported crypto suite: AES_CM_256_HMAC_SHA1_32
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 10 AES_CM_256_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnFzpqv85MiVPg==
 Unsupported crypto suite: AES_192_CM_HMAC_SHA1_80
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 3 AES_192_CM_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
 Unsupported crypto suite: AES_192_CM_HMAC_SHA1_32
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 4 AES_192_CM_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
 Unsupported crypto suite: AES_CM_192_HMAC_SHA1_80
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 7 AES_CM_192_HMAC_SHA1_80 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=
 Unsupported crypto suite: AES_CM_192_HMAC_SHA1_32
[2021-11-04 14:20:04] WARNING[20671]: res_pjsip_sdp_rtp.c:1147 setup_sdes_srtp: Ignoring crypto offer with unsupported parameters: 8 AES_CM_192_HMAC_SHA1_32 inline:bQegyhsedEqflMBCw5A8a1NFEFTZfmJyp48pgNt+yGY4VzOpZnE=

I understand this is the problem of the below changes but I can’t find how to fix this issue(how to install unsupported crypto suite)
https://gerrit.asterisk.org/c/asterisk/+/16438

I use AmazonLinux2(aarch64) and I already installed libsrtp.
Can you tell me how to install the crypto suite or remove this warnings

Although it is classified as warning, it is nothing you have to respond to. Simply ignore those log messages. I filed an issue report to lower the severity of that: ASTERISK-29785.

Anyway, to answer your question: The related issue was ASTERISK-29625. In that issue, the causing issue is ASTERISK-26190. More details in this post … Consequently, you could re-configure Asterisk to get rid of those.

However, that does not remove the message for AES-192 either. And I do not recommend to enable AES-192 for egress (especially because your libSRTP seems not enabled with OpenSSL as crypto backend). Therefore, the easiest way is to reverse that change:

cd <in your Asterisk source tree>
wget https://gerrit.asterisk.org/changes/asterisk~16436/revisions/2/patch?zip
unzip ./c1a5759.diff.zip
patch -p1 --reverse <./c1a5759.diff
make

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.