[Freeswitch-users] SRTP

Rob Hutton justlikeef at gmail.com
Fri Jun 17 01:40:17 MSD 2011


I am trying to get encryption working from within Bluebox, in the most
"reasonably flexible" way possible. (So no, not the default dialplan, but I
missed the example so I will go back and look at it.)

So, one scenario I am thinking needs to be supported is where you have two 
devices that are registered to the same user, one encrypted and one not.  For 
instance, a phone and a remote ringer.

What I am looking for is the best way to stay as flexible as possible.  It may 
be a situation where you end up turning on encryption system wide if the 
devices support it, but that is overkill in a situation where there is a 
separate voice and data VLAN unless there is a need for that level of
security.

It may be a situation where I need to offer both options and write two 
dialplan entries in the situation where the admin wants to enable it device by
device.

BTW, I am also using my head to beat through getting TLS working on the front 
end.  I would REALLY appreciate another set of eyes if you have time.  

http://jira.freeswitch.org/browse/FS-3346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24719#action_24719

Thanks,
Rob

On Thursday 16 June 2011 14:01:41 Michael Collins wrote:
> Are you working off of the default.xml dialplan file? If so, it has an
> example condition already:
> 
> <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
>   <action application="set" data="sip_secure_media=true"/>
>   <!-- Offer SRTP on outbound legs if we have it on inbound. -->
>   <!-- <action application="export" data="sip_secure_media=true"/> -->
> </condition>
> 
> What exactly are you checking on in your scenario? Most likely there is an
> elegant way to do it. Give us the plain language description of the problem
> you're addressing and the community will no doubt have good suggestions for
> you.
> 
> -MC
> 
> On Thu, Jun 16, 2011 at 10:22 AM, Rob Hutton <justlikeef at gmail.com> wrote:
> > Steven -
> > 
> > Thanks for the help here...
> > 
> > So there would have to be two dialplan entries for this number to work
> > with either RTP or SRTP? (Maybe two devices registering to the same
> > user?)
> > 
> > Would it make more sense to do this in a more global manner higher up in
> > the dialplan in its own condition block?
> > 
> > On Thursday 16 June 2011 03:15:33 Steven Ayre wrote:
> > >  {ERR} mod_dialplan_xml.c:110 Nexted conditions are not allowed
> > > 
> > > That's because it shouldn't be nested. It's not missing a /, and the
> > > 1st should have the /. The extra indentation shouldn't be there on the
> > > 2nd.
> > > 
> > > It should look like this:
> > > 
> > > <extension name="incoming-fxs">
> > >      <condition field="destination_number" expression="^(202)$"/>
> > >      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
> > >           <action application="set" data="sip_secure_media=true"/>
> > >           <action application="bridge" data="openzap/1/1"/>
> > >      </condition>
> > > </extension>
> > > 
> > > The two conditions function as an AND, even though it's not nested. FS
> > > stops checking the extension as soon as it sees a condition that's
> > > false (at least by default and in the above case), so if the
> > > destination is not 202 it'll never get to the 2nd condition.
> > > 
> > > -Steve
> > > 
> > > On 16 June 2011 03:10, Rob Hutton <justlikeef at gmail.com> wrote:
> > > > I think I have TLS and SRTP working at this point, but in the docs it
> > > > says to use the following template for the dialplan:
> > > > 
> > > > http://wiki.freeswitch.org/wiki/Secure_RTP:
> > > >  <extension name="incoming-fxs">
> > > >  
> > > >    <condition field="destination_number" expression="^(202)$"/>
> > > >    
> > > >      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
> > > > 
> > > >      <action application="set" data="sip_secure_media=true"/>
> > > >      <action application="bridge" data="openzap/1/1"/>
> > > >    
> > > >    </condition>
> > > >  
> > > >  </extension
> > > > 
> > > > 1) There is a missing > at the end of the close extension tag.
> > > > 2) There is either a missing / at the end of the internal condition
> > > > line, or a missing condition close tag somewhere
> > > > 3) When I fix the internal condition, I get an error:
> > > > 
> > > > {ERR} mod_dialplan_xml.c:110 Nexted conditions are not allowed
> > > > 
> > > > All this, but a packet capture shows that SRTP is working based on
> > > > what I did on:
> > > > 
> > > > http://wiki.freeswitch.org/wiki/SIP_TLS
> > > > 
> > > > Can someone give me some guidance on the Secure_RTP page and I will
> > > > update whatever?
> > > > 
> > > > _______________________________________________
> > > > FreeSWITCH-users mailing list
> > > > FreeSWITCH-users at lists.freeswitch.org
> > > > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > > > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > > > http://www.freeswitch.org
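The condition handling Steven describes, as an added example that is not part of the original thread: a simplified Python model (not FreeSWITCH code) of how an extension's conditions are walked, run against the corrected wiki extension and against an assumed variant, modelled on the default.xml condition Michael quotes, that keeps the bridge outside the crypto condition. `run_extension`, `field_value`, `SPLIT_STYLE` and the sample calls are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CRYPTO = "^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$"

# The extension as corrected in the thread: bridge lives inside the crypto condition.
WIKI_STYLE = f"""
<extension name="incoming-fxs">
  <condition field="destination_number" expression="^(202)$"/>
  <condition field="${{sip_has_crypto}}" expression="{CRYPTO}" break="never">
    <action application="set" data="sip_secure_media=true"/>
    <action application="bridge" data="openzap/1/1"/>
  </condition>
</extension>"""

# Assumed variant: the crypto condition only sets the flag, the bridge is separate.
SPLIT_STYLE = f"""
<extension name="incoming-fxs">
  <condition field="${{sip_has_crypto}}" expression="{CRYPTO}" break="never">
    <action application="set" data="sip_secure_media=true"/>
  </condition>
  <condition field="destination_number" expression="^(202)$">
    <action application="bridge" data="openzap/1/1"/>
  </condition>
</extension>"""

def field_value(field, chan):
    """Expand ${var} from channel variables; a bare name is a call field."""
    m = re.fullmatch(r"\$\{(\w+)\}", field)
    return chan.get(m.group(1) if m else field, "")  # unset expands to ""

def run_extension(xml_text, chan):
    """Return the (application, data) actions queued for this call."""
    queued = []
    for cond in ET.fromstring(xml_text).findall("condition"):
        value = field_value(cond.get("field"), chan)
        matched = re.search(cond.get("expression"), value) is not None
        if matched:
            queued += [(a.get("application"), a.get("data"))
                       for a in cond.findall("action")]
        brk = cond.get("break", "on-false")  # on-false is the default
        if (brk == "always" or (brk == "on-false" and not matched)
                or (brk == "on-true" and matched)):
            break  # stop checking this extension
    return queued

# Constructed sample calls to 202: one offering SRTP crypto, one plain RTP.
SRTP_CALL = {"destination_number": "202", "sip_has_crypto": "AES_CM_128_HMAC_SHA1_80"}
RTP_CALL = {"destination_number": "202"}
```

With the wiki-style extension a caller that offers no crypto queues no actions and is never bridged by it, while the split variant bridges both kinds of call and sets `sip_secure_media` only when crypto was offered.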