[Freeswitch-users] Anyone got ZRTP MiTM working?

Peter Villeneuve petervnv1 at gmail.com
Thu Apr 10 21:53:26 MSD 2014


I did as you said Brian. I think I've given the script plenty of time. When
I call 9787 I do get the zrtp is secure message and I see the SAS displayed
on my CSipSimple endpoint.
However, the detection in the dialplan doesn't seem to work since it always
evals as not secure.

-- ZRTP Enrollment Agent
session:setVariable("zrtp_secure_media", "true");
session:setVariable("zrtp_enrollment", "true");
session:sleep(600);
session:answer();
session:streamFile("zrtp/zrtp-status_securing.wav");
session:sleep(5000);
-- Give the agent time to bring up ZRTP.


Despite the fact that I do see the SAS, I also see this error message in
the logs
[ERR] switch_rtp.c:4987 Error: zRTP protection drop with code 9

This seems to be related to this jira bug
http://jira.freeswitch.org/browse/FS-509




On Wed, Apr 9, 2014 at 8:25 PM, Brian West <brian at freeswitch.org> wrote:

> Sleep longer in the lua script
>
> Sent from my iPhone
>
> On Apr 9, 2014, at 1:48 PM, Peter Villeneuve <petervnv1 at gmail.com> wrote:
>
> Thanks guys. It was indeed a silly mistake.
> Recompiling latest master from git with the ZRTP flag now works.
>
> I see ZRTP being established correctly but I still can't get FS to confirm
> that the call is secure in the dialplan.
> I think the issue may lie with the correct wording of
> the ${zrtp_secure_media_confirmed}
>
> Here's what the logs show (note that zrtp is indeed active as I can see
> the SAS in both Jitsi and CSipSimple)
>
> parsing [features->is_zrtp_secure] continue=true
> Dialplan: sofia/internal/1010 at my.domain.com Regex (FAIL) [is_zrtp_secure] ${zrtp_secure_media_confirmed}() =~ /^true$/ break=on-false
> Dialplan: sofia/internal/1010 at my.domain.com ANTI-Action eval(not_secure)
> EXECUTE sofia/internal/1010 at my.domain.com eval(not_secure)
> 2014-04-09 18:33:10.872707 [NOTICE] switch_core_session.c:2953 Execute eval(not_secure)
> EXECUTE sofia/internal/1010 at my.domain.com eval(not_secure)
>
>
> I've tried playing with the wording of the ${zrtp_secure_media_confirmed}
> since I recall a similar problem with SRTP and some recent code changes in
> FS (I added audio to the name of the variable)
> Unfortunately none of the 2 options I tried made any difference.
>
> <extension name="is_zrtp_secure" continue="true">
>   <condition field="${zrtp_secure_media_confirmed}" expression="^true$">
>   <!-- <condition field="${zrtp_secure_media_confirmed_audio}" expression="^true$"> -->
>     <action application="sleep" data="1000"/>
>     <action application="playback" data="misc/call_secured.wav"/>
>     <anti-action application="eval" data="not_secure"/>
>   </condition>
> </extension>
>
> Any clues as to what's wrong?
>
>
> Thanks,
>
> Peter
>
>
> On Tue, Apr 8, 2014 at 2:04 PM, Steven Ayre <steveayre at gmail.com> wrote:
>
>> Just rebuild and install as normal, it'll be an upgrade. Your config
>> files should be preserved, but back them up just in case.
>>
>>
>>
>> On Tuesday, April 8, 2014, Peter Villeneuve <petervnv1 at gmail.com> wrote:
>>
>>> I can't believe how stupid I am. Now that you mention it I'm no longer
>>> sure I did compile it explicitly with the --enable-zrtp flag.
>>> I guess that would explain it. Sorry for wasting your time with such a
>>> silly mistake.
>>>
>>> Guess I need to start over. Is there a make uninstall or is there a
>>> recommended way to remove FS?
>>>
>>>
>>> On Mon, Apr 7, 2014 at 10:55 PM, Brian West <brian at freeswitch.org> wrote:
>>>
>>>> You compiled with --enable-zrtp?  And you see the ZRTP activity in
>>>> the logs when making calls?
>>>> --
>>>> Brian West
>>>> brian at freeswitch.org
>>>> FreeSWITCH Solutions, LLC
>>>> PO BOX 2531
>>>> Brookfield, WI 53008-2531
>>>> Twitter: @FreeSWITCH , @briankwest
>>>> http://www.freeswitchbook.com
>>>> http://www.freeswitchcookbook.com
>>>>
>>>> T: +1.918.420.9001  |  F: +1.918.420.9002  |  M: +1.918.424.WEST
>>>> iNUM: +883 5100 1420 9001
>>>> ISN: 410*543
>>>> Skype:briankwest
>>>> PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)
>>>>
>>>> On Apr 7, 2014, at 4:49 PM, Peter Villeneuve <petervnv1 at gmail.com>
>>>> wrote:
>>>>
>>>> > Thanks for helping out Brian.
>>>> >
>>>> > The problem I have is that FS doesn't seem to recognize the client
>>>> has ZRTP when I dial 9787 (CSipSimple in this case with ZRTP enabled).
>>>> > I hear the nice lady tell me that my endpoint doesn't have ZRTP but I
>>>> see in the FS logs that it correctly sees the ZRTP hash.
>>>> >
>>>> > I've disabled zrtp passthrough in the sip profile and still FS
>>>> doesn't seem to detect the client has ZRTP and enroll it.
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>
>
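
Added example, not part of the original thread and not FreeSWITCH code: in the dialplan trace quoted above, the parentheses after the condition field hold the value the field expanded to, so `${zrtp_secure_media_confirmed}()` means the variable was empty when the condition ran. This Python script scans such a trace for empty-variable failures and for the zRTP drop error; the sample log is constructed from the lines in the thread plus one constructed PASS line, and `analyze` is a hypothetical helper name.

```python
import re

# Constructed sample: the trace and error quoted in the thread, with e-mail
# line wrapping undone and the archive's " at " restored to "@", plus one
# constructed PASS line for contrast.
SAMPLE_LOG = """\
Dialplan: sofia/internal/1010@my.domain.com Regex (PASS) [zrtp_enroll] destination_number(9787) =~ /^9787$/ break=on-false
Dialplan: sofia/internal/1010@my.domain.com Regex (FAIL) [is_zrtp_secure] ${zrtp_secure_media_confirmed}() =~ /^true$/ break=on-false
Dialplan: sofia/internal/1010@my.domain.com ANTI-Action eval(not_secure)
[ERR] switch_rtp.c:4987 Error: zRTP protection drop with code 9
"""

# "Regex (RESULT) [extension] field(expanded value) =~ /pattern/ break=..."
COND = re.compile(
    r"Regex \((PASS|FAIL)\) \[([^\]]+)\] (.+?)\((.*?)\) =~ /(.*)/ break=(\S+)"
)
DROP = re.compile(r"zRTP protection drop with code (\d+)")


def analyze(log_text):
    """Return a list of (kind, extension, detail) findings from a debug log."""
    findings = []
    for line in log_text.splitlines():
        m = COND.search(line)
        if m:
            result, ext, field, value, pattern, _brk = m.groups()
            if result == "FAIL" and field.startswith("${") and value == "":
                # The channel variable was unset (or empty) at evaluation time.
                findings.append(("unset-variable", ext, field))
            elif result == "FAIL":
                findings.append(("no-match", ext, f"{field}={value!r} vs /{pattern}/"))
            continue
        m = DROP.search(line)
        if m:
            # Report the numeric drop code exactly as logged.
            findings.append(("zrtp-drop", None, int(m.group(1))))
    return findings


if __name__ == "__main__":
    for kind, ext, detail in analyze(SAMPLE_LOG):
        print(kind, ext, detail)
```
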