[Freeswitch-users] Linphone + Freeswitch + SRTP

Ken Rice krice at freeswitch.org
Wed Nov 4 18:48:26 MSK 2015


I’ll bet you are doing SIP over UDP instead of SIP/TLS. This will affect you in multiple ways:

1) Without SIP/TLS your SRTP keys are passed around in the clear, so you might as well not even be doing SRTP.

2) Without SIP/TLS (or SIP over TCP at least) your invites are exceeding MTU and being truncated. This is most likely why step 5 is failing.

 

From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Jurijs Ivolga
Sent: Wednesday, November 4, 2015 8:06 AM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: [Freeswitch-users] Linphone + Freeswitch + SRTP

 

Hi,

First of all, I'm sorry if this is not a really good place to ask, but I spotted very strange behavior using Linphone and Freeswitch.

I'm not sure that this is a 100% Freeswitch bug, but maybe you can point me in the proper direction.

Test environment:

Linphone =SRTP==> Freeswitch =SRTP==> 2nd Linphone

 

Linphone & 2nd Linphone are located behind NAT in the same private network.

 

1) This invite is sent from Linphone to Freeswitch:

I left only the SDP part where all ciphers are listed (I did the same for all other SIP packages).


a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2QEye591aHIqRwdLODMrr8ieQBBHl5WdIizE0NH2.
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:d6K8m+tGEMvkEbRm5Zzy6KQkrlwS78l7wGufgx8S.
a=crypto:3 AES_CM_256_HMAC_SHA1_80 inline:PMvGinW3fpIejXOWDskUNWUhBX1KRlhrPkbrP0Nv4L/+My1V7w2r/ALSyLhkPg==.
a=crypto:4 AES_CM_256_HMAC_SHA1_32 inline:ZsdwMe0D+RauGydaQ90qG7pfOvdW6m9cxjbBhJ5AUaNSTecse9Sk3lRzlgZuSA==.

2) Trying from Freeswitch

 

3) Freeswitch replies Proxy Authentication Required

4) ACK from Linphone

 

5) Linphone sends one more invite to Freeswitch:

a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2QEye591aHIqRwdLODMrr8ieQBBHl5WdIizE0NH2.
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:d6K8m+tGEMvkEbRm5Zzy6KQkrlwS

As we can see, this is something very strange, because Linphone's first invite sent 4 ciphers, but now it sends only 2, and it looks like the second one is missing something.

6) Trying from freeswitch

7) Invite sent from Freeswitch to 2nd Linphone

a=crypto:1 AEAD_AES_256_GCM_8 inline:jotCMStRYMvwWT18wMqmgwAu6mVBKaIkENGh8HLF0UYFEcwGnoQpM0m4juU.
a=crypto:2 AEAD_AES_128_G

And as we can see, in the Invite from Freeswitch to 2nd Linphone the ciphers are completely different from what Linphone sent in the second Invite. I think this is not a 100% Linphone bug. What do you think?

You can find the full SIP trace in the attachment; additionally, I will raise the same issue on the Linphone side.

With kind regards,

Jurijs
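
Added example, not part of the original thread and not FreeSWITCH or Linphone code: a check a defender could run over captured SIP messages to flag the conditions discussed above, SDES keys carried over a non-TLS transport, requests too large for UDP, and a=crypto lines whose key material is shorter than the suite requires (as in step 5). The function names, the constructed sample INVITE and its host name are assumptions; the 1300-byte figure is the RFC 3261 section 18.1.1 threshold.

```python
import base64
import re

# Master key + salt length in bytes per SDES suite (RFC 4568, 6188, 7714).
# Only suite names that appear complete in the thread are listed.
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
    "AES_CM_256_HMAC_SHA1_80": 46, "AES_CM_256_HMAC_SHA1_32": 46,
    "AEAD_AES_256_GCM_8": 44,
}
UDP_LIMIT = 1300  # RFC 3261 18.1.1: above this (path MTU unknown) use TCP/TLS
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+)(?: inline:([A-Za-z0-9+/=]*))?", re.M)

def audit_invite(message, transport):
    """Return a list of findings for one captured SIP message."""
    findings = []
    transport = transport.upper()
    offers = CRYPTO_RE.findall(message)
    size = len(message.encode())
    if offers and transport != "TLS":
        findings.append(f"SDES keys exposed: a=crypto sent over {transport}")
    if transport == "UDP" and size > UDP_LIMIT:
        findings.append(f"message is {size} bytes, over {UDP_LIMIT} for UDP")
    for tag, suite, b64 in offers:
        want = KEY_SALT_LEN.get(suite)
        if want is None:
            findings.append(f"crypto:{tag} unknown or truncated suite {suite}")
            continue
        # '=' padding is optional in practice, so count bytes from characters.
        got = len(b64.rstrip("=")) * 6 // 8
        if got != want:
            findings.append(
                f"crypto:{tag} {suite} key is {got} bytes, expected {want}")
    return findings

def sample_invite(truncated):
    """Constructed INVITE with dummy all-zero keys (not the thread's trace)."""
    k128 = base64.b64encode(bytes(30)).decode()
    k256 = base64.b64encode(bytes(46)).decode()
    msg = "\r\n".join([
        "INVITE sip:1001@pbx.example.invalid SIP/2.0",
        "Content-Type: application/sdp", "",
        "m=audio 7078 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{k128}",
        f"a=crypto:2 AES_CM_256_HMAC_SHA1_80 inline:{k256}"]) + "\r\n"
    # Cutting the tail mimics a datagram that lost the end of its SDP.
    return msg[:-30] if truncated else msg
```

Calling `audit_invite(sample_invite(True), "udp")` reports both the exposed keys and the short second key; the same message audited as `"tls"` reports only the short key.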

 

 
