<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>We were never able to get Trusted MITM working, but ZRTP can work in proxy-media mode as long as your client sends the zrtp-hash attribute in its SDP. When Freeswitch sees the zrtp-hash attribute it enables logic to pass the zrtp packets through unmolested (using the same SSRC for each call leg).</div><div><br></div><div>As Mehroz noted in his original question, Linphone does not currently support zrtp-hash so this can't work. However, Mehroz, if you look in the Feb 2013 archives of the linphone-developers mailing list you can find a patch that adds zrtp-hash support to Linphone. It was recently rejected because it causes side-effects when video is enabled, but you can test it out and see if it fixes your problem. </div><div><br></div><div>-Eli</div><br><div><div>On Apr 9, 2013, at 12:01 PM, <a href="mailto:freeswitch-users-request@lists.freeswitch.org">freeswitch-users-request@lists.freeswitch.org</a> wrote:</div><br></div><div><blockquote type="cite"><div style="margin: 0px; "><span style="color: rgb(127, 127, 127); "><b>From: </b></span>Steven Ayre <<a href="mailto:steveayre@gmail.com">steveayre@gmail.com</a>><br></div><div style="margin: 0px; "><span style="color: rgb(127, 127, 127); "><b>Subject: </b></span><b>Re: [Freeswitch-users] problems with freeswitch + zrtp in proxy-media mode</b><br></div><div style="margin: 0px; "><span style="color: rgb(127, 127, 127); "><b>Date: </b></span>April 9, 2013 12:00:21 PM EDT<br></div><div style="margin: 0px; "><span style="color: rgb(127, 127, 127); "><b>To: </b></span>FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.freeswitch.org</a>><br></div><div style="margin: 0px; "><span style="color: rgb(127, 127, 127); "><b>Reply-To: </b></span>FreeSWITCH Users Help <<a 
href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.freeswitch.org</a>><br></div><br><br><div dir="ltr"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; "><span style="font-family: arial, sans-serif; font-size: 13px; ">There is a way to do Trusted MITM I believe there is a setting for that</span></blockquote><div> </div><div class="" style="font-family: arial, sans-serif; font-size: 13px; "></div>&lt;action application="set" data="zrtp_enrollment=true"/&gt;<br><div class="gmail_extra"><br><br><div class="gmail_quote">On 9 April 2013 16:11, Ken Rice <span dir="ltr"><<a href="mailto:krice@freeswitch.org" target="_blank">krice@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; ">Also, keep in mind that FS in a mode other than proxy or bypass media, when<br>you have a ZRTP call is kind of pointless, that leads to a vector for a man<br>in the middle attack which is also the reason the SASs don't match is you<br>have 2 different ZRTP legs with FS in the middle decrypting and<br>re-encrypting the conversation...<br><br>There is a way to do Trusted MITM I believe there is a setting for that<br><div class="HOEnZb"><div class="h5"><br><br>On 4/9/13 4:57 AM, "mehroz" <<a href="mailto:mehroz.ashraf85@gmail.com">mehroz.ashraf85@gmail.com</a>> wrote:<br><br>> Any luck with this issue?<br>><br>> I am having the same configurations, FS acting as normal mode i.e. bypass and<br>> proxy on default(commented)<br>><br>> Clients are Linphone, and SAS does not match......<br>><br>> Over jitsi ... 
SAS are identical ONLY IF<br>><br>> IF linphone does not support "zrtp-hash" attribute in SIP/SDP, what is the<br>> next possible solution?</div></div></blockquote></div></div></div></blockquote></div></body></html>