<div dir="ltr"><div><div><div><div><div><div><div><div>Hi,<br><br></div>Maybe you can let me know how I can turn on SRTP using the default config?<br><br></div>I have the following lines in the default conf/dialplan/default.xml:<br><br><condition field="${rtp_has_crypto}" expression="^($${rtp_sdes_suites})$" break="never"><br> <action application="set" data="rtp_secure_media=true"/><br> <!-- Offer SRTP on outbound legs if we have it on inbound. --><br> <!-- <action application="export" data="rtp_secure_media=true"/> --><br> </condition><br><br> <!--<br> Since we have inbound-late-negotation on by default now the<br> above behavior isn't the same so you have to do one extra step.<br> --><br> <condition field="${endpoint_disposition}" expression="^(DELAYED NEGOTIATION)"/><br> <condition field="${switch_r_sdp}" expression="(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)" break="never"><br> <action application="set" data="rtp_secure_media=true"/><br> <!-- Offer SRTP on outbound legs if we have it on inbound. --><br> <!-- <action application="export" data="rtp_secure_media=true"/> --><br> </condition><br><br></div>If I change them to:<br><br><condition field="${rtp_has_crypto}" expression="^($${rtp_sdes_suites})$" break="never"><br> <action application="set" data="rtp_secure_media=true"/><br> <!-- Offer SRTP on outbound legs if we have it on inbound. --><br> <action application="export" data="rtp_secure_media=true"/><br> </condition><br><br> <!--<br> Since we have inbound-late-negotation on by default now the<br> above behavior isn't the same so you have to do one extra step.<br> --><br> <condition field="${endpoint_disposition}" expression="^(DELAYED NEGOTIATION)"/><br> <condition field="${switch_r_sdp}" expression="(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)" break="never"><br> <action application="set" data="rtp_secure_media=true"/><br> <!-- Offer SRTP on outbound legs if we have it on inbound. 
--><br> <action application="export" data="rtp_secure_media=true"/><br> </condition><br><br></div>Then when I make a call there is an issue with the cipher:<br><br>show channels<br>uuid,direction,created,created_epoch,name,state,cid_name,cid_num,ip_addr,dest,application,application_data,dialplan,context,read_codec,read_rate,read_bit_rate,write_codec,write_rate,write_bit_rate,secure,hostname,presence_id,presence_data,callstate,callee_name,callee_num,callee_direction,call_uuid,sent_callee_name,sent_callee_num,initial_cid_name,initial_cid_num,initial_ip_addr,initial_dest,initial_dialplan,initial_context<br>81a423fc-41c8-11e5-ac4e-1b8671775759,inbound,2015-08-13 10:35:13,1439476513,sofia/internal/1001@myserverip,CS_EXECUTE,1001,1001,mylocalip,1000,bridge,user/1000@myserverip,XML,default,opus,48000,0,opus,48000,0,srtp:sdes:<b>AES_CM_128_HMAC_SHA1_80</b>,Freeswitch1Dev,1001@myserverip,,ACTIVE,Outbound Call,1000,SEND,81a423fc-41c8-11e5-ac4e-1b8671775759,Outbound Call,1000,1001,1001,mylocalip,1000,XML,default<br>81cbe932-41c8-11e5-ac73-1b8671775759,outbound,2015-08-13 10:35:13,1439476513,sofia/internal/1000@mylocalip:39626,CS_EXCHANGE_MEDIA,Extension 1001,1001,mylocalip,1000,,,XML,default,opus,48000,0,opus,48000,0,srtp:sdes:<b>AES_CM_256_HMAC_SHA1_80</b>,Freeswitch1Dev,1000@myserverip,,ACTIVE,Outbound Call,1000,SEND,81a423fc-41c8-11e5-ac4e-1b8671775759,Extension 1001,1001,Extension 1001,1001,mylocalip,1000,XML,default<br><br><br></div>As you can see, the AES_CM_128_HMAC_SHA1_80 cipher is used for the inbound call and AES_CM_256_HMAC_SHA1_80 is used for the outbound.<br><br></div>Any ideas?<br><br></div>With kind regards,<br><br></div>Jurijs<br><div><div><div><div><div><div><div><div><div><div><br></div></div></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-08-13 17:26 GMT+03:00 Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>></span>:<br><blockquote class="gmail_quote" 
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You will have to look at the full negotiation of that leg and a debug log to see what's going on.<br><br>On Thursday, August 13, 2015, Jurijs Ivolga <<a href="mailto:jurij.ivo@gmail.com" target="_blank">jurij.ivo@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div>Hi,<br><br></div>I'm struggling with quite a simple issue. I need to enable SRTP on the outbound leg. The call hits FreeSWITCH as SRTP but it leaves as regular RTP. I do not use TLS and I don't need it (yes, I know that SRTP keys are sent as plain text in this case).<br><br></div>I tried to add the following code to my dialplan, but it does not help:<br><br><pre><condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
<action application="set" data="sip_secure_media=true"/>
<action application="export" data="sip_secure_media=true"/>
</condition></pre>I also tried to add the following line to vars.xml:<br><br><X-PRE-PROCESS cmd="set" data="rtp_secure_media_inbound=mandatory"/><br><br></div>But still without success.<br><br></div>Maybe somebody can give me a hint?<br><br></div>Thank you!<br><br></div>With kind regards,<br><br></div>Jurijs<br></div>
</blockquote>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
</blockquote></div><br></div>
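The check done by eye on the `show channels` output above can be scripted. The following is an added example, not part of the original thread or of FreeSWITCH itself: it groups legs by `call_uuid`, reads the `secure` column in the `srtp:sdes:<suite>` form shown in the output above, and reports legs that are plain RTP or that negotiated a different suite than their peer. The sample rows are constructed and reduced to the columns the script uses.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of `show channels` output, reduced to the
# columns used here; UUIDs, names and addresses are made up for illustration.
SAMPLE = """\
uuid,direction,name,secure,call_uuid
aaaa-1,inbound,sofia/internal/1001@pbx.example,srtp:sdes:AES_CM_128_HMAC_SHA1_80,aaaa-1
aaaa-2,outbound,sofia/internal/1000@192.0.2.10,srtp:sdes:AES_CM_256_HMAC_SHA1_80,aaaa-1
bbbb-1,inbound,sofia/internal/1002@pbx.example,srtp:sdes:AES_CM_128_HMAC_SHA1_80,bbbb-1
bbbb-2,outbound,sofia/internal/1003@192.0.2.11,,bbbb-1
"""

def parse_secure(value):
    """Split 'srtp:sdes:SUITE' into (keying, suite); anything else is plain RTP."""
    parts = value.strip().split(":")
    if len(parts) == 3 and parts[0] == "srtp":
        return parts[1], parts[2]
    return None, None

def audit_channels(text):
    """Return {call_uuid: [issue, ...]} for every call in the CSV text."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # Short rows (e.g. a trailing "2 total." line) have no direction.
        if row.get("direction") is None:
            continue
        # Unbridged channels have an empty call_uuid; key them by their own uuid.
        key = row.get("call_uuid") or row["uuid"]
        _, suite = parse_secure(row.get("secure") or "")
        calls[key].append((row["direction"], row["name"], suite))
    findings = {}
    for call, legs in calls.items():
        issues = [f"{d} leg {n} is plain RTP" for d, n, s in legs if s is None]
        suites = {s for _, _, s in legs if s}
        if len(suites) > 1:
            issues.append("legs use different suites: " + ", ".join(sorted(suites)))
        findings[call] = issues
    return findings

if __name__ == "__main__":
    for call, issues in audit_channels(SAMPLE).items():
        print(call, "OK" if not issues else "; ".join(issues))
```
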