<div dir="ltr"><div><div><div><div>Hi,<br><br></div>Thank you for your help!<br><br></div>I changed transport to TCP and updated vars.xml with one line:<br><br><X-PRE-PROCESS cmd="set" data="rtp_secure_media_outbound=mandatory:AES_CM_128_HMAC_SHA1_80"/><br><br></div><div>after "<X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256..." line<br></div><div><br></div>And call worked.<br><br></div><div>It is quite strange that if I put just "rtp_secure_media_outbound=mandatory" Linphone on B leg choose different cipher from Linphone in A leg an in this case I can hear only silence. Any hints? <br></div><div><br></div>Thank you!<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-11-04 17:48 GMT+02:00 Ken Rice <span dir="ltr"><<a href="mailto:krice@freeswitch.org" target="_blank">krice@freeswitch.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="#0563C1" vlink="#954F72" lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I’ll bet you are doing SIP over UDP instead of SIP/TLS. This will affect you in multiple ways<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><span>1)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Without SIP/TLS your STRP keys are passed around in the clear so you might as well not even be doing SRTP<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><span>2)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Without SIP/TLS (or SIP over TCP atleast) your invites are exceeding MTU and being truncated. This is most likely why step 5 is failing<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Jurijs Ivolga<br><b>Sent:</b> Wednesday, November 4, 2015 8:06 AM<br><b>To:</b> FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org" target="_blank">freeswitch-users@lists.freeswitch.org</a>><br><b>Subject:</b> [Freeswitch-users] Linphone + Freeswitch + SRTP<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<u></u><u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt">First of all I'm sorry if this not a really good place to ask, but I spotted very strange behavior using Linphone and Freeswitch.<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">I'm not sure that this is 100% Freeswitch bug, but maybe you point me to proper direction.<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Test environment:<u></u><u></u></p></div><div><p class="MsoNormal">Linphone =SRTP==> Freeswitch =SRTP==> 2nd Linphone<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Linphone & 2nd Linphone located behind NAT in same private network.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt">1) This invite is sent from Linphone to Freeswitch:<u></u><u></u></p></div><p class="MsoNormal">I left only SDP part where all ciphers are listed(same I did for all other sip packages)<u></u><u></u></p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2QEye591aHIqRwdLODMrr8ieQBBHl5WdIizE0NH2.<br>a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:d6K8m+tGEMvkEbRm5Zzy6KQkrlwS78l7wGufgx8S.<br>a=crypto:3 AES_CM_256_HMAC_SHA1_80 inline:PMvGinW3fpIejXOWDskUNWUhBX1KRlhrPkbrP0Nv4L/+My1V7w2r/ALSyLhkPg==.<br>a=crypto:4 AES_CM_256_HMAC_SHA1_32 inline:ZsdwMe0D+RauGydaQ90qG7pfOvdW6m9cxjbBhJ5AUaNSTecse9Sk3lRzlgZuSA==.<u></u><u></u></p></div><div><p class="MsoNormal">2) Trying from Freeswitch<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">3) Freeswitch replies Proxy Authentication Required<u></u><u></u></p></div><div><p class="MsoNormal">4) ACK from Linphone<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">5) Linphone sends one more invite to Freeswitch:<br><br>a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2QEye591aHIqRwdLODMrr8ieQBBHl5WdIizE0NH2.<br>a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:d6K8m+tGEMvkEbRm5Zzy6KQkrlwS<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><b>As we can see this is something very strange, cause Linphone first invite send 4 ciphers, but now it sends only 2 and it looks like that second one is missing something.</b><u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">6) Trying from freeswitch<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">7) Invite sent from Freeswitch to 2nd Linphone<br><br>a=crypto:1 AEAD_AES_256_GCM_8 inline:jotCMStRYMvwWT18wMqmgwAu6mVBKaIkENGh8HLF0UYFEcwGnoQpM0m4juU.<br>a=crypto:2 AEAD_AES_128_G<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">And as we can see in Invite from Freeswitch to 2nd Linphone ciphers are completely different from what Linphone sent in second Invite. I think this is not 100% Linphone bug. What you think?<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Full sip trace you can find in attachemnt, additionnally I will rase same issue on Linphone side.<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">With kind regards,<u></u><u></u></p></div><div><p class="MsoNormal">Jurijs<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>