We don't plan on adding support for this, but we would give a good review to it if someone submitted a pull request adding this functionality. <span></span><br><br>On Friday, November 6, 2015, Sergey Safarov <<a href="mailto:s.safarov@gmail.com">s.safarov@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">ZRTP does not allow identification of the other person (like "I am Sergey Safarov").<div>Also, ZRTP can be compromised by a "man in the middle" attack in the first session.</div><div>ZRTP "<a href="https://en.wikipedia.org/wiki/ZRTP" target="_blank">gives protection against man-in-the-middle (MiTM) attacks, so long as the attacker was not present in the first session between the two endpoints.</a>"</div><div><br></div><div>Sergey.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 6, 2015 at 3:28 PM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org" target="_blank">brian@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Use zrtp pass through mode!<div><div><span></span><br><br>On Friday, November 6, 2015, Sergey Safarov <<a href="mailto:s.safarov@gmail.com" target="_blank">s.safarov@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Using SDES "<a href="https://en.wikipedia.org/wiki/SDES" style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px" target="_blank">keys are transported in the SDP attachment of a SIP message</a><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">". 
These keys are accessible to the FreeSwitch process.</span></font><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">I want to reach the case where keys are negotiated by the endpoints and are not accessible to the FreeSwitch process.</span></font><br></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">As a second goal, I want to use a certificate issued by a trusted CA to identify the participant on the other leg and all participants in a conference. It will be like site identification in a browser. If the encryption icon is green, then the user knows it is trusted and knows who is on the other leg.</span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px"><br></span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">When SDES is used, the channel is </span></font><span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px">protected</span><span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px"> </span><span style="font-size:14px;line-height:22.4px;color:rgb(37,37,37);font-family:sans-serif">from leg-A to FS and from FS to leg-B. But FS is the weakest link. 
Keys can be intercepted, media can be decrypted, and the user will not know that the channel is not secured.</span></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px"><br></span></font></div><div><span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px">According to <a href="https://tools.ietf.org/html/rfc5197#section-5.5" target="_blank">RFC</a></span><span style="color:rgb(37,37,37);font-family:sans-serif;font-size:14px;line-height:22.4px"><a href="https://tools.ietf.org/html/rfc5197#section-5.5" target="_blank">5197</a>, the modes </span><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">RSA (3.2), DH-SIGN (3.3), RSA-R (3.7) look appropriate. An additional feature is conference call support.</span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">After reading "<a href="https://tools.ietf.org/html/rfc5197#section-6" target="_blank">6. Transport of MIKEY Messages</a>", I think MIKEY support on the FreeSwitch side is optional. Endpoints can directly negotiate keys via port 2269.</span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">But in the same section there is "The transport of MIKEY messages as part of SDP is described in [<a href="https://tools.ietf.org/html/rfc4567" target="_blank">RFC4567</a>]." 
 and FreeSwitch can help to transport messages when NAT is used.</span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px"><br></span></font></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px">Sergey</span></font></div><div><br></div><div><font color="#252525" face="sans-serif"><span style="font-size:14px;line-height:22.4px"><br></span></font></div><div><br></div><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 6, 2015 at 12:14 PM, Brian West <span dir="ltr"><<a>brian@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I think you mean <span style="color:rgb(0,0,0)">RFC4568. What does MIKEY give you that SDES does not?</span></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Fri, Nov 6, 2015 at 1:57 AM, Sergey Safarov <span dir="ltr"><<a>s.safarov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Does this mean that libsrtp cannot be used?<div><br></div><div>Also, does FS support <a href="https://tools.ietf.org/html/rfc4567" target="_blank">RFC4567</a>?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Fri, Nov 6, 2015 at 10:48 AM, Ken Rice <span dir="ltr"><<a>krice@freeswitch.org</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1f497d">Brian’s message there still rings true at this time. 
</span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1f497d"> </span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif"> <a>freeswitch-users-bounces@lists.freeswitch.org</a> [mailto:<a>freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Sergey Safarov<br><b>Sent:</b> Friday, November 6, 2015 1:42 AM<br><b>To:</b> FreeSWITCH Users Help <<a>freeswitch-users@lists.freeswitch.org</a>><br><b>Subject:</b> [Freeswitch-users] MIKEY-PK support</span></p><div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">Hi</p><div><p class="MsoNormal">According to <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2008-January/029822.html" target="_blank">this message</a>, supporting MIKEY key exchange requires a library with a compatible licence.</p></div><div><p class="MsoNormal">Now I cannot find MIKEY support in the source code.</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Is it possible to use <a href="http://srtp.sourceforge.net/license.html" target="_blank">libsrtp</a> to implement MIKEY key exchange?</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Sergey</p></div></div></div></div></div></div><br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a>consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a>FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a>brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://billing.freeswitch.org/templates/default/img/whmcslogo.png"><br></font></p><p><font size="2" face="monospace, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br><a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p><p><font face="monospace, monospace">Got Bugs? Report them <a href="https://freeswitch.org/jira" target="_blank">here</a>! | Reddit: <a href="https://www.reddit.com/r/freeswitch" target="_blank">/r/freeswitch</a></font></p>
<p><font size="2" face="monospace, monospace"><b>T:</b>+19184209001 | <b>F:</b>+19184209002 | <b>M:</b>+1918424WEST (9378)<br><b>iNUM:</b>+883 5100 1420 9001 | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div></div></div></div></div></div></div></div></div></div>
</div>
</blockquote></div><br></div>
</blockquote><br><br>-- <br><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<p><font face="courier new, monospace"><b><i><font size="4">Brian West</font></i></b><br><span style="font-size:x-small"><a href="javascript:_e(%7B%7D,'cvml','brian@freeswitch.org');" target="_blank">brian@freeswitch.org</a></span></font></p>
<p><font size="1" face="courier new, monospace"><img src="http://billing.freeswitch.org/templates/default/img/whmcslogo.png"><br></font></p><p><font size="2" face="monospace, monospace"><b><i>Twitter: @FreeSWITCH , @briankwest</i></b><br><a href="http://www.freeswitchbook.com" target="_blank">http://www.freeswitchbook.com</a><br><a href="http://www.freeswitchcookbook.com" target="_blank">http://www.freeswitchcookbook.com</a></font></p><p><font face="monospace, monospace">Got Bugs? Report them <a href="https://freeswitch.org/jira" target="_blank">here</a>! | Reddit: <a href="https://www.reddit.com/r/freeswitch" target="_blank">/r/freeswitch</a></font></p>
<p><font size="2" face="monospace, monospace"><b>T:</b>+19184209001 | <b>F:</b>+19184209002 | <b>M:</b>+1918424WEST (9378)<br><b>iNUM:</b>+883 5100 1420 9001 | <b>ISN:</b>410*543 | <b>Skype:</b>briankwest</font></p></div></div></div></div></div></div></div></div></div><br>
</div></div><br></blockquote></div><br></div>
</blockquote>
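<p>The point raised in the thread, that with SDES the SRTP master key sits in the SDP where any signaling intermediary such as a B2BUA can read it, shown as an added example (not part of the original messages and not FreeSWITCH code). The function name <code>audit_sdp</code> and the sample offer are constructed for illustration, and the MIKEY value is an opaque placeholder.</p>

```python
import base64
import re

# Constructed sample (not from the thread): three audio streams, keyed via
# SDES (RFC 4568), MIKEY carried in SDP (RFC 4567) and ZRTP (a=zrtp-hash).
_SDES_KEY = base64.b64encode(bytes(range(30))).decode()  # 16-byte key + 14-byte salt
_MIKEY_BLOB = base64.b64encode(bytes(24)).decode()       # placeholder, not a real MIKEY message
SAMPLE_SDP = f"""v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_SDES_KEY}|2^20
m=audio 49172 RTP/SAVP 0
a=key-mgmt:mikey {_MIKEY_BLOB}
m=audio 49174 RTP/AVP 0
a=zrtp-hash:1.10 {'ab' * 32}
"""

CRYPTO_RE = re.compile(r"a=crypto:\d+\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")


def audit_sdp(sdp):
    """Per media section: how SRTP is keyed, and whether the master key can be
    read straight out of the SDP by whoever handles the SIP message."""
    findings = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            findings.append({"media": line[2:], "method": "none", "key_in_sdp": False})
            continue
        if not findings:
            continue  # session-level lines are ignored here
        cur = findings[-1]
        m = CRYPTO_RE.match(line)
        if m:
            raw = base64.b64decode(m.group(2))
            # AES_CM_128 suites: 128-bit master key followed by a 112-bit salt
            cur.update(method="SDES", suite=m.group(1), key_in_sdp=True,
                       master_key=raw[:16].hex(), master_salt=raw[16:30].hex())
        elif line.startswith("a=key-mgmt:mikey "):
            # keying data is carried inside the MIKEY message, protected per MIKEY mode
            cur.update(method="MIKEY")
        elif line.startswith("a=zrtp-hash:"):
            # keys are agreed in the media path; SDP carries only a hash of the ZRTP Hello
            cur.update(method="ZRTP")
    return findings


if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE_SDP):
        print(finding)
```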