[Freeswitch-users] SRTP

Darren Schreiber d at d-man.org
Fri Jun 24 05:15:12 MSD 2011


Hi Rob,
	Sorry for responding late on this. I'd be happy to help with this - seems
like a really good use of time. Want to give a trial run at this over the
weekend?

- Darren


On 6/16/11 2:40 PM, "Rob Hutton" <justlikeef at gmail.com> wrote:

>I am trying to get encryption working from within Bluebox, in the most
>"reasonably flexible" way possible. (So no, not the default dialplan, but I
>missed the example so I will go back and look at it.)
>
>So, one scenario I am thinking needs to be supported is where you have two
>devices that are registered to the same user, one encrypted and one not. For
>instance, a phone and a remote ringer.
>
>What I am looking for is the best way to stay as flexible as possible. It may
>be a situation where you end up turning on encryption system wide if the
>devices support it, but that is overkill in a situation where there is a
>separate voice and data VLAN unless there is a need for that level of
>security.
>
>It may be a situation where I need to offer both options and write two
>dialplan entries in the situation where the admin wants to enable it device by
>device.
>
>BTW, I am also using my head to beat through getting TLS working on the front
>end.  I would REALLY appreciate another set of eyes if you have time.
>
>http://jira.freeswitch.org/browse/FS-3346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24719#action_24719
>
>Thanks,
>Rob
>
>On Thursday 16 June 2011 14:01:41 Michael Collins wrote:
>> Are you working off of the default.xml dialplan file? If so, it has an
>> example condition already:
>> 
>>       <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
>>         <action application="set" data="sip_secure_media=true"/>
>>         <!-- Offer SRTP on outbound legs if we have it on inbound. -->
>>         <!-- <action application="export" data="sip_secure_media=true"/> -->
>>       </condition>
>> 
>> What exactly are you checking on in your scenario? Most likely there is an
>> elegant way to do it. Give us the plain language description of the problem
>> you're addressing and the community will no doubt have good suggestions for
>> you.
>> 
>> -MC
>> 
>> On Thu, Jun 16, 2011 at 10:22 AM, Rob Hutton <justlikeef at gmail.com> wrote:
>> > Steven -
>> > 
>> > Thanks for the help here...
>> > 
>> > So there would have to be two dialplan entries for this number to work
>> > with either RTP or SRTP? (Maybe two devices registering to the same
>> > user?)
>> > 
>> > Would it make more sense to do this in a more global manner higher up in
>> > the dialplan in its own condition block?
>> > 
>> > On Thursday 16 June 2011 03:15:33 Steven Ayre wrote:
>> > >  {ERR} mod_dialplan_xml.c:110 Nexted conditions are not allowed
>> > > 
>> > > That's because it shouldn't be nested. It's not missing a /, and the
>> > > 1st should have the /. The extra indentation shouldn't be there on the
>> > > 2nd.
>> > > 
>> > > It should look like this:
>> > > 
>> > > <extension name="incoming-fxs">
>> > >      <condition field="destination_number" expression="^(202)$"/>
>> > >      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
>> > >           <action application="set" data="sip_secure_media=true"/>
>> > >           <action application="bridge" data="openzap/1/1"/>
>> > >      </condition>
>> > > </extension>
>> > > 
>> > > The two conditions function as an AND, even though it's not nested. FS
>> > > stops checking the extension as soon as it sees a condition that's
>> > > false (at least by default and in the above case), so if the
>> > > destination is not 202 it'll never get to the 2nd condition.
>> > > 
>> > > -Steve
>> > > 
>> > > On 16 June 2011 03:10, Rob Hutton <justlikeef at gmail.com> wrote:
>> > > > I think I have TLS and SRTP working at this point, but in the docs it
>> > > > says to use the following template for the dialplan:
>> > > > 
>> > > > http://wiki.freeswitch.org/wiki/Secure_RTP:
>> > > >  <extension name="incoming-fxs">
>> > > >    <condition field="destination_number" expression="^(202)$"/>
>> > > >      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
>> > > >      <action application="set" data="sip_secure_media=true"/>
>> > > >      <action application="bridge" data="openzap/1/1"/>
>> > > >    </condition>
>> > > >  </extension
>> > > > 
>> > > > 1) There is a missing > at the end of the close extension tag.
>> > > > 2) There is either a missing / at the end of the internal condition
>> > > > line, or a missing condition close tag somewhere
>> > > > 3) When I fix the internal condition, I get an error:
>> > > > 
>> > > > {ERR} mod_dialplan_xml.c:110 Nexted conditions are not allowed
>> > > > 
>> > > > All this, but a packet capture shows that SRTP is working based on
>> > > > what I did on:
>> > > > 
>> > > > http://wiki.freeswitch.org/wiki/SIP_TLS
>> > > > 
>> > > > Can someone give me some guidance on the Secure_RTP page and I will
>> > > > update whatever?

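The condition behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeSWITCH code: a simplified Python model that flags nested conditions and shows which actions run for an SRTP and a plain RTP caller to 202. Function names and sample channel data are hypothetical; only the `break` values `on-false` (default), `on-true`, `always` and `never` are modelled, and anti-actions are ignored.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. FLAT is the corrected extension from the thread;
# NESTED wraps the crypto condition inside the destination condition.
CRYPTO = ('<condition field="${sip_has_crypto}" break="never" '
          'expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$">'
          '<action application="set" data="sip_secure_media=true"/>'
          '<action application="bridge" data="openzap/1/1"/></condition>')
DEST = '<condition field="destination_number" expression="^(202)$"'
FLAT = f'<extension name="incoming-fxs">{DEST}/>{CRYPTO}</extension>'
NESTED = f'<extension name="incoming-fxs">{DEST}>{CRYPTO}</condition></extension>'

def nested_conditions(xml_text):
    """True if any <condition> contains another <condition> (the case the log rejects)."""
    root = ET.fromstring(xml_text)
    return any(c.find(".//condition") is not None for c in root.iter("condition"))

def field_value(field, chan):
    """Resolve a plain field name or a ${variable}; unset values become ''."""
    m = re.fullmatch(r"\$\{(\w+)\}", field)
    return chan.get(m.group(1) if m else field, "")

def run_extension(xml_text, chan):
    """Evaluate sibling conditions in order; return the actions that would run."""
    actions = []
    for cond in ET.fromstring(xml_text).findall("condition"):
        value = field_value(cond.get("field"), chan)
        hit = re.search(cond.get("expression"), value) is not None
        if hit:
            actions += [(a.get("application"), a.get("data"))
                        for a in cond.findall("action")]
        brk = cond.get("break", "on-false")
        if brk == "always" or (brk == "on-false" and not hit) \
                or (brk == "on-true" and hit):
            break  # stop checking this extension
    return actions

if __name__ == "__main__":
    srtp = {"destination_number": "202", "sip_has_crypto": "AES_CM_128_HMAC_SHA1_80"}
    rtp = {"destination_number": "202"}  # caller offered no crypto
    print("nested flagged:", nested_conditions(NESTED))
    print("SRTP caller:", run_extension(FLAT, srtp))
    print("RTP caller: ", run_extension(FLAT, rtp))
```

In this model the RTP-only caller to 202 gets no actions at all, because the bridge sits inside the crypto condition.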