[Freeswitch-users] Calls from SRTP Clients to non-SRTP clients

Richard Brady rnbrady at gmail.com
Tue Aug 14 21:41:03 MSD 2012


> is there a way to force FreeSWITCH to establish an SRTP call to clients
> when the originating client does not support SRTP?

This should work by default, assuming you are setting sip_secure_media in
the appropriate place.

FreeSWITCH should negotiate both channels (legs) independently. So if the
A-end has no SRTP, that should not prevent FreeSWITCH from sending an INVITE
to the B-end with SRTP specified (i.e. SAVP in the SDP with a crypto
attribute).

I think "all or nothing" doesn't imply both ends of the call, it implies
all calls or none of the calls. So an inbound or outbound call
without SRTP will be rejected. Hope this makes sense.

However, in the default dialplan there is a condition that will cause
FreeSWITCH to implement such a policy. It is commented out by default:

      <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
        <action application="set" data="sip_secure_media=true"/>
        <!-- Offer SRTP on outbound legs if we have it on inbound. -->
        <!-- <action application="export" data="sip_secure_media=true"/> -->
      </condition>

So if you uncommented that export line you would experience the behaviour
you described.

Assuming you have not done that, could it be that Bria is simply rejecting
any INVITE with SDP that does not contain an SAVP entry with a crypto
attribute? If this was the case you would find all inbound calls to that
extension failing.

Actually I wonder if this is what happened and then caused you to uncomment
the line above, which has led you to your conclusion, as this would cause
only calls coming from SRTP devices to work. If so, you'd want to comment
it out again and find a different way to create a group for all users with
SRTP devices and use a dialplan condition to decide whether or not to
export sip_secure_media=true.

Alternatively you could try for some sort of fall-back mechanism but you'd
have to think carefully about this to make it secure and/or stable.

Good luck!

Richard

PS: In your first paragraph, did you mean Bria for iPhone in both cases?
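
Added example, not part of the message above and not FreeSWITCH code: a small checker for the SDP body of each leg's INVITE (as copied from a SIP trace), reporting whether that leg carries RTP/SAVP with a crypto attribute naming one of the suites in the quoted dialplan condition. The function names and the sample SDP bodies are constructed for illustration.

```python
import re

# Suite names taken from the dialplan condition quoted in the message above.
SUITE_RE = re.compile(r"^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$")

def audio_offers(sdp):
    """Return [(proto, [crypto suites])] for each audio m= section."""
    sections, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()  # <media> <port> <proto> <fmt...>
            current = None
            if len(fields) >= 3 and fields[0] == "audio":
                current = (fields[2], [])
                sections.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            parts = line[len("a=crypto:"):].split()  # <tag> <suite> <key-params>
            if len(parts) >= 3:
                current[1].append(parts[1])
    return sections

def classify_leg(sdp):
    """Classify one leg's SDP as 'srtp', 'srtp-unusable', 'rtp' or 'no-audio'."""
    offers = audio_offers(sdp)
    if not offers:
        return "no-audio"
    for proto, suites in offers:
        if proto == "RTP/SAVP":
            # SAVP with no crypto line naming one of those suites is flagged.
            return "srtp" if any(SUITE_RE.match(s) for s in suites) else "srtp-unusable"
    return "rtp"  # plain RTP/AVP; a stray a=crypto under AVP is not counted as SRTP

# Constructed sample bodies (documentation addresses, placeholder key material).
A_LEG = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
B_LEG = A_LEG.replace("RTP/AVP", "RTP/SAVP") + (
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\n")

if __name__ == "__main__":
    print("A-leg:", classify_leg(A_LEG))
    print("B-leg:", classify_leg(B_LEG))
```

With independent per-leg negotiation, an A-leg reported as `rtp` alongside a B-leg reported as `srtp` is the expected result; a B-leg reported as `rtp` toward a client that only accepts SAVP matches the rejected-INVITE case raised above.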

