[Freeswitch-users] SRTP on outbound leg without TLS

Jurijs Ivolga jurij.ivo at gmail.com
Thu Aug 13 18:40:30 MSD 2015


Hi,

Maybe you can let me know how I can turn on SRTP using the default config?

I have the following lines in the default conf/dialplan/default.xml:

      <condition field="${rtp_has_crypto}" expression="^($${rtp_sdes_suites})$" break="never">
        <action application="set" data="rtp_secure_media=true"/>
        <!-- Offer SRTP on outbound legs if we have it on inbound. -->
        <!-- <action application="export" data="rtp_secure_media=true"/> -->
      </condition>

      <!--
         Since we have inbound-late-negotiation on by default now the
         above behavior isn't the same so you have to do one extra step.
        -->
      <condition field="${endpoint_disposition}" expression="^(DELAYED NEGOTIATION)"/>
      <condition field="${switch_r_sdp}" expression="(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)" break="never">
        <action application="set" data="rtp_secure_media=true"/>
        <!-- Offer SRTP on outbound legs if we have it on inbound. -->
        <!-- <action application="export" data="rtp_secure_media=true"/> -->
      </condition>

If I change them to:

      <condition field="${rtp_has_crypto}" expression="^($${rtp_sdes_suites})$" break="never">
        <action application="set" data="rtp_secure_media=true"/>
        <!-- Offer SRTP on outbound legs if we have it on inbound. -->
        <action application="export" data="rtp_secure_media=true"/>
      </condition>

      <!--
         Since we have inbound-late-negotiation on by default now the
         above behavior isn't the same so you have to do one extra step.
        -->
      <condition field="${endpoint_disposition}" expression="^(DELAYED NEGOTIATION)"/>
      <condition field="${switch_r_sdp}" expression="(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)" break="never">
        <action application="set" data="rtp_secure_media=true"/>
        <!-- Offer SRTP on outbound legs if we have it on inbound. -->
        <action application="export" data="rtp_secure_media=true"/>
      </condition>

Then when I make a call there is an issue with the cipher:

show channels
uuid,direction,created,created_epoch,name,state,cid_name,cid_num,ip_addr,dest,application,application_data,dialplan,context,read_codec,read_rate,read_bit_rate,write_codec,write_rate,write_bit_rate,secure,hostname,presence_id,presence_data,callstate,callee_name,callee_num,callee_direction,call_uuid,sent_callee_name,sent_callee_num,initial_cid_name,initial_cid_num,initial_ip_addr,initial_dest,initial_dialplan,initial_context
81a423fc-41c8-11e5-ac4e-1b8671775759,inbound,2015-08-13 10:35:13,1439476513,sofia/internal/1001@myserverip,CS_EXECUTE,1001,1001,mylocalip,1000,bridge,user/1000@myserverip,XML,default,opus,48000,0,opus,48000,0,srtp:sdes:*AES_CM_128_HMAC_SHA1_80*,Freeswitch1Dev,1001@myserverip,,ACTIVE,Outbound Call,1000,SEND,81a423fc-41c8-11e5-ac4e-1b8671775759,Outbound Call,1000,1001,1001,mylocalip,1000,XML,default
81cbe932-41c8-11e5-ac73-1b8671775759,outbound,2015-08-13 10:35:13,1439476513,sofia/internal/1000@mylocalip:39626,CS_EXCHANGE_MEDIA,Extension 1001,1001,mylocalip,1000,,,XML,default,opus,48000,0,opus,48000,0,srtp:sdes:*AES_CM_256_HMAC_SHA1_80*,Freeswitch1Dev,1000@myserverip,,ACTIVE,Outbound Call,1000,SEND,81a423fc-41c8-11e5-ac4e-1b8671775759,Extension 1001,1001,Extension 1001,1001,mylocalip,1000,XML,default


As you can see, the inbound call uses the AES_CM_128_HMAC_SHA1_80 cipher and
the outbound call uses AES_CM_256_HMAC_SHA1_80.

Any ideas?

With kind regards,

Jurijs


2015-08-13 17:26 GMT+03:00 Michael Jerris <mike at jerris.com>:

> You will have to look at the full negotiation of that leg and a debug log
> to see what's going on.
>
> On Thursday, August 13, 2015, Jurijs Ivolga <jurij.ivo at gmail.com> wrote:
>
>> Hi,
>>
>> I'm struggling with quite a simple issue. I need to enable SRTP on the outbound
>> leg. The call hits Freeswitch as SRTP but it leaves as regular RTP. I do not
>> use TLS and I don't need it (yes, I know that SRTP keys are sent as plain
>> text in this case).
>>
>> I tried to add the following code to my dialplan, but it does not help:
>>
>> <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
>>        <action application="set" data="sip_secure_media=true"/>
>>        <action application="export" data="sip_secure_media=true"/>
>> </condition>
>>
>> I also tried to add the following line to vars.xml:
>>
>> <X-PRE-PROCESS cmd="set" data="rtp_secure_media_inbound=mandatory"/>
>>
>> But still without success.
>>
>> Maybe somebody can give me a hint?
>>
>> Thank you!
>>
>> With kind regards,
>>
>> Jurijs
>>
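A check for the condition reported in this thread, added here as an example and not part of the original messages or of FreeSWITCH itself: it parses `show channels` CSV output, groups legs by `call_uuid`, and reports legs that carry plain RTP and calls whose legs negotiated different SRTP suites. The sample rows are constructed from the output in the post (columns trimmed, third row invented), and the `srtp:<method>:<suite>` layout of the `secure` column is assumed from that output.

```python
import csv
import io

# Constructed sample modelled on the `show channels` output in the post.
# Columns are trimmed to those the check needs; the third row is an
# invented plain-RTP leg.
SAMPLE = """uuid,direction,name,secure,call_uuid
81a423fc-41c8-11e5-ac4e-1b8671775759,inbound,sofia/internal/1001@myserverip,srtp:sdes:AES_CM_128_HMAC_SHA1_80,81a423fc-41c8-11e5-ac4e-1b8671775759
81cbe932-41c8-11e5-ac73-1b8671775759,outbound,sofia/internal/1000@mylocalip:39626,srtp:sdes:AES_CM_256_HMAC_SHA1_80,81a423fc-41c8-11e5-ac4e-1b8671775759
00000000-0000-0000-0000-000000000001,inbound,sofia/internal/1002@myserverip,,00000000-0000-0000-0000-000000000001
"""


def srtp_suite(secure):
    """Return the suite from 'srtp:<method>:<suite>', or None for plain RTP."""
    parts = secure.strip().replace("*", "").split(":")
    return parts[-1] if parts[0] == "srtp" and len(parts) >= 3 else None


def audit_channels(text):
    """Report plain-RTP legs and per-call SRTP suite mismatches."""
    calls = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Skip anything that is not a channel row, e.g. the "N total." trailer.
        if row.get("direction") not in ("inbound", "outbound"):
            continue
        key = row.get("call_uuid") or row["uuid"]
        leg = (row["direction"], row["name"], srtp_suite(row.get("secure") or ""))
        calls.setdefault(key, []).append(leg)

    findings = []
    for call, legs in calls.items():
        for direction, name, suite in legs:
            if suite is None:
                findings.append((call, "PLAIN_RTP",
                                 f"{direction} leg {name} is not encrypted"))
        suites = sorted({s for _, _, s in legs if s})
        if len(suites) > 1:
            findings.append((call, "SUITE_MISMATCH", " vs ".join(suites)))
    return findings


if __name__ == "__main__":
    for call, kind, detail in audit_channels(SAMPLE):
        print(f"{call}  {kind}  {detail}")
```
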