[Freeswitch-users] Optional Approach for SRTP (rfc 8643)

Eugene Christensen echristensen at sorenson.com
Tue Jul 14 19:12:46 UTC 2020


Hello,

I am attempting to get optional SRTP to work based on rfc 8643.  I have found that I can configure FreeSWITCH to allow for crypto in RTP/AVP, but I don't seem to get it to work fully.

I've used the configuration elements rtp_allow_crypto_in_avp and NDLB-allow-crypto-in-avp.  Both give me the same results but neither fully works.

I found in the archives another person who experienced this same issue.  It was in October of 2018 and is titled 'Accepting an "optional" SRTP offer (crypto in RTP/AVP) and establishing SRTP'.  In that case, he was using version 1.6.20.  From the responses, it seemed like in 1.8.2 it was possibly supposed to be working.  I'm using 1.8.5 and I have tried it in 1.10.3 as well but they both seem to behave the same.

A recap of what is in the SDP offer and the SDP answer is as follows:

The endpoint is signaling optional SRTP according to rfc 8643 by sending a crypto token or a fingerprint in the SDP for a media descriptor that is signaled as RTP/AVP.
m=audio 58702 RTP/AVP 0 8 101
c=IN IP4 65.37.249.200
b=AS:64
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:30
a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:8u1pUNOnFJUWKAa25GEtyFnHebV6AHrdpDgZ47nYBU6AtxlWiECv+RZPOSjW5g==
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:q3iDyAquDcVye5MVFF4NR2Krli3PdmSwxMKGFK8D
a=setup:active
a=fingerprint:sha-1 5F:29:44:20:8A:CB:81:1C:DC:9B:B0:C6:4D:EB:01:C1:6B:B8:CE:8E

I can see in the console log that the initially prepared SDP answer contains an m-line with RTP/SAVP and it also contains the selected crypto attribute for the response.
m=audio 25190 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:30
a=sendrecv
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:JfypK+0Vu1y6WXx0B/hhARVcvzYmO0Tt3xRJGx3o

Yet before it is sent, it is changed to have the media channels disabled.
m=audio 0 RTP/AVP 19

What else do I need to do to get this to work with optional encryption coming in the SDP-Offer?


Thanks.

Eugene Christensen
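
Added example, not part of the original post and not FreeSWITCH code: a small Python check that classifies an offer as optional SRTP (keying attributes on an RTP/AVP m-line, as described above) and reports whether the answer accepted SRTP, fell back to plaintext, or rejected the stream. Function names are hypothetical, and the sample SDP is abridged from the post with key material and fingerprint replaced by constructed placeholders.

```python
import re

KEYING_ATTRS = {"crypto", "fingerprint"}  # SDES and DTLS-SRTP keying attributes

def parse_media(sdp):
    """Return one dict per m= section: media type, port, profile, attribute names."""
    sections = []
    for raw in sdp.strip().splitlines():
        line = raw.strip()
        m = re.match(r"m=(\S+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            sections.append({"media": m.group(1), "port": int(m.group(2)),
                             "proto": m.group(3), "attrs": set()})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].add(line[2:].split(":", 1)[0])
    return sections

def classify_offer(sec):
    """'osrtp' = keying attributes on an RTP/AVP m-line, as in the post's offer."""
    has_keys = bool(sec["attrs"] & KEYING_ATTRS)
    if sec["proto"] == "RTP/AVP":
        return "osrtp" if has_keys else "rtp"
    return "srtp-required" if "SAVP" in sec["proto"] else "other"

def classify_answer(sec):
    """Outcome for one answered m-line."""
    if sec["port"] == 0:
        return "rejected"            # port 0 disables the stream
    if sec["attrs"] & KEYING_ATTRS:
        return "srtp-accepted"       # answerer returned keying material
    return "plaintext-fallback"      # RFC 8643 decline: no keying attributes

def audit(offer_sdp, answer_sdp):
    """Pair m-lines by position: (offer class, answer outcome, answer profile)."""
    return [(classify_offer(o), classify_answer(a), a["proto"])
            for o, a in zip(parse_media(offer_sdp), parse_media(answer_sdp))]

# Constructed samples, abridged from the SDP in the post; key material replaced.
OFFER = """m=audio 58702 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER
a=setup:active
a=fingerprint:sha-1 00:11:22"""
PREPARED_ANSWER = """m=audio 25190 RTP/SAVP 0 101
a=sendrecv
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER"""
SENT_ANSWER = "m=audio 0 RTP/AVP 19"

if __name__ == "__main__":
    print(audit(OFFER, PREPARED_ANSWER))
    print(audit(OFFER, SENT_ANSWER))
```

The third field exposes the answer's profile, so a change from the offered RTP/AVP to RTP/SAVP, as in the prepared answer quoted in the post, is visible next to the outcome.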
