Hey Matthias,
Thanks for the reply, and the pointers!
I guess the thing that’s confusing me most is that in my existing config, the 183 reply from Asterisk comes in as RTP/AVP and then Kamailio *does* change it to RTP/SAVP in the 183 forwarded to Teams *and* the same thing happens for the subsequent 200 OK. So to me that indicates that rtpengine_manage is already re-writing the SDP offers between RTP and SRTP to some level? But for some reason the crypto attribute is still missing in this one case.
If I remove my attempts to re-write to/from RTP/SAVP then it’s RTP/AVP all the way through (as that’s what Asterisk sends to Kamailio) and it gets rejected because SRTP is required, whereas right now it fails because SRTP fails to negotiate – so it’s not the same error.
Regardless, I am still working on a solution based on what you’ve said where I more explicitly call rtpengine_manage and pass in RTP/AVP or SAVP in MANAGE_BRANCH and MANAGE_REPLY. But no luck yet! Still missing the crypto attribute in the same spot unfortunately.
Thanks.
Rhys Hanrahan | Chief Information Officer
From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Matthias Urlichs <matthias@urlichs.de>
Reply to: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Date: Thursday, 3 March 2022 at 11:06 pm
To: "sr-users@lists.kamailio.org" <sr-users@lists.kamailio.org>
Subject: Re: [SR-Users] rtpengine - SRTP <> RTP missing a=crypto
On 03.03.22 12:07, Rhys Hanrahan wrote:
Any advice appreciated, as this is my first time dealing with SRTP (and rtpengine). Feeling very stuck. Thanks!
Yeah, me too. ;-)
Basically you need to call "rtpengine_manage" with the correct parameter, i.e. either RTP/AVP or RTP/SAVP, based on whether audio to the destination of the message is to be encrypted or not. This applies to basically any message with "application/sdp" content, i.e. both the INVITE *and* the 183 or 200 reply.
Thus if you relay from encrypted to plaintext, the INVITE's handler needs to call rtpengine_manage("… RTP/AVP") and the response handler needs to call rtpengine_manage("… RTP/SAVP").
In my code I discover these settings (for both call source and destination) during the INVITE, then I save them in a couple of XAVU variables. All the other handlers just select source / destination based on whether the message's source IP address is the same as the INVITE's.
IMHO it's way easier to program the whole thing in Python instead of Kamailio's language. This in turn would be much simpler if Kamailio used threads instead of separate processes and shared memory, but apparently you can't have everything. :-P
--
-- Matthias Urlichs
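
Added example (not code from either poster or from the Kamailio/rtpengine projects): a stand-alone Python sketch of the per-direction profile choice described in the quoted reply, plus a check for the symptom in this thread, an SRTP media line forwarded without a=crypto. The function names, IP addresses and SDP bodies are constructed for illustration; the other rtpengine_manage flags are left out.

```python
# Added illustration; all names and sample data are constructed assumptions.
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}  # profiles keyed via a=crypto (RFC 4568)

def profile_for_destination(msg_src_ip, invite_src_ip, caller_profile, callee_profile):
    """Profile to pass to rtpengine_manage for the leg this message is sent TO.

    A message arriving from the INVITE's source travels to the callee;
    anything else (183/200 replies from the callee) travels to the caller.
    """
    return callee_profile if msg_src_ip == invite_src_ip else caller_profile

def audit_sdp(sdp):
    """Return one finding per active media section that announces SRTP without keys."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            current = {"media": media, "port": int(port.split("/")[0]),
                       "profile": profile, "crypto": 0}
            sections.append(current)
        elif current is not None and line.startswith("a=crypto:"):
            current["crypto"] += 1  # a=crypto is a media-level attribute
    return [f"{s['media']}: {s['profile']} without a=crypto"
            for s in sections
            if s["port"] != 0 and s["profile"] in SDES_PROFILES and s["crypto"] == 0]

# Constructed SDP bodies (documentation addresses, dummy key material).
BROKEN_183 = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30000 RTP/SAVP 0 8 101", "a=rtpmap:0 PCMU/8000", "a=sendrecv", ""])
GOOD_183 = BROKEN_183.replace(
    "a=sendrecv",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\r\na=sendrecv")

if __name__ == "__main__":
    caller_ip, callee_ip = "198.51.100.5", "192.0.2.10"  # SRTP side, plain-RTP side
    # INVITE comes from the SRTP caller, so it is sent on towards the plain-RTP leg.
    print(profile_for_destination(caller_ip, caller_ip, "RTP/SAVP", "RTP/AVP"))
    # The 183 comes from the callee, so it is sent back towards the SRTP leg.
    print(profile_for_destination(callee_ip, caller_ip, "RTP/SAVP", "RTP/AVP"))
    print(audit_sdp(BROKEN_183))  # the failure discussed in this thread
    print(audit_sdp(GOOD_183))
```

Running audit_sdp over the SDP captured on the outgoing side of the proxy shows whether the profile was rewritten without keying material being added, which separates a missing a=crypto from a leg that was never switched to SRTP at all.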