26 Jul
2017
26 Jul
'17
7:40 a.m.
Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between
a telephone using TLS/SRTP and Asterisk. There are examples out there for
TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
Would anyone be able to point us towards a Kamaiio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can
assume all phones using TLS want to use SRTP.
Thanks very much in advance.
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
26 Jul
26 Jul
12:06 p.m.
Hello,
for phones that are using tls, you can do the following tests:
- for incoming traffic: proto==TLS
- for outgoing traffic: after lookup location, the R-URI ($ru) should
have 'transport=tls'
For RTPEngine there are some flags to specify you want or not SDES SRTP,
I used them few times in the past, but I don't recall them by heart --
the docs should have them.
Cheers,
Daniel
On 26.07.17 06:40, David Cunningham wrote:
Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint
between a telephone using TLS/SRTP and Asterisk. There are examples
out there for TLS/SRTP with WebRTC, but we're using a plain hard
phone, not WebRTC.
Would anyone be able to point us towards a Kamaiio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We
can assume all phones using TLS want to use SRTP.
Thanks very much in advance.
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com
27 Jul
27 Jul
7:01 a.m.
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination is
using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone
rings but the call drops immediately when it answers. The issue is that
Asterisk doesn't like the 200 OK from the phone, which contains SRTP
information. The error logged by Asterisk is "Rejecting secure audio stream
without encryption details". I've included the SDP below.
Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain
SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never
sees the encryption information in the 200 OK?
2) Is there anything wrong with the SDP returned by the TLS phone? For
example, you mentioned before SDES SRTP and I wonder if the type of SRTP is
not acceptable for some reason.
SDP received by Asterisk:
v=0
o=- 1501126711 1501126711 IN IP4 10.100.3.246
s=Polycom IP Phone
c=IN IP4 10.100.3.246
t=0 0
a=sendrecv
m=audio 2224 RTP/SAVP 0 101
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80
inline:W3V1lIbwyW1DzSmx8/AFFttKNJaoAM6kux0AcLtp
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
The part of the Kamailio configuration which handles rtpengine is:
if ( nat_uac_test( "8" ) ) {
rtpengine_manage( "force replace-origin
replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force
RTP/SAVPF" );
} else {
rtpengine_manage( "force trust-address
replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer
ICE=force RTP/SAVPF" );
}
Thanks again.
On 26 July 2017 at 21:06, Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
for phones that are using tls, you can do the following tests:
- for incoming traffic: proto==TLS
- for outgoing traffic: after lookup location, the R-URI ($ru) should
have 'transport=tls'
For RTPEngine there are some flags to specify you want or not SDES SRTP, I
used them few times in the past, but I don't recall them by heart -- the
docs should have them.
Cheers,
Daniel
On 26.07.17 06:40, David Cunningham wrote:
Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between
a telephone using TLS/SRTP and Asterisk. There are examples out there for
TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
Would anyone be able to point us towards a Kamaiio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can
assume all phones using TLS want to use SRTP.
Thanks very much in advance.
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092 <+1%20213-221-1092>
Australia: +61 (0) 2 8063 9019 <+61%202%208063%209019>
_______________________________________________
Kamailio (SER) - Users Mailing
Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierlawww.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
2:30 p.m.
On 07/27/2017 12:01 AM, David Cunningham wrote:
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination
is using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS
phone rings but the call drops immediately when it answers. The issue
is that Asterisk doesn't like the 200 OK from the phone, which
contains SRTP information. The error logged by Asterisk is "Rejecting
secure audio stream without encryption details". I've included the SDP
below.
Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain
SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk
never sees the encryption information in the 200 OK?
Yes, you just need to instruct rtpengine to translate the SDP to plain
RTP when sending to Asterisk. The appropriate flag to use in this case
would be `RTP/AVP`. Other flags might be relevant (e.g. if Asterisk
doesn't want to see any ICE information, use `ICE=remove`).
2) Is there anything wrong with the SDP returned by
the TLS phone? For
example, you mentioned before SDES SRTP and I wonder if the type of
SRTP is not acceptable for some reason.
This is also something you can control with flags given to rtpengine in
the other direction (plain RTP being translated to SRTP). By default,
both SDES and DTLS are offered. Either can be disabled by `SDES-off` and
`DTLS=off` respectively. Please see the docs at https://goo.gl/ivMQ6C
Cheers
31 Jul
31 Jul
6:01 a.m.
Hi Richard,
Thank you for the reply, it makes sense. We're using a line like this for
calls from plain RTP to SRTP, however the SDP arrives at the TLS phone with
no mention of encryption. Have you any idea what's wrong?
rtpengine_manage( "force trust-address replace-origin
replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force
RTP/SAVPF" );
I've also attached the rtpengine log in case it helps.
Thanks very much.
On 27 July 2017 at 23:30, Richard Fuchs <rfuchs(a)sipwise.com> wrote:
On 07/27/2017 12:01 AM, David Cunningham wrote:
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination is
using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS
phone rings but the call drops immediately when it answers. The issue is
that Asterisk doesn't like the 200 OK from the phone, which contains SRTP
information. The error logged by Asterisk is "Rejecting secure audio stream
without encryption details". I've included the SDP below.
Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain
SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never
sees the encryption information in the 200 OK?
Yes, you just need to instruct rtpengine to translate the SDP to plain RTP
when sending to Asterisk. The appropriate flag to use in this case would be
`RTP/AVP`. Other flags might be relevant (e.g. if Asterisk doesn't want to
see any ICE information, use `ICE=remove`).
2) Is there anything wrong with the SDP returned by the TLS phone? For
example, you mentioned before SDES SRTP and I
wonder if the type of SRTP is
not acceptable for some reason.
This is also something you can control with flags given to rtpengine in
the other direction (plain RTP being translated to SRTP). By default, both
SDES and DTLS are offered. Either can be disabled by `SDES-off` and
`DTLS=off` respectively. Please see the docs at https://goo.gl/ivMQ6C
Cheers
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
2:47 p.m.
On 30/07/17 11:01 PM, David Cunningham wrote:
Hi Richard,
Thank you for the reply, it makes sense. We're using a line like this
for calls from plain RTP to SRTP, however the SDP arrives at the TLS
phone with no mention of encryption. Have you any idea what's wrong?
rtpengine_manage( "force trust-address replace-origin
replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force
RTP/SAVPF" );
It must be getting its SDP from somewhere else then :)
The log clearly shows rtpengine translating the incoming SDP:
...
m=audio 12242 RTP/AVP 0 9 8 10 3 111 5 7 110 97 101
...
to an outgoing SRTP SDP:
...
m=audio 48144 RTP/SAVPF 0 9 8 10 3 111 5 7 110 97 101
...
a=crypto:1 AES_CM_128_HMAC_SHA1_80
inline:8kPQ4PUH3WRN/kALaLWkBh82FX2WW0WVRVMuAb1O
a=setup:actpass
a=fingerprint:sha-1
8E:5F:0B:B1:BA:AC:62:3C:C7:A6:F5:04:23:DA:0F:90:48:A3:C6:EF
...
Cheers
2671
days inactive
2676
days old
5 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
David Cunningham -
Richard Fuchs