Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between a telephone using TLS/SRTP and Asterisk. There are examples out there for TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
Would anyone be able to point us towards a Kamailio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can assume all phones using TLS want to use SRTP.
Thanks very much in advance.
Hello,
for phones that are using tls, you can do the following tests:
- for incoming traffic: proto==TLS
- for outgoing traffic: after lookup location, the R-URI ($ru) should have 'transport=tls'
For RTPEngine there are some flags to specify you want or not SDES SRTP, I used them a few times in the past, but I don't recall them by heart -- the docs should have them.
Cheers, Daniel
On 26.07.17 06:40, David Cunningham wrote:
Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between a telephone using TLS/SRTP and Asterisk. There are examples out there for TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
Would anyone be able to point us towards a Kamailio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can assume all phones using TLS want to use SRTP.
Thanks very much in advance.
-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 Australia: +61 (0) 2 8063 9019
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination is using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone rings but the call drops immediately when it answers. The issue is that Asterisk doesn't like the 200 OK from the phone, which contains SRTP information. The error logged by Asterisk is "Rejecting secure audio stream without encryption details". I've included the SDP below.
Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never sees the encryption information in the 200 OK?
2) Is there anything wrong with the SDP returned by the TLS phone? For example, you mentioned before SDES SRTP and I wonder if the type of SRTP is not acceptable for some reason.
SDP received by Asterisk:
v=0
o=- 1501126711 1501126711 IN IP4 10.100.3.246
s=Polycom IP Phone
c=IN IP4 10.100.3.246
t=0 0
a=sendrecv
m=audio 2224 RTP/SAVP 0 101
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:W3V1lIbwyW1DzSmx8/AFFttKNJaoAM6kux0AcLtp
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
The part of the Kamailio configuration which handles rtpengine is:
if ( nat_uac_test( "8" ) ) {
    rtpengine_manage( "force replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
} else {
    rtpengine_manage( "force trust-address replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
}
Thanks again.
On 26 July 2017 at 21:06, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
for phones that are using tls, you can do the following tests:
- for incoming traffic: proto==TLS
- for outgoing traffic: after lookup location, the R-URI ($ru) should have 'transport=tls'
For RTPEngine there are some flags to specify you want or not SDES SRTP, I used them a few times in the past, but I don't recall them by heart -- the docs should have them.
Cheers, Daniel
On 26.07.17 06:40, David Cunningham wrote:
Hello,
We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between a telephone using TLS/SRTP and Asterisk. There are examples out there for TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
Would anyone be able to point us towards a Kamailio configuration which:
a) Tests if the destination phone (stored using usrloc) uses TLS.
b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can assume all phones using TLS want to use SRTP.
Thanks very much in advance.
-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 Australia: +61 (0) 2 8063 9019
-- Daniel-Constantin Mierla www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training - www.asipto.com Kamailio World Conference - www.kamailioworld.com
On 07/27/2017 12:01 AM, David Cunningham wrote:
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination is using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone rings but the call drops immediately when it answers. The issue is that Asterisk doesn't like the 200 OK from the phone, which contains SRTP information. The error logged by Asterisk is "Rejecting secure audio stream without encryption details". I've included the SDP below.
Our questions now are:
- Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never sees the encryption information in the 200 OK?
Yes, you just need to instruct rtpengine to translate the SDP to plain RTP when sending to Asterisk. The appropriate flag to use in this case would be `RTP/AVP`. Other flags might be relevant (e.g. if Asterisk doesn't want to see any ICE information, use `ICE=remove`).
- Is there anything wrong with the SDP returned by the TLS phone? For example, you mentioned before SDES SRTP and I wonder if the type of SRTP is not acceptable for some reason.
This is also something you can control with flags given to rtpengine in the other direction (plain RTP being translated to SRTP). By default, both SDES and DTLS are offered. Either can be disabled by `SDES-off` and `DTLS=off` respectively. Please see the docs at https://goo.gl/ivMQ6C
Cheers
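A Kamailio 4.2 route fragment that puts Daniel's TLS checks and Richard's per-direction rtpengine flags together (an added example, not configuration from the thread or from the Kamailio project). It assumes the stock kamailio.cfg `route[RELAY]`, the tm, textops, regex and rtpengine modules loaded, `lookup("location")` already done, and that flag numbers 20 and 21 are free.

```kamailio
# Caller leg is a TLS/SRTP phone (assumed free flag number)
#!define FLT_SRC_SRTP 20
# Callee leg is a TLS/SRTP phone (assumed free flag number)
#!define FLT_DST_SRTP 21

# Call this after lookup("location") has rewritten the R-URI.
route[SRTP_BRIDGE] {
    # Caller side: a request that arrived over TLS came from an SRTP phone.
    if (proto == TLS) {
        setflag(FLT_SRC_SRTP);
    }
    # Callee side: the registered contact of a TLS phone carries transport=tls.
    if (pcre_match("$ru", "(?i)transport=tls")) {
        setflag(FLT_DST_SRTP);
    }
    if (has_body("application/sdp")) {
        if (isflagset(FLT_DST_SRTP)) {
            # Offer SRTP to the phone. The Polycom in the thread answered
            # RTP/SAVP with a=crypto (SDES), so DTLS is switched off here
            # (assumption: the phone does only SDES). ICE=remove keeps ICE
            # attributes away from a hard phone that does not expect them.
            rtpengine_manage("replace-origin replace-session-connection ICE=remove RTP/SAVP DTLS=off");
        } else {
            # Offer plain RTP to Asterisk: a=crypto from the caller is stripped.
            rtpengine_manage("replace-origin replace-session-connection ICE=remove RTP/AVP");
        }
    }
    # Request flags are inherited by the replies of the same transaction,
    # so the reply route can tell which leg the caller is on.
    t_on_reply("SRTP_BRIDGE_REPLY");
    route(RELAY);
}

# The answer travels back to the caller, so the caller's profile decides.
onreply_route[SRTP_BRIDGE_REPLY] {
    if (!has_body("application/sdp")) {
        return;
    }
    if (isflagset(FLT_SRC_SRTP)) {
        # TLS phone is the caller: its answer must carry SDES crypto.
        rtpengine_manage("replace-origin replace-session-connection ICE=remove RTP/SAVP DTLS=off");
    } else {
        # Asterisk is the caller: its 200 OK must carry no a=crypto line.
        rtpengine_manage("replace-origin replace-session-connection ICE=remove RTP/AVP");
    }
}
```

The `force`, `trust-address` and `rtcp-mux-*` flags from the thread's own line can be added back to either string as needed; the only difference per leg is the `RTP/AVP` versus `RTP/SAVP` profile.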
Hi Richard,
Thank you for the reply, it makes sense. We're using a line like this for calls from plain RTP to SRTP, however the SDP arrives at the TLS phone with no mention of encryption. Have you any idea what's wrong?
rtpengine_manage( "force trust-address replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
I've also attached the rtpengine log in case it helps.
Thanks very much.
On 27 July 2017 at 23:30, Richard Fuchs rfuchs@sipwise.com wrote:
On 07/27/2017 12:01 AM, David Cunningham wrote:
Hi Daniel,
Thanks very much for that reply. We now detect whether the destination is using TLS successfully using $ru and pcre_match().
Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone rings but the call drops immediately when it answers. The issue is that Asterisk doesn't like the 200 OK from the phone, which contains SRTP information. The error logged by Asterisk is "Rejecting secure audio stream without encryption details". I've included the SDP below.
Our questions now are:
- Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never sees the encryption information in the 200 OK?
Yes, you just need to instruct rtpengine to translate the SDP to plain RTP when sending to Asterisk. The appropriate flag to use in this case would be `RTP/AVP`. Other flags might be relevant (e.g. if Asterisk doesn't want to see any ICE information, use `ICE=remove`).
- Is there anything wrong with the SDP returned by the TLS phone? For example, you mentioned before SDES SRTP and I wonder if the type of SRTP is not acceptable for some reason.
This is also something you can control with flags given to rtpengine in the other direction (plain RTP being translated to SRTP). By default, both SDES and DTLS are offered. Either can be disabled by `SDES-off` and `DTLS=off` respectively. Please see the docs at https://goo.gl/ivMQ6C
Cheers
On 30/07/17 11:01 PM, David Cunningham wrote:
Hi Richard,
Thank you for the reply, it makes sense. We're using a line like this for calls from plain RTP to SRTP, however the SDP arrives at the TLS phone with no mention of encryption. Have you any idea what's wrong?
rtpengine_manage( "force trust-address replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
It must be getting its SDP from somewhere else then :)
The log clearly shows rtpengine translating the incoming SDP:
... m=audio 12242 RTP/AVP 0 9 8 10 3 111 5 7 110 97 101 ...
to an outgoing SRTP SDP:
...
m=audio 48144 RTP/SAVPF 0 9 8 10 3 111 5 7 110 97 101
...
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:8kPQ4PUH3WRN/kALaLWkBh82FX2WW0WVRVMuAb1O
a=setup:actpass
a=fingerprint:sha-1 8E:5F:0B:B1:BA:AC:62:3C:C7:A6:F5:04:23:DA:0F:90:48:A3:C6:EF
...
Cheers