Summary: ASTERISK-17103: Unable to establish SRTP if receive INVITE with no SDP
Reporter: Bob Beers (bbeers)
Labels:
Date Opened: 2010-12-13 16:26:26.000-0600
Date Closed: 2012-02-27 12:39:51.000-0600
Versions:
Frequency of
Environment:
Attachments: ( 0) 18470-Cisco_Invite_Without_SDP.txt
Description: Asterisk does not include an a=crypto line in SDP of 200 OK after
receiving an INVITE with no SDP.
encryption=yes in sip.conf.

Comments:

By: David Woolley (davidw) 2010-12-16 11:12:55.000-0600

There is a tenuous relationship with ASTERISK-13496, in that I think there are deep problems in the way the first SDP on OK case is handled.  I submitted a patch for this against the related ASTERISK-16583, but I think only the short term workaround actually went into the code.

As I remember it, part of the problem is a failure to properly decouple the SDP negotiation from the SIP level dialogue.  As I remember it, it tries to treat the SDP on an OK as a funny sort of response, when it is actually a first offer.

By: David Woolley (davidw) 2010-12-16 11:21:52.000-0600

Incidentally, the current issue started life as http://forums.digium.com/viewtopic.php?f=1&t=76452

By: Russell Bryant (russell) 2010-12-16 14:43:56.000-0600

Please include a SIP trace of a call that demonstrates the problem.

By: Bob Beers (bbeers) 2010-12-20 15:18:16.000-0600

I can't get the specific trace until sometime next week, when
my guy is back in the lab where the "offending" CCM is.  
Meanwhile I will see if I can recreate the scenario with SIPP.

By: Bob Beers (bbeers) 2011-01-04 10:53:51.000-0600

ok, trace is uploaded. I stripped almost all the dialplan debug
messages and left the relevant leg SIP messages.
Interesting, I think, that Asterisk recognized the issue.
Last line of trace is this:

[Jan  3 13:37:44] WARNING[25250]: chan_sip.c:8785 process_sdp: Matched device setup to use SRTP, but request was not!

By: Bob Beers (bbeers) 2011-01-25 10:24:32.000-0600

Sorry, attached a patch intended for issue 18674.
Hmmm, can I delete it from this issue?
Anyway, it is not directly relevant to this issue.

edit:issue # where patch should have gone.

By: Kinsey Moore (kmoore) 2012-02-10 08:59:43.870-0600

The documentation in the sample sip config makes it clear that the encryption option only applies to outbound calls.  As a workaround, you might try setting your Cisco device to "early offer" instead of "delayed offer" if that option is available to you.  I'll see what I can do to add this feature (which will only go into trunk since it changes behavior), but if it's more than a couple hours' worth of work then this will be closed as a feature request.

By: Kinsey Moore (kmoore) 2012-02-10 11:02:15.726-0600

Keeping some notes here so I don't forget: SRTP is only initialized on incoming invites if there is a crypto offer or on outbound calls if encryption=yes is set.  This would need to be provided for in sending out the 200 OK as well.

By: Kinsey Moore (kmoore) 2012-02-27 12:39:51.862-0600

Feature requests are no longer submitted to or accepted through the issue tracker. Feature requests are openly discussed on the mailing lists [1] and Asterisk IRC channels and made note of by Bug Marshals.

[1] http://www.asterisk.org/support/mailing-lists

If you happen to come back to this issue and have a patch that enables this feature, we're happy to accept patches for features in this issue tracker.
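
A trace check for the case this issue describes, added here as an example (it is not Asterisk code and not from any participant in the thread): it finds an INVITE with no SDP and then checks whether the SDP offer in the matching 200 OK has an RTP/SAVP audio line with an a=crypto attribute. The function names and the sample SIP messages are constructed for illustration, and the check covers SDES (a=crypto) keying only.

```python
# Added example (not Asterisk code): flag delayed-offer calls whose 200 OK
# SDP offer carries no SRTP keying. All SIP messages below are constructed.

def split_sip(raw):
    """Return (start_line, headers keyed by lower-case name, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def media_sections(sdp):
    """Return [(m_line, [attribute lines])] for each media section of an SDP body."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append((line, []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line)
    return sections

def audit_delayed_offer(messages):
    """Return Call-IDs where an SDP-less INVITE got a 200 OK offer without SRTP."""
    pending, findings = set(), []
    for raw in messages:
        start, hdr, body = split_sip(raw)
        call_id = hdr.get("call-id")
        is_ok = start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE")
        if start.startswith("INVITE ") and not body:
            pending.add(call_id)  # delayed offer: the 200 OK will carry the first offer
        elif is_ok and call_id in pending:
            pending.discard(call_id)
            for m_line, attrs in media_sections(body):
                secure = "RTP/SAVP" in m_line and any(a.startswith("a=crypto:") for a in attrs)
                if m_line.startswith("m=audio") and not secure:
                    findings.append(call_id)
    return findings

# Constructed sample messages (hypothetical host, Call-IDs and key placeholder).
INVITE = "INVITE sip:100@pbx.example.test SIP/2.0\r\nCall-ID: {cid}\r\nCSeq: 101 INVITE\r\nContent-Length: 0\r\n\r\n"
OK = "SIP/2.0 200 OK\r\nCall-ID: {cid}\r\nCSeq: 101 INVITE\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n{media}"
PLAIN = "m=audio 10000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
SRTP = "m=audio 10000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER\r\n"
TRACE = [INVITE.format(cid="a"), OK.format(cid="a", media=PLAIN),
         INVITE.format(cid="b"), OK.format(cid="b", media=SRTP)]
print(audit_delayed_offer(TRACE))
```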