Summary:ASTERISK-20905: Asterisk 200OK offers RTP/AVP for video when it should be RTP/SAVP due to SRTP (encryption=yes) being enabled
Reporter:Kristopher Lalletti (kris2k)
Labels:
Date Opened:2013-01-08 08:29:37.000-0600
Date Closed:2013-04-02 14:22:01
Versions:11.1.1
Frequency of
Environment:Linux 2.6.32-279.19.1.el6.i686 #1 SMP Wed Dec 19 04:30:58 UTC 2012 i686 i686 i386 GNU/Linux
Attachments:( 0) log.txt
( 1) rtp_crypto_video_text.diff
Description:In a context where the SIP endpoint enforces the use of SRTP via SIP TLS, we noticed that the requested video was RTP/SAVP, when Asterisk returned a video feed being RTP/AVP.

Comments:

By: Jonathan Rose (jrose) 2013-02-13 10:51:24.612-0600

I think I see the problem.  I have an untested patch I'd like you to try for me. I'm pretty sure this was the cause since we are sending a using crypto struct here meant to be strictly for the audio which doesn't get set until later.

By: Jonathan Rose (jrose) 2013-02-15 11:35:17.097-0600

I'm pretty sure the patch I committed fixed the problem, so I'm going to go ahead and close this.  If it turns out not to be the case, we can re-open it later.

By: Kristopher Lalletti (kris2k) 2013-02-16 09:10:43.923-0600

Sadly, no, the patch didn't work.

Now asterisk reports "chan_sip.c: Can't provide secure video requested in SDP offer" when I tap the video key on my device while dialed-in to the echo application.

By: Shaun Clark (shaunc869) 2013-03-06 11:53:22.326-0600

Still an issue for me, can we re-open this issue?

By: Jonathan Rose (jrose) 2013-03-06 14:35:55.819-0600

Kristopher: I'd appreciate some fresh logs with SIP debug enabled if you can provide them. While I'm at it, the sip.conf profile for the device (password stripped) and if you can make one, a PCAP would be nice.

By: Jonathan Rose (jrose) 2013-04-02 12:42:22.784-0500

Alright, so I've been poking around at this for most of the day and I've hit on a couple of amusing points in the process.

First, I've reproduced the problem in the description against 11.1.1 without TLS involved in the call. The requester starts the call with SRTP but not initially sending video, Asterisk responds with a 200 OK with RTP/SAVP for the audio, but RTP/AVP for the video. I've confirmed that the patch I wrote fixed that problem. Applying the patch made the OK Asterisk replied with use RTP/SAVP for the video as well.

Around the time I was writing these patches though, SVN 11 had developed a more general problem against RTP in general. This problem would cause numerous standard SRTP transmissions in Asterisk to not be unprotected and would result in noisy audio and just plain non-working video. This was fixed however by a patch written by Kinsey fairly recently (r384049). I don't know if that has anything to do with the problems seen in here, and I'm guessing not since I've been unable to reproduce the 'Can't provide secure video requested in SDP offer' message that Kristopher Lalletti mentioned in his last post. It does seem like a possible confounder though. Video calls that I have made after my original patch applied strictly against 11.1.1 (and not against SVN at that time since it had the white noise issue mentioned above) appear to work. Against the SVN revision where I applied this though, they don't work since the white noise problem fixed by r384049.

All of these observations though really just bring me back full circle. I don't know some critical details about the problem and I need both of you to clarify some very specific points for me.

1. Did video work with the unpatched 11.1.1 in spite of the offer for RTP/AVP in the OK? I imagine this is going to depend on the device. Jitsi in particular worked alright. According to its stream information, the video media was also being relayed as SRTP, but this might simply have been a consequence of how echo works (it would read encrypted frames and see garbage probably and then retransmit the garbage which would appear perfectly normal on the device that is already set up to decrypt it).

2. When you tested the patch, did you check 11 out from SVN or did you apply this particular patch to 11.1.1?

As requested back in early March, I would really appreciate detailed logs for when you get the "chan_sip.c: Can't provide secure video requested in SDP offer" log message. This is somewhat troubling to me since I haven't been able to reproduce that part of the problem using the data provided by the first log. If you don't want to do the PCAP for some reason, I might be able to figure out where this problem is coming from without that.
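
The mismatch reproduced in the comment above (RTP/SAVP answered for audio, RTP/AVP for video) can be checked mechanically by comparing each m= line of the 200 OK with the matching m= line of the offer. This Python sketch is an added example, not part of the ticket or of Asterisk's code; the SDP bodies, addresses, ports and key placeholder are constructed, and all function names are hypothetical.

```python
import re

M_LINE = re.compile(r"^m=(\S+) (\d+)(?:/\d+)? (\S+)")

def media_sections(sdp):
    """One dict per m= line: media type, port, transport profile, a=crypto count."""
    sections = []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        m = M_LINE.match(line)
        if m:
            sections.append({"media": m.group(1), "port": int(m.group(2)),
                             "proto": m.group(3), "crypto": 0})
        elif line.startswith("a=crypto:") and sections:
            sections[-1]["crypto"] += 1
    return sections

def srtp_downgrades(offer, answer):
    """Compare answer m= lines to the offer by position (answers keep offer order)."""
    findings = []
    pairs = zip(media_sections(offer), media_sections(answer))
    for idx, (o, a) in enumerate(pairs):
        if a["port"] == 0:          # port 0 means the stream was rejected
            continue
        # Any profile containing SAVP (RTP/SAVP, RTP/SAVPF, ...) counts as secure.
        if "SAVP" in o["proto"] and "SAVP" not in a["proto"]:
            findings.append((idx, a["media"],
                             f"offered {o['proto']}, answered {a['proto']}"))
        elif a["proto"].startswith("RTP/SAVP") and a["crypto"] == 0:
            findings.append((idx, a["media"],
                             f"{a['proto']} answered without a=crypto"))
    return findings

def sample_sdp(video_proto):
    """Constructed SDP body: SRTP audio plus video using the given profile."""
    key = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"
    lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
             "t=0 0", "m=audio 40000 RTP/SAVP 0", key,
             f"m=video 40002 {video_proto} 34"]
    if "SAVP" in video_proto:
        lines.append(key)
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    offer = sample_sdp("RTP/SAVP")
    for label, answer in (("answer as reported", sample_sdp("RTP/AVP")),
                          ("answer after fix", sample_sdp("RTP/SAVP"))):
        print(label, "->", srtp_downgrades(offer, answer) or "no downgrade")
```

Run against SDP bodies taken from a `sip set debug on` log, it lists the streams where the answer dropped the secure profile the offer asked for.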

By: Matt Jordan (mjordan) 2013-04-02 14:21:47.737-0500

Summing up what Jonathan just wrote: with this patch, which is in 11.3.0, we no longer see the initial problem reported on this issue, and we're able to make video calls into Asterisk that are encrypted.

If you're still getting a warning or error message and a rejected video call, there is probably a different issue at work. If so, please open up a new issue in the issue tracker, attach a full log file with 'sip set debug on', and - preferably - include a pcap (obviously if you're not using TLS :-)).

As of right now, I'm going to go ahead and close this out as fixed.

By: Kristopher Lalletti (kris2k) 2013-04-04 19:31:12.166-0500

Unfortunately, too much time has passed and I've moved on from this issue.

I'll make sure to give 11.3+ a try on my next version refresh, which will most likely be in Q3 2013. If there's still a misbehavior, I'll make sure to collect the requested logs, and open up a new issue referencing this one.