
Summary: ASTERISK-22748: SRTP Crypto Offer With Lifetime Not Accepted
Reporter: Alejandro Mejia (amejia)
Labels:
Date Opened: 2013-10-22 20:20:00
Date Closed: 2013-10-23 10:39:58
Priority: Major
Regression?
Status: Closed/Complete
Components: Channels/chan_sip/SRTP Channels/chan_sip/TCP-TLS
Versions: 11.5.1
Frequency of Occurrence:
Related Issues:
duplicates ASTERISK-20233 SRTP not working with some devices (Eg Grandstream gxv3175) - Message "Can't provide secure audio requested in SDP offer"
is related to ASTERISK-17721 Incoming SRTP calls that specify a key lifetime fail
is related to ASTERISK-17899 Handle crypto lifetime in SDES-SRTP negotiation
Environment: FreePBX with Asterisk 11.5.1 recompiled
Attachments:
Description:
When {{a=crypto:1}} and {{a=crypto:2}} do not come right after {{m=audio}} in the SDP message from certain SIP clients (Grandstream phones, for example), Asterisk ignores the crypto parameters and issues the following errors:

{noformat}
NOTICE[20186][C-00000042]: sip/sdp_crypto.c:265 sdp_crypto_process: SRTP crypto offer not acceptable
WARNING[20186][C-00000042]: chan_sip.c:10454 process_sdp: Rejecting secure audio stream without encryption details: audio 5004 RTP/SAVP 0 8 4 18 9 97 2 101
{noformat}

This results in a "Not Acceptable Here" SIP error.

The following SDP information is from a Yealink phone and a Grandstream phone.

Yealink (call goes through without issues):
{noformat}
v=0
o=- 20013 20013 IN IP4 10.28.128.187
s=SDP data
c=IN IP4 10.28.128.187
t=0 0
m=audio 11792 RTP/SAVP 0 8 18 9 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:NmU0NTlkM2QzNDkzNGFiNzVjYjE2MWI2ZDcyMWZk
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:M2JhMmJmYmM4OGIxNDRlADY5NDQ5NjMANjljM2Qz
a=crypto:3 F8_128_HMAC_SHA1_80 inline:Mzk2NDY1NWExYTdkYWI3YTdmOTc1MWZmNmRlYTkx
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
{noformat}

Grandstream phone (call won't go through):
{noformat}
v=0
o=898 8000 8000 IN IP4 10.28.128.97
s=SIP Call
c=IN IP4 10.28.128.97
t=0 0
m=audio 5004 RTP/SAVP 0 8 4 18 9 97 2 101
a=sendrecv
a=rtpmap:0 PCMU/8000
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:4 G723/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:2 G726-32/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Ar/jYxzGz1lLcROAnVi8IFGB2VJlynqKBhjaVvgb|2^32
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:CPvb7F73si5R/Z9kfT28OV0NujdfHwHaqQfyg13q|2^32
{noformat}
Comments:
By: Michael L. Young (elguero) 2013-10-23 10:38:49.193-0500

Alejandro,

You must be getting log messages like this when using the Grandstream:
{noformat}
"Crypto life time unsupported: crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Ar/jYxzGz1lLcROAnVi8IFGB2VJlynqKBhjaVvgb|2^32"
"Crypto life time unsupported: crypto:2 AES_CM_128_HMAC_SHA1_32 inline:CPvb7F73si5R/Z9kfT28OV0NujdfHwHaqQfyg13q|2^32"
{noformat}

Asterisk does not support lifetime for cryptographic keys, which is the part that follows the "|".

Take a look at this FAQ on Grandstream's website for extra information.
http://www.grandstream.com/support/faq/gxp-enterprise-phone-series#25

Unless you can provide a patch to add this feature, we need to close this out since we do not accept feature requests through the bug tracker.  You can feel free to bring this up on the mailing lists and see if anyone would be able to help add this support.
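
The key lifetime discussed in this issue can be spotted in a captured SDP offer before the call is rejected. The following is an added example, not part of the comment above and not Asterisk code; it assumes the RFC 4568 `inline:` key-parameter layout, and the function names and the sample SDP (with placeholder key material) are constructed for illustration.

```python
import re

# RFC 4568 SDES layout (assumed here):
#   a=crypto:<tag> <suite> inline:<key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")

def parse_lifetime(text):
    """Lifetime is a packet count, written as decimal or as 2^<exponent>."""
    if text.startswith("2^"):
        return 2 ** int(text[2:])
    return int(text)

def parse_crypto_line(line):
    """Parse one a=crypto attribute; return None for any other SDP line."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, key_info = m.groups()
    fields = key_info.split("|")          # fields[0] is the base64 key||salt
    entry = {"tag": int(tag), "suite": suite, "lifetime": None, "mki": None}
    for field in fields[1:]:
        if ":" in field:                  # MKI is written as <value>:<length>
            entry["mki"] = field
        else:                             # anything else is the lifetime
            entry["lifetime"] = parse_lifetime(field)
    return entry

def offers_with_lifetime(sdp):
    """Return the tags of crypto offers that carry a key lifetime."""
    parsed = (parse_crypto_line(l) for l in sdp.splitlines())
    return [e["tag"] for e in parsed if e and e["lifetime"] is not None]

# Constructed sample: placeholder key material, not taken from any real call.
KEY = "QUJD" * 10
SAMPLE_SDP = "\n".join([
    "m=audio 5004 RTP/SAVP 0 8",
    "a=sendrecv",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^32",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY}",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^20|1:4",
])

if __name__ == "__main__":
    for tag in offers_with_lifetime(SAMPLE_SDP):
        print(f"crypto:{tag} carries a key lifetime")
```

Running it over an offer shows which `a=crypto` lines would hit the "Crypto life time unsupported" path, independent of where they appear relative to `m=audio`.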