Index: channels/sip/include/sdp_crypto.h
===================================================================
--- channels/sip/include/sdp_crypto.h	(revision 398926)
+++ channels/sip/include/sdp_crypto.h	(working copy)
@@ -29,6 +29,7 @@
 #define _SDP_CRYPTO_H
 
 #include <asterisk/rtp_engine.h>
+#include "sip.h"
 
 struct sdp_crypto;
 struct sip_srtp;
@@ -53,11 +54,12 @@
  * \param attr the a:crypto line from SDP
  * \param rtp The rtp instance associated with the SDP being parsed
  * \param srtp SRTP structure
+ * \param pvt The SIP call
  *
  * \retval 0 success
  * \retval nonzero failure
  */
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp);
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp, struct sip_pvt *pvt);
 
 
 /*! \brief Generate an SRTP a=crypto offer
Index: channels/sip/sdp_crypto.c
===================================================================
--- channels/sip/sdp_crypto.c	(revision 398926)
+++ channels/sip/sdp_crypto.c	(working copy)
@@ -189,7 +189,7 @@
 	return res;
 }
 
-int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp)
+int sdp_crypto_process(struct sdp_crypto *p, const char *attr, struct ast_rtp_instance *rtp, struct sip_srtp *srtp, struct sip_pvt *pvt)
 {
 	char *str = NULL;
 	char *tag = NULL;
@@ -228,10 +228,18 @@
 	}
 
 	if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_80")) {
+		if (ast_test_flag(&pvt->flags[2], SIP_PAGE3_SRTP_TAG_32)) {
+			ast_log(LOG_WARNING, "Configuration forbids offered crypto suite: %s\n", suite);
+			return -1;
+		}
 		suite_val = AST_AES_CM_128_HMAC_SHA1_80;
 		ast_set_flag(srtp, SRTP_CRYPTO_TAG_80);
 		taglen = 80;
 	} else if (!strcmp(suite, "AES_CM_128_HMAC_SHA1_32")) {
+		if (!ast_test_flag(&pvt->flags[2], SIP_PAGE3_SRTP_TAG_32)) {
+			ast_log(LOG_WARNING, "Configuration forbids offered crypto suite: %s\n", suite);
+			return -1;
+		}
 		suite_val = AST_AES_CM_128_HMAC_SHA1_32;
 		ast_set_flag(srtp, SRTP_CRYPTO_TAG_32);
 		taglen = 32;
Index: channels/chan_sip.c
===================================================================
--- channels/chan_sip.c	(revision 398926)
+++ channels/chan_sip.c	(working copy)
@@ -33125,7 +33125,7 @@
 		return FALSE;
 	}
 
-	if (sdp_crypto_process((*srtp)->crypto, a, rtp, *srtp) < 0) {
+	if (sdp_crypto_process((*srtp)->crypto, a, rtp, *srtp, p) < 0) {
 		return FALSE;
 	}