Asterisk sRTP installation and configuration

Posted on June 4, 2010

The current Asterisk release supports SIP/TLS but not sRTP; that feature is planned for the next major release, 1.8. On the roadmap page you can track its progress and the estimated release dates.

Here is the line that interests us:

0005413: [Channels/chan_sip/NewFeature]  1[branch] Secure RTP (SRTP) (twilson) - assigned.

Further details are in bug 0005413.

The good news is that with SVN we can already try this feature from the srtp_reboot branch. Let's set it all up.


The installation

I'm assuming Asterisk was already set up on the system, so its dependencies (libxml2-dev …), the compilation tools (build-essential …) and SVN (subversion …) are already there.

The first step is to install the srtp libraries. Debian ships these libraries BUT THEY DO NOT WORK with Asterisk sRTP … You have to build them from the sources at http://srtp.sourceforge.net/download.html

[email protected]:/usr/src# wget http://srtp.sourceforge.net/srtp-1.4.2.tgz
--2010-06-04 00:23:11--  http://srtp.sourceforge.net/srtp-1.4.2.tgz
Resolving srtp.sourceforge.net... 216.34.181.96
Connecting to srtp.sourceforge.net|216.34.181.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 488333 (477K) [application/x-gzip]
Saving to: “srtp-1.4.2.tgz”

100%[==================================>] 488,333      153K/s   in 3.1s

2010-06-04 00:23:38 (153 KB/s) - “srtp-1.4.2.tgz” saved [488333/488333]

[email protected]:/usr/src# tar xfzv srtp-1.4.2.tgz
srtp/
srtp/.cvsignore
[...]
srtp/update.sh
srtp/VERSION
[email protected]:/usr/src# cd srtp
[email protected]:/usr/src/srtp# ls
CHANGES       config_in.h  configure	 crypto  doc	  install-sh  Makefile.in  srtp    test    TODO      update.sh
config.guess  config.sub   configure.in  CVS	 include  LICENSE     README	   tables  timing  undos.sh  VERSION
[email protected]:/usr/src/srtp#
[email protected]:/usr/src/srtp# ./configure --prefix=/usr
checking for ranlib... ranlib
checking for gcc... gcc
[...]
config.status: creating doc/Makefile
config.status: creating crypto/include/config.h
[email protected]:/usr/src/srtp#

At this point there is a trick. If you run make now, libsrtp itself builds fine, but the resulting static libsrtp.a is not position-independent, so linking res_srtp.so later fails when compiling the sRTP branch:

   [LD] res_srtp.o -> res_srtp.so
/usr/bin/ld: /usr/local/lib/libsrtp.a(srtp.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libsrtp.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[1]: *** [res_srtp.so] Error 1
make: *** [res] Error 2

To avoid this, edit the Makefile and replace

CFLAGS	= -Wall -O4 -fexpensive-optimizations -funroll-loops

with

CFLAGS	= -fPIC -Wall -O4 -fexpensive-optimizations -funroll-loops

Now compile …

[email protected]:/usr/src/srtp# make
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include  -fPIC -Wall -O4 -fexpensive-optimizations -funroll-loops -c srtp/srtp.c -o srtp/srtp.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include  -fPIC -Wall -O4 -fexpensive-optimizations -funroll-loops -c crypto/cipher/cipher.c -o crypto/cipher/cipher.o
[...]
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include  -fPIC -Wall -O4 -fexpensive-optimizations -funroll-loops -L. -o test/rtpw test/rtpw.c test/rtp.c libsrtp.a  -lsrtp
Build done. Please run 'make runtest' to run self tests.

… and install

[email protected]:/usr/src/srtp# make install
/usr/bin/install -c -d /usr/include/srtp
/usr/bin/install -c -d /usr/lib
cp include/*.h /usr/include/srtp
cp crypto/include/*.h /usr/include/srtp
if [ -f libsrtp.a ]; then cp libsrtp.a /usr/lib/; fi

Ok, once we have the libraries it's time to get the Asterisk sources; for that we'll use the svn command to check out the repository. The full command is svn checkout http://svn.asterisk.org/svn/asterisk/team/group/srtp_reboot

[email protected]:/usr/src# svn checkout http://svn.asterisk.org/svn/asterisk/team/group/srtp_reboot
A    srtp_reboot/build_tools
A    srtp_reboot/build_tools/cflags-devmode.xml
A    srtp_reboot/build_tools/get_makeopts

[...]

Checked out revision 766.
Checked out revision 266284.

Now that we have the sources we need to configure them. Note that if you do not enable SSL in configure, TLS will not be available; to enable SSL you need the following package on Debian – libssl-dev

[email protected]:/usr/src/srtp_reboot# ./configure --with-ssl
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
[...]
config.status: creating include/asterisk/autoconfig.h

               .$$$$$$$$$$$$$$$=..
            .$7$7..          .7$$7:.
          .$$:.                 ,$7.7
        .$7.     7$$$$           .$$77
     ..$$.       $$$$$            .$$$7
    ..7$   .?.   $$$$$   .?.       7$$$.
   $.$.   .$$$7. $$$$7 .7$$$.      .$$$.
 .777.   .$$$$$$77$$$77$$$$$7.      $$$,
 $$$~      .7$$$$$$$$$$$$$7.       .$$$.
.$$7          .7$$$$$$$7:          ?$$$.
$$$          ?7$$$$$$$$$$I        .$$$7
$$$       .7$$$$$$$$$$$$$$$$      :$$$.
$$$       $$$$$$7$$$$$$$$$$$$    .$$$.
$$$        $$$   7$$$7  .$$$    .$$$.
$$$$             $$$$7         .$$$.
7$$$7            7$$$$        7$$$
 $$$$$                        $$$
  $$$$7.                       $$  (TM)
   $$$$$$$.           .7$$$$$$  $$
     $$$$$$$$$$$$7$$$$$$$$$.$$$$$$
       $$$$$$$$$$$$$$$$.

configure: Package configured for:
configure: OS type  : linux-gnu
configure: Host CPU : x86_64
configure: build-cpu:vendor:os: x86_64 : unknown : linux-gnu :
configure: host-cpu:vendor:os: x86_64 : unknown : linux-gnu :

We need to make sure the Asterisk sRTP module is selected in the build; to do this we go into menuconfig

[email protected]:/usr/src/srtp_reboot# make menuconfig
CC="cc" CXX="g++" LD="" AR="" RANLIB="" CFLAGS="" make -C menuselect CONFIGURE_SILENT="--silent" makeopts
make[1]: Entering directory `/usr/src/srtp_reboot/menuselect'
make[1]: `makeopts' is up to date.
[...]

Go to the Resource Modules section and check that res_srtp is selected

**************************************************
    Asterisk Module and Build Option Selection
**************************************************
                Press 'h' for help.
               [*] res_adsi
               [*] res_ael_share
               [*] res_agi
               XXX res_ais
               [*] res_calendar
               XXX res_calendar_caldav
               XXX res_calendar_ews
               XXX res_calendar_exchange
               XXX res_calendar_icalendar
               [*] res_clialiases
               [*] res_clioriginate
               XXX res_config_curl
               XXX res_config_ldap
               XXX res_config_odbc
               XXX res_config_pgsql
               XXX res_config_sqlite
               [*] res_convert
               [*] res_crypto
               XXX res_curl
               [*] res_fax
               XXX res_fax_spandsp
               XXX res_http_post
               XXX res_jabber
               [*] res_limit
               [*] res_monitor
               [*] res_musiconhold
               [*] res_mutestream
               XXX res_odbc
               [*] res_phoneprov
               [ ] res_pktccops
               [*] res_realtime
               [*] res_rtp_asterisk
               [*] res_rtp_multicast
               [*] res_security_log
               [*] res_smdi
               XXX res_snmp
               [*] res_speech
               [*] res_srtp
               XXX res_timing_dahdi
               XXX res_timing_kqueue
               [*] res_timing_pthread
               [*] res_timing_timerfd

Here you can also activate modules such as MySQL, CDR, other languages, codecs … Have a look through it.
When you're ready we can build our new Asterisk …

[email protected]:/usr/src/srtp_reboot# make
CC="cc" CXX="g++" LD="" AR="" RANLIB="" CFLAGS="" make -C menuselect CONFIGURE_SILENT="--silent" makeopts
make[1]: Entering directory `/usr/src/srtp_reboot/menuselect'
make[1]: `makeopts' is up to date.
make[1]: Leaving directory `/usr/src/srtp_reboot/menuselect'
menuselect/menuselect --check-deps menuselect.makeopts
menuselect/menuselect --check-deps menuselect.makeopts
Generating embedded module rules ...
   [CC] chan_agent.c -> chan_agent.o
[...]
   [LD] abstract_jb.o acl.o adsistub.o aescrypt.o aeskey.o aestab.o alaw.o app.o ast_expr2.o ast_expr2f.o asterisk.o astfd.o astmm.o astobj2.o audiohook.o autochan.o autoservice.o bridging.o callerid.o ccss.o cdr.o cel.o channel.o chanvars.o cli.o config.o cryptostub.o data.o datastore.o db.o devicestate.o dial.o dns.o dnsmgr.o dsp.o enum.o event.o features.o file.o fixedjitterbuf.o frame.o fskmodem.o global_datastores.o hashtab.o heap.o http.o image.o indications.o io.o jitterbuf.o loader.o lock.o logger.o manager.o md5.o netsock.o pbx.o plc.o poll.o privacy.o rtp_engine.o say.o sched.o security_events.o sha1.o slinfactory.o srv.o ssl.o stdtime/localtime.o strcompat.o strings.o stun.o syslog.o taskprocessor.o tcptls.o tdd.o term.o test.o threadstorage.o timing.o translate.o udptl.o ulaw.o utils.o version.o xml.o xmldoc.o editline/libedit.a db1-ast/libdb1.a  -> asterisk
 +--------- Asterisk Build Complete ---------+
 + Asterisk has successfully been built, and +
 + can be installed by running:              +
 +                                           +
 +                make install               +
 +-------------------------------------------+

… install it …

[email protected]:/usr/src/srtp_reboot# make install
CC="cc" CXX="g++" LD="" AR="" RANLIB="" CFLAGS="" make -C menuselect CONFIGURE_SILENT="--silent" makeopts
make[1]: Entering directory `/usr/src/srtp_reboot/menuselect'
make[1]: `makeopts' is up to date.
make[1]: Leaving directory `/usr/src/srtp_reboot/menuselect'
CFLAGS="  -I/usr/include/libxml2 -pipe -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -g3 -march=k8  " build_tools/mkpkgconfig /usr/lib/pkgconfig;
[...]
make[1]: Entering directory `/usr/src/srtp_reboot/sounds'
--2010-06-04 00:41:07--  http://downloads.asterisk.org/pub/telephony/sounds/releases/asterisk-core-sounds-en-gsm-1.4.19.tar.gz
Resolving downloads.asterisk.org... 76.164.171.233, 2001:470:e0d4::e9
Connecting to downloads.asterisk.org|76.164.171.233|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1784830 (1.7M) [application/x-gzip]
Saving to: “asterisk-core-sounds-en-gsm-1.4.19.tar.gz”

100%[======================================>] 1,784,830    431K/s   in 5.2s

2010-06-04 00:41:12 (335 KB/s) - “asterisk-core-sounds-en-gsm-1.4.19.tar.gz” saved [1784830/1784830]
[...]
if [ -f contrib/firmware/iax/iaxy.bin ] ; then 
		/usr/bin/install -c -m 644 contrib/firmware/iax/iaxy.bin /var/lib/asterisk/firmware/iax/iaxy.bin; 
	fi
 +---- Asterisk Installation Complete -------+
 +                                           +
 +    YOU MUST READ THE SECURITY DOCUMENT    +
 +                                           +
 + Asterisk has successfully been installed. +
 + If you would like to install the sample   +
 + configuration files (overwriting any      +
 + existing config files), run:              +
 +                                           +
 +                make samples               +
 +                                           +
 +-----------------  or ---------------------+
 +                                           +
 + You can go ahead and install the asterisk +
 + program documentation now or later run:   +
 +                                           +
 +               make progdocs               +
 +                                           +
 + **Note** This requires that you have      +
 + doxygen installed on your local system    +
 +-------------------------------------------+

… and install the sample configuration

[email protected]:/usr/src/srtp_reboot# make samples
Installing adsi config files...
Installing configs/asterisk.adsi
[...]
Installing file phoneprov/polycom_line.xml
Installing file phoneprov/polycom.xml

At this point we have Asterisk with sRTP installed on our system; it's time to move on to the configuration part.


The configuration

First we need to configure the TLS part, which I won't re-explain here as there is already a post dedicated to it – http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/.

Note that if you're installing this sRTP version for a test lab (most probably the case, as it's a dev release), remember to set the certificate's common name (Common Name (eg, YOUR name)) to the IP address of your server if you don't have DNS for it. I really mean DNS: the hosts file is not enough, because clients such as Bria do a DNS lookup even if the name is in the hosts file:

[10-06-04]17:07:43.271 | MaxDetails | Resip | "RESIP:DNS:DNS query of:sip.remiphilippe.fr A" |
[10-06-04]17:07:43.271 | MaxDetails | Resip | "RESIP:DNS:sip.remiphilippe.fr not cached. Doing external dns lookup" |

At this point you should have a fully configured Asterisk with SIP/TLS. Give it a try before going further; it won't be easy to debug otherwise.
Let's start Asterisk in debug mode: asterisk -vvvvvvvvvvvvvgc

[email protected]:/etc/asterisk# asterisk -vvvvvvvvvvvvvdg
Asterisk SVN-group-srtp_reboot-r267105-/trunk, Copyright (C) 1999 - 2010 Digium, Inc. and others.
Created by Mark Spencer <[email protected]>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
  == Parsing '/etc/asterisk/asterisk.conf': Parsing /etc/asterisk/asterisk.conf
  == Found
[...]
 res_srtp.so => (Secure RTP (SRTP))
[...]
SIP channel loading...
  == Parsing '/etc/asterisk/sip.conf':   == Found
  == Parsing '/etc/asterisk/users.conf':   == Found
  == SIP Listening on 0.0.0.0:5060
  == Using SIP CoS mark 4
SSL certificate ok
[...]
Asterisk Ready.
  == Parsing '/etc/asterisk/cli.conf':   == Found

Now let's register our client

    -- Registered SIP '100' at 10.211.55.2 port 36047
       > Saved useragent "Bria 3.0 release 3.0 stamp 56426" for peer 100
*CLI> sip show tcp
Host                           Port Transport   Type
10.211.55.2                    36047  TLS       Server

Ok, let's check our debug output to make sure we're doing TLS

<--- SIP read from TLS:10.211.55.2:55055 --->
REGISTER sip:10.211.55.4 SIP/2.0
Via: SIP/2.0/TLS 10.211.55.2:58051;branch=z9hG4bK-d8754z-8c7a7b6f523c870e-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:58051;rinstance=103b7e45304feaf6;transport=TLS>
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=3c562a2e
Call-ID: YjgyMWU2YjAxZmQwZjNkMTFiZGE3NGQwYmI3MjUzOTc.
CSeq: 2 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: Bria 3.0 release 3.0 stamp 56426
Authorization: Digest username="100", realm="asterisk", nonce="1860f498", uri="sip:10.211.55.4", response="0659c192b0e2c243693bb3c8725c4d3f", algorithm=MD5
Content-Length: 0

Everything looks good: we have a registered client and it's using TLS. We can now configure the sRTP part.

First step, we need to enable the sRTP capability for our client. This is done in the sip.conf file: add the srtpcapable option to your user

[100]
srtpcapable=yes

and configure the dialplan to support sRTP if the client requests it

exten => 9999,1,Set(_SIP_SRTP_SDES=optional)
exten => 9999,n,VoiceMailMain(@home)

Reload everything and voilà! You have a nice Asterisk supporting sRTP!

Let's check it all

To check this, let's make a call and see if it triggers our extension configuration

    -- Executing [[email protected]:1] Set("SIP/100-00000000", "_SIP_SRTP_SDES=optional") in new stack
    -- Executing [[email protected]:2] VoiceMailMain("SIP/100-00000000", "@home") in new stack

Looks ok. Before finishing I thought it would be interesting to show the difference between an sRTP stream and a normal RTP stream using our debug output.
Here is the SDP for a normal RTP stream

<--- SIP read from TLS:10.211.55.2:55055 --->
INVITE sip:[email protected];transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.211.55.2:58051;branch=z9hG4bK-d8754z-15fce51cf5c8c222-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:58051;transport=TLS>
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=99b97049
Call-ID: ODQwYmQ5MjMzMzE0MzE1Mzc2ZTcyZWZiNGQ1NTQzOWU.
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: Bria 3.0 release 3.0 stamp 56426
Authorization: Digest username="100",realm="asterisk",nonce="0ab8377e",uri="sip:[email protected];transport=tls",response="f5dd156275466e6ac5fa0b7721a4e88c",algorithm=MD5
Content-Length: 352

v=0
o=- 1275670294208647 1275670294208647 IN IP4 10.211.55.2
s=
c=IN IP4 10.211.55.2
t=0 0
m=audio 61048 RTP/AVP 0 8 9 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=candidate:1 1 UDP 659136 10.211.55.2 61048 typ host
a=candidate:1 2 UDP 659134 10.211.55.2 61049 typ host

And the same one for an sRTP stream

<--- SIP read from TLS:10.211.55.2:55084 --->
INVITE sip:[email protected];transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.211.55.2:32989;branch=z9hG4bK-d8754z-7a550347b4d31e7f-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:32989;transport=TLS>
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=1f431703
Call-ID: NmYyNDFjNTc0MTNkNTcyMjg3OGEwZDEyNmY0OGYwZTA.
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: Bria 3.0 release 3.0 stamp 56426
Authorization: Digest username="100",realm="asterisk",nonce="150b64c6",uri="sip:[email protected];transport=tls",response="00eb91399903c91fb261e8bed251a088",algorithm=MD5
Content-Length: 521

v=0
o=- 1275670566379551 1275670566379551 IN IP4 10.211.55.2
s=
c=IN IP4 10.211.55.2
t=0 0
m=audio 56014 RTP/SAVP 0 8 9 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/
a=sendrecv
a=candidate:1 1 UDP 659136 10.211.55.2 56014 typ host
a=candidate:1 2 UDP 659134 10.211.55.2 56015 typ host

This is what tells us we have a secure stream

m=audio 56014 RTP/SAVP 0 8 9 18 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/

The audio media line changed from RTP/AVP to RTP/SAVP and we have the a=crypto lines. Note that those a=crypto lines carry the SRTP master key inline in the SDP, which is why the SIP/TLS setup came first: without TLS the key would cross the network in clear along with the signaling.
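The two checks made by hand above (is the signaling coming in over TLS, and does the SDP offer RTP/SAVP with crypto lines?) can be automated. The following is an added example written for this post; it is not code from Asterisk or from the srtp_reboot branch. It splits a debug capture on the "<--- SIP read from TLS:ip:port --->" separators, and for each INVITE reports the transport, the media profile of every m= line, and whether each a=crypto line carries a well-formed SDES key (the inline value must decode to the 30-byte master key plus salt that the AES_CM_128 suites use, per RFC 4568). The sample capture is constructed: it reuses the two SDP offers from the post behind abbreviated, made-up SIP headers, and adds a made-up third INVITE over UDP to show the case a deployment must avoid, an SRTP offer whose key is sent over unencrypted signaling.

```python
"""Audit an Asterisk SIP debug capture for signaling and media security (added example)."""
import base64
import binascii
import re

# Master key + salt length in bytes for the SDES suites in the post's capture
# (RFC 4568: 128-bit AES-CM key + 112-bit salt = 30 bytes).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

# Separator Asterisk prints before each received message in the debug output.
HEADER_RE = re.compile(r"^<--- SIP read from ([A-Za-z]+):([\d.]+):(\d+) --->$", re.M)

def split_capture(capture):
    """Yield (transport, source, message_text) for each message in the capture."""
    parts = HEADER_RE.split(capture.replace("\r\n", "\n"))
    for i in range(1, len(parts), 4):  # [preamble, transport, ip, port, text, ...]
        transport, ip, port, text = parts[i:i + 4]
        yield transport.upper(), f"{ip}:{port}", text.strip()

def parse_crypto(line):
    """Parse 'a=crypto:<tag> <suite> inline:<key>[|...]' into (suite, problems)."""
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3 or not fields[2].startswith("inline:"):
        return None, ["malformed a=crypto line"]
    suite = fields[1]
    key_b64 = fields[2][len("inline:"):].split("|")[0]  # drop lifetime / MKI
    expected = SUITE_KEY_LEN.get(suite)
    if expected is None:
        return suite, [f"unknown crypto suite {suite}"]
    try:
        key = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        key = b""  # not base64 at all; reported below as a wrong length
    if len(key) != expected:
        return suite, [f"{suite}: key+salt is {len(key)} bytes, expected {expected}"]
    return suite, []

def parse_sdp(body):
    """Return one dict per m= line: transport profile, accepted suites, problems."""
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            media.append({"profile": line.split()[2], "suites": [], "problems": []})
        elif line.startswith("a=crypto:") and media:
            suite, problems = parse_crypto(line)
            if suite and not problems:
                media[-1]["suites"].append(suite)
            media[-1]["problems"].extend(problems)
    return media

def audit_capture(capture):
    """Classify every INVITE in the capture; returns one finding dict per INVITE."""
    findings = []
    for transport, source, text in split_capture(capture):
        if text.split(None, 1)[0] != "INVITE":
            continue
        head, _, body = text.partition("\n\n")
        media = parse_sdp(body) if "application/sdp" in head else []
        # Media counts as secure only if every m= line is RTP/SAVP with a good key.
        media_secure = bool(media) and all(
            m["profile"] == "RTP/SAVP" and m["suites"] and not m["problems"]
            for m in media)
        problems = [p for m in media for p in m["problems"]]
        if transport != "TLS":
            # SDES puts the SRTP master key inside the SDP, so non-TLS signaling
            # exposes it even though the media packets themselves are encrypted.
            problems.append(f"signaling over {transport}: SDES key sent in clear")
        findings.append({"source": source, "transport": transport,
                         "profiles": [m["profile"] for m in media],
                         "media_secure": media_secure,
                         "secure": transport == "TLS" and media_secure,
                         "problems": problems})
    return findings

# Constructed sample: the post's two SDP offers behind abbreviated, made-up SIP headers,
# plus a made-up third INVITE over UDP that offers SRTP but leaks its SDES key.
SAMPLE_CAPTURE = """\
<--- SIP read from TLS:10.211.55.2:55055 --->
INVITE sip:9999@10.211.55.4;transport=tls SIP/2.0
Content-Type: application/sdp

m=audio 61048 RTP/AVP 0 8 9 18 101

<--- SIP read from TLS:10.211.55.2:55084 --->
INVITE sip:9999@10.211.55.4;transport=tls SIP/2.0
Content-Type: application/sdp

m=audio 56014 RTP/SAVP 0 8 9 18 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/

<--- SIP read from UDP:10.211.55.9:5060 --->
INVITE sip:9999@10.211.55.4 SIP/2.0
Content-Type: application/sdp

m=audio 40000 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qYhDNlPWGIjj7OyEVY1bz/C2zrrGUdbEvq/eP0X/
"""
```

Run audit_capture(SAMPLE_CAPTURE) and the first INVITE comes back with profile RTP/AVP and media_secure false (plain RTP, as in the first capture above), the second is secure on both counts, and the third has a valid SRTP offer but is flagged because it arrived over UDP. With "sip set debug" output saved to a file, feeding its contents to audit_capture gives the same report for a real system.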

Now let's use Wireshark to sniff the network and look at our voice packets … Is it encrypted? Check it out for yourself!

Audio: Encrypted sRTP Stream – http://remi.wpengine.com/wp-content/uploads/2010/06/sRTP-Stream.mp3

11 Replies to "Asterisk sRTP installation and configuration"

  • Florian
    July 29, 2010 (20:43)

    Hi, interesting article. Any ideas how to make srtp work with asterisk 1.8? Looks like this is not the same syntax in the dial-plan.
    Cheers

    • rephilip
      July 31, 2010 (09:48)

      Hi Florian, I didn't have the time to give 1.8 a try. I'll do it next week and keep you posted.

      • Remi Philippe
        January 12, 2011 (14:02)

        Hey there,
        I finally tried Asterisk 1.8 and redid the installation. I'll post an article on how I made it work, but most of it is the same as in this article.

        I'll post the update this week!

        Rémi

        • Hiago Souza
          October 25, 2013 (12:28)

          Hello Remi, could you send me an email so I can ask you some questions about Asterisk?

  • Markus
    August 9, 2010 (16:40)

    Hey Remi, nice article. I hope you can help me. I have the 1.6 version of Asterisk. I have to configure Asterisk with srtp support, but the svn checkout http://svn.asterisk.org/svn/asterisk/team/group/s… doesn't exist. srtp is now in trunk. Are there any possibilities to do this with 1.6, or is it better to upgrade (1.8)?
    thanks a lot
    best regards,
    markus

  • Crystal
    August 24, 2010 (15:38)

    Hi, thanks to your nice article I could configure TLS successfully. Now I am trying to make SRTP work, but when I try to use the svn command to check out the repository, I find the srtp_reboot directory is missing from the http://svn.asterisk.org/svn/asterisk/team/group directory. It seems srtp_reboot was deleted in the latest revision…
    Can you help me with this? Thanks a lot!

  • Remi Philippe | Asterisk sRTP with 1.8
    January 16, 2011 (13:18)

    […] a previous article I explained how to configure Asterisk with sRTP, but using a development version at the time. Since […]

  • pip
    February 7, 2011 (13:23)

    I'm trying to use Wireshark to sniff the network and to check out if the packets are encrypted but I don't know how to find if the payload is encrypted.
    I was trying to do so with this:

    "One way to verify this is by making a call between two MOC 2007 clients and one end presses a number (say 1) in the MOC UI. Using RFC 4733 you can know the RTP payload format (i.e., DTMF) for the digit you have pressed. If the data is encrypted via SRTP then you will see that the RTP payload for DTMF (RTP payload in RTP header is generally 101) is very different from what you should be expecting from RFC 4733. This is because the payload is encrypted. Please note that MOC does not playback the DTMF (so do not expect this to be played back to the receiver)."

    and the difference that I found is that I've got lots of rtp events with "ID event Unknown".

    Thanks for everything and congratulations on your very useful blog!!

