Asterisk sRTP with 1.8

Posted on January 16, 2011

In a previous article I explained how to configure Asterisk  sRTP support, but using a development version at the time. Since Asterisk 1.8 there is a native support for sRTP, so no need to have some development version.

Moving from development to 1.8 a few things changed in the configuration (not much), here is a quick update

Step 1: Pre-Requisites

On the sRTP side we still need the libraries (which can be found here) otherwise you will see …

checking for mandatory modules:  CRYPTO MYSQLCLIENT SRTP OPENSSL... fail

configure: ***
configure: *** The SRTP installation appears to be missing or broken.
configure: *** Either correct the installation, or run configure
configure: *** including --without-srtp.

Refer to the sRTP on Asterisk article for how to set this up.

If you plan to include MySQL support on debian, don’t forget to install the libmysqlclient-dev

toera-g-sip1:/sw/src/asterisk-1.8.1.1# apt-get install libmysqlclient15-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libmysqlclient15-dev
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Step 2: Configuring the binaries

First of all lets configure the binaries, here is the command I used

toera-g-sip1:/sw/src/asterisk-1.8.1.1# ./configure --prefix=/sw/asterisk-1.8.1.1 --with-crypto --with-ssl --with-mysqlclient --with-srtp

The options are self explanatory, –with-crypto, –with-ssl are for the TLS part, –with-srtp for the … sRTP part and finally –with mysqlclient is for the MySQL support (not required by sRTP or TLS, but used for CDR).

Once this is done, run make menuconfig to enable the TLS and sRTP modules (see the original article for details on that).

Step 3: Configuration part

Here are some changes, first the option in the sip.conf file is not anymore

srtpcapable=yes

but

encryption=yes

Second the dial plan part in the extensions.conf file is not

exten => 9999,1,Set(_SIP_SRTP_SDES=optional)

but

exten => 9999,1,Set(_SIP_SRTP_SDES=1)
exten => 9999,2,Set(_SIPSRTP=1)
exten => 9999,3,Set(_SIPSRTP_CRYPTO=enable)

And basically that’s the only changes there are compared to the development version. As usual you can check if it’s working through a sip set debug on :

<--- SIP read from TLS:85.xxx.xxx.xxx:55660 --->
INVITE sip:[email protected];transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.0.17:46679;branch=z9hG4bK-d8754z-a51806220748b135-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:55660;transport=TLS>
To: "01xxxxxxxx"<sip:[email protected]>
From: "Remi"<sip:[email protected]>;tag=bd9bb73d
Call-ID: ZTE0ZTdiODBhYTA0MDQ2ZjYwNDZlMTAyYTM0Y2ViZmQ.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: Bria 3 release 3.1 stamp 58312
Content-Length: 593

v=0
o=- 1295179812598219 1 IN IP4 192.168.0.17
s=Counterpath Bria 3.1
c=IN IP4 192.168.0.17
t=0 0
a=ice-ufrag:4de55c
a=ice-pwd:d96683ec023786e73ca78e87d0383765
m=audio 53080 RTP/SAVP 9 0 8 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2aHmG4LMIzu51D93lMPZpr5HCPuSgsmDpgM4siEz
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:2aHmG4LMIzu51D93lMPZpr5HCPuSgsmDpgM4siEz
a=sendrecv
a=candidate:1 1 UDP 659136 192.168.0.17 53080 typ host
a=candidate:1 2 UDP 659134 192.168.0.17 53081 typ host
<------------->

Here we are!

8 Replies to "Asterisk sRTP with 1.8"

  • Enjoooy
    January 20, 2011 (14:01)
    Reply

    Thanks for the information! It has been very useful for me!
    Have you tried this configuration with a softphone on linux? I've been looking for softphones available for linux with TLS and SRTP but I only found sflphone and I couldn't make the security setting.
    Again, thank you very much for the help with the Asterisk world.

  • John
    January 31, 2011 (18:37)
    Reply

    Hi Remi,

    Great article! I have a couple questions, if you have a moment to explain.

    Does your SIP provider need to support SRTP on some level, or is is strictly handled through the Asterisk environment?

    What if any other prerequisites(other than the ones listed above) need to exist in order to have SRTP function properly?

    Regards,
    John

    • Remi Philippe
      May 5, 2011 (12:10)
      Reply

      Hi John,
      >Does your SIP provider need to support SRTP on some level, or is is strictly handled through the Asterisk environment?
      It really depends where you want to handle the encryption. If the encryption is between the client and the Asterisk then you don't need any support from the ITSP. If you want to encrypt communications between your Asterisk & the ITSP then yes he needs to support it.

      >What if any other prerequisites(other than the ones listed above) need to exist in order to have SRTP function properly?
      To my knowledge I listed all the prerequisites, that's how I setup up in my environment "from scratch" and it's working great!

      Rémi

  • alex
    May 14, 2011 (12:14)
    Reply

    Hi Remi,

    Thanks for sharing your Asterisk/SRTP knowledge. I’ve seen in your previous article, that you can replay the encrypted conversation with Wireshark. I am trying to do the same, but it doesn’t detect the srtp stream. How did you do that ?

    Regards.

  • j.ela
    June 17, 2011 (12:24)
    Reply

    Hi Mr Remi

    first thank you a lot for this great article .
    please where exaclty i must added this lines
    1 exten => 9999,1,Set(_SIP_SRTP_SDES=1)

    2 exten => 9999,2,Set(_SIPSRTP=1)

    3 exten => 9999,3,Set(_SIPSRTP_CRYPTO=enable)
    thank u and have a great day

  • newbie
    October 25, 2012 (08:28)
    Reply

    hi i set as per you blog. But when i call from jitsi my asterisk server getting shutdown. any help

    TLS is working fine once please check http://stackoverflow.com/questions/13061369/confi

    i posted my question here

  • Raiden
    March 14, 2013 (18:45)
    Reply

    Hi Remi, could you recommend me some softphones able to work with Asterisk and SRTP protocol?I tried to use Blink and Jitsi but SRTP didn't work with these clients. Blink established SRTP connection but i heard only noise. Jitsi didn't establish SRTP connection and I got in Asterisk console this output: "WARNING[1491]: chan_sip.c:9588 process_sdp: Rejecting secure video stream without encryption details: video 5014 RTP/SAVP 104 99". I enabled SRTP on both clients and also on Asterisk – following your Article on this web site. Do you have any idea how to fix it?

  • angga
    September 19, 2013 (16:31)
    Reply

    i have a noise problem when calling with srtp what should i do master?

Got something to say?

Some html is OK