Asterisk sRTP with 1.8
Posted on January 16, 2011
In a previous article I explained how to configure Asterisk sRTP support, but that used a development version available at the time. Since Asterisk 1.8 there is native support for sRTP, so a development version is no longer needed.
Moving from the development version to 1.8, a few things changed in the configuration (not much); here is a quick update.
Step 1: Pre-Requisites
On the sRTP side we still need the libraries (which can be found here) otherwise you will see …
checking for mandatory modules: CRYPTO MYSQLCLIENT SRTP OPENSSL... fail
configure: ***
configure: *** The SRTP installation appears to be missing or broken.
configure: *** Either correct the installation, or run configure
configure: *** including --without-srtp.
Refer to the sRTP on Asterisk article for how to set this up.
If you plan to include MySQL support on Debian, don't forget to install the libmysqlclient-dev package:
toera-g-sip1:/sw/src/asterisk-1.8.1.1# apt-get install libmysqlclient15-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libmysqlclient15-dev
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Step 2: Configuring the binaries
First of all, let's configure the binaries. Here is the command I used:
toera-g-sip1:/sw/src/asterisk-1.8.1.1# ./configure --prefix=/sw/asterisk-1.8.1.1 --with-crypto --with-ssl --with-mysqlclient --with-srtp
The options are self-explanatory: --with-crypto and --with-ssl are for the TLS part, --with-srtp is for the … sRTP part, and finally --with-mysqlclient is for MySQL support (not required by sRTP or TLS, but used for CDR).
Once this is done, run make menuconfig to enable the TLS and sRTP modules (see the original article for details on that).
Step 3: Configuration part
Here are the changes. First, the option in the sip.conf file is no longer
srtpcapable=yes
but
encryption=yes
Second, the dialplan part in the extensions.conf file is no longer
exten => 9999,1,Set(_SIP_SRTP_SDES=optional)
but
exten => 9999,1,Set(_SIP_SRTP_SDES=1)
exten => 9999,2,Set(_SIPSRTP=1)
exten => 9999,3,Set(_SIPSRTP_CRYPTO=enable)
Those are basically the only changes compared to the development version. As usual, you can check whether it is working with sip set debug on:
<--- SIP read from TLS:85.xxx.xxx.xxx:55660 --->
INVITE sip:[email protected];transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.0.17:46679;branch=z9hG4bK-d8754z-a51806220748b135-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:55660;transport=TLS>
To: "01xxxxxxxx"<sip:[email protected]>
From: "Remi"<sip:[email protected]>;tag=bd9bb73d
Call-ID: ZTE0ZTdiODBhYTA0MDQ2ZjYwNDZlMTAyYTM0Y2ViZmQ.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: Bria 3 release 3.1 stamp 58312
Content-Length: 593

v=0
o=- 1295179812598219 1 IN IP4 192.168.0.17
s=Counterpath Bria 3.1
c=IN IP4 192.168.0.17
t=0 0
a=ice-ufrag:4de55c
a=ice-pwd:d96683ec023786e73ca78e87d0383765
m=audio 53080 RTP/SAVP 9 0 8 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:2aHmG4LMIzu51D93lMPZpr5HCPuSgsmDpgM4siEz
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:2aHmG4LMIzu51D93lMPZpr5HCPuSgsmDpgM4siEz
a=sendrecv
a=candidate:1 1 UDP 659136 192.168.0.17 53080 typ host
a=candidate:1 2 UDP 659134 192.168.0.17 53081 typ host
<------------->
Here we are!
Enjoooy
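The check done by eye on the sip set debug trace above can be scripted. The following is an added example, not part of the original post or of Asterisk: it confirms the signalling hop is TLS (the SDES key sits in the SDP, so it is only as private as the signalling) and that each RTP/SAVP media line carries an a=crypto attribute. The function name audit_invite, the status strings and the sample message are assumptions made for this illustration.

```python
import re

# Constructed sample in the shape of the trace above; addresses and key are placeholders.
SAMPLE_INVITE = """\
INVITE sip:9999@pbx.example.invalid;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.0.2.17:46679;rport
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.17
m=audio 53080 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERK
a=sendrecv
m=video 5014 RTP/SAVP 104 99
a=sendrecv
"""

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:\S+")

def audit_invite(message):
    """Return (signalling_is_tls, media) for one SIP message carrying an SDP body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    via = [l for l in head.split("\n") if l.lower().startswith("via:")]
    # The topmost Via names the transport this hop used; SDES keys need it to be TLS.
    tls = bool(via) and via[0].split(":", 1)[1].strip().upper().startswith("SIP/2.0/TLS")
    media = []
    for line in body.split("\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "proto": proto, "suites": []})
        elif media:
            found = CRYPTO_RE.match(line)
            if found:
                media[-1]["suites"].append(found.group(2))
    for entry in media:
        secure = entry["proto"].startswith("RTP/SAVP")
        if secure and entry["suites"]:
            entry["status"] = "srtp-offered"
        elif secure:
            # Secure profile but no key material: the "without encryption details" case.
            entry["status"] = "savp-without-crypto"
        else:
            entry["status"] = "plain-rtp"
    return tls, media

if __name__ == "__main__":
    print(audit_invite(SAMPLE_INVITE))
```

An audio stream reported as plain-rtp, or a TLS result of False, means the call is not protected end to end on that hop even if encryption=yes is set on the peer.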
January 20, 2011 (14:01)
Thanks for the information! It has been very useful for me!
Have you tried this configuration with a softphone on Linux? I've been looking for softphones available for Linux with TLS and SRTP but I only found sflphone and I couldn't make the security setting.
Again, thank you very much for the help with the Asterisk world.
John
January 31, 2011 (18:37)
Hi Remi,
Great article! I have a couple questions, if you have a moment to explain.
Does your SIP provider need to support SRTP on some level, or is it strictly handled through the Asterisk environment?
What, if any, other prerequisites (other than the ones listed above) need to exist in order to have SRTP function properly?
Regards,
John
Remi Philippe
May 5, 2011 (12:10)
Hi John,
>Does your SIP provider need to support SRTP on some level, or is it strictly handled through the Asterisk environment?
It really depends where you want to handle the encryption. If the encryption is between the client and the Asterisk then you don't need any support from the ITSP. If you want to encrypt communications between your Asterisk & the ITSP then yes he needs to support it.
>What, if any, other prerequisites (other than the ones listed above) need to exist in order to have SRTP function properly?
To my knowledge I listed all the prerequisites, that's how I set up my environment "from scratch" and it's working great!
Rémi
alex
May 14, 2011 (12:14)
Hi Remi,
Thanks for sharing your Asterisk/SRTP knowledge. I've seen in your previous article that you can replay the encrypted conversation with Wireshark. I am trying to do the same, but it doesn't detect the SRTP stream. How did you do that?
Regards.
j.ela
June 17, 2011 (12:24)
Hi Mr Remi,
First, thank you a lot for this great article.
Please, where exactly must I add these lines?
exten => 9999,1,Set(_SIP_SRTP_SDES=1)
exten => 9999,2,Set(_SIPSRTP=1)
exten => 9999,3,Set(_SIPSRTP_CRYPTO=enable)
Thank you and have a great day.
newbie
October 25, 2012 (08:28)
Hi, I set it up as per your blog. But when I call from Jitsi my Asterisk server is getting shut down. Any help?
TLS is working fine. Once, please check http://stackoverflow.com/questions/13061369/confi…
I posted my question here.
Raiden
March 14, 2013 (18:45)
Hi Remi, could you recommend me some softphones able to work with Asterisk and the SRTP protocol? I tried to use Blink and Jitsi but SRTP didn't work with these clients. Blink established an SRTP connection but I heard only noise. Jitsi didn't establish an SRTP connection and I got this output in the Asterisk console: "WARNING[1491]: chan_sip.c:9588 process_sdp: Rejecting secure video stream without encryption details: video 5014 RTP/SAVP 104 99". I enabled SRTP on both clients and also on Asterisk, following your article on this web site. Do you have any idea how to fix it?
angga
September 19, 2013 (16:31)
I have a noise problem when calling with SRTP. What should I do, master?