Why you can’t get SRTP encryption to work between Asterisk and your VoIP adapter or phone

Some recent versions of Asterisk (Asterisk 11 in particular) have built-in SRTP support of sorts. As Wikipedia notes,

The Secure Real-time Transport Protocol (or SRTP) defines a profile of RTP (Real-time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. It was developed by a small team of IP protocol and cryptographic experts from Cisco and Ericsson including David Oran, David McGrew, Mark Baugher, Mats Naslund, Elisabetta Carrara, James Black, Karl Norman, and Rolf Blom. It was first published by the IETF in March 2004 as RFC 3711.

In simple terms, SRTP encrypts the audio of your VoIP calls, making it much more difficult for anyone with a packet sniffer to listen in.

Let’s say you have an Android-based tablet and you are running CSipSimple. If you have configured it as an extension off your Asterisk 11 server, and you turn SRTP on in the security settings, you will likely find that outgoing calls work fine but incoming calls do not.  The reason is that you need to add one line to the extension’s configuration settings in Asterisk:

encryption=yes

If you are using FreePBX then it’s only a bit more complicated.  You’d need to add two lines to the /etc/asterisk/sip_custom_post.conf file:

[####](+)
encryption=yes

Replacing #### with the extension number. Once you have done this and reloaded Asterisk, it will only communicate with the endpoint using SRTP.

BUT there is one problem here.  With some other VoIP devices and softphones, once your have enabled SRTP, any attempt to place an outgoing call will not work.  And, if you watch the Asterisk CLI, you may see lines similar to this:

[2013-12-19 08:18:57] NOTICE[2949][C-000005e9]: sip/sdp_crypto.c:255 sdp_crypto_process: Crypto life time unsupported: crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6aV+PFYMnVJVUZuxug9EM5yefPnfOrNhHcKLSABE|2^20
[2013-12-19 08:18:57] NOTICE[2949][C-000005e9]: sip/sdp_crypto.c:265 sdp_crypto_process: SRTP crypto offer not acceptable
[2013-12-19 08:18:57] WARNING[2949][C-000005e9]: chan_sip.c:10454 process_sdp: Rejecting secure audio stream without encryption details: audio 17100 RTP/SAVP 0 8 18 104 101

The problem is that in Asterisk, “any SRTP offers that specify the optional lifetime key component will fail”, as is detailed in this submitted patch to Asterisk:

(ASTERISK-17899) [patch] Adds a ‘ignorecryptolifetime’ (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional ‘lifetime’

If if the device or softphone had a setting to disable sending the lifetime parameter, it probably would work. If users would go through the trouble of applying this patch to Asterisk, it would probably work, but many users either don’t know how to do that, or they are running a pre-built distribution and don’t want to or cannot tamper with it (also, any upgrades to Asterisk thereafter would require re-application of the patch). If Digium would apply this patch to Asterisk and push it out in upgrade releases, it probably would work. But for whatever reason, though this patch was first posted back in May of 2011, Digium has not seen fit to roll it into Asterisk.

So, this may very well be the reason, or at least one of the reasons, why you can’t get SRTP encryption to work between Asterisk and your VoIP adapter or phone! Basically, your VoIP device or softphone and Asterisk just don’t want to play nice with each other.

We’ve heard that some other varieties of PBX software, such as FreeSWITCH, might not have this issue, but since we don’t have a working FreeSWITCH installation at the moment we cannot comment on that.

1 thought on “Why you can’t get SRTP encryption to work between Asterisk and your VoIP adapter or phone

  1. I have one warning in Firefox:
    WARNING[16579][C-0000031c]: chan_sip.c:10512 process_sdp: Rejecting secure audio stream without encryption details: audio 58927 UDP/TLS/RTP/SAVPF 109 0 8 101
    and message in the browser: Not acceptable here.
    I can call via Chrome, but can’t via Firefox

    How can we solve this warning?
    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts

Recent Comments

Archives

Categories

Meta

GiottoPress by Enrique Chavez