[asterisk-bugs] [JIRA] (ASTERISK-20905) Asterisk 200OK offers RTP/AVP for video when it should be RTP/SAVP due to SRTP (encryption=yes) being enabled

Jonathan Rose (JIRA) noreply at issues.asterisk.org
Tue Apr 2 12:43:01 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=204865#comment-204865 ] 

Jonathan Rose commented on ASTERISK-20905:
------------------------------------------

Alright, so I've been poking around at this for most of the day and I've hit on a couple of amusing points in the process.

First, I've reproduced the problem in the description against 11.1.1 without TLS involved in the call. The requester starts the call with SRTP but not initially sending video, Asterisk responds with a 200 OK with RTP/SAVP for the audio, but RTP/AVP for the video. I've confirmed that the patch I wrote fixed that problem. Applying the patch made the OK Asterisk replied with use RTP/SAVP for the video as well.

Around the time I was writing these patches though, SVN 11 had developed a more general problem against RTP in general. This problem would cause numerous standard SRTP transmissions in Asterisk to not be unprotected and would result in noisy audio and just plain non-working video. This was fixed however by a patch written by Kinsey fairly recently (r384049). I don't know if that has anything to do with the problems seen in here, and I'm guessing not since I've been unable to reproduce the 'Can't provide secure video requested in SDP offer' message that Kristopher Lalletti mentioned in his last post. It does seem like a possible confounder though. Video calls that I have made after my original patch applied strictly against 11.1.1 (and not against SVN at that time since it had the white noise issue mentioned above) appear to work. Against the SVN revision where I applied this though, they don't work since the white noise problem fixed by r384049.

All of these observations though really just bring me back full circle. I don't know some critical details about the problem and I need both of you to clarify some very specific points for me.

1. Did video work with the unpatched 11.1.1 in spite of the offer for RTP/AVP in the OK? I imagine this is going to depend on the device. Jitsi in particular worked alright. According to its stream information, the video media was also being relayed as SRTP, but this might simply have been a consequence of how echo works (it would read encrypted frames and see garbage probably and then retransmit the garbage which would appear perfectly normal on the device that is already set up to decrypt it).

2. When you tested the patch, did you check 11 out from SVN or did you apply this particular patch to 11.1.1?

@Kristopher:
   As requested back in early March, I would really appreciate detailed logs for when you get the "chan_sip.c: Can't provide secure video requested in SDP offer" log message. This is somewhat troubling to me since I haven't been able to reproduce that part of the problem using the data provided by the first log. If you don't want to do the PCAP for some reason, I might be able to figure out where this problem is coming from without that.
                
> Asterisk 200OK offers RTP/AVP for video when it should be RTP/SAVP due to SRTP (encryption=yes) being enabled
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20905
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20905
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/SRTP
>    Affects Versions: 11.1.1
>         Environment: Linux 2.6.32-279.19.1.el6.i686 #1 SMP Wed Dec 19 04:30:58 UTC 2012 i686 i686 i386 GNU/Linux
>            Reporter: Kristopher Lalletti
>            Assignee: Kristopher Lalletti
>            Severity: Minor
>         Attachments: log.txt, rtp_crypto_video_text.diff
>
>
> In a context where the SIP endpoint enforces the use of SRTP via SIP TLS, we noticed that the requested video was RTP/SAVP, when Asterisk returned a video feed being RTP/AVP.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
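
A check for the symptom discussed in this ticket, as an added example that is not part of the original comment or of Asterisk's code: it pairs the m= lines of an SDP offer and answer by position and reports streams offered as RTP/SAVP but answered as RTP/AVP. The SDP bodies, key placeholder and function names are constructed for illustration, not taken from the ticket's log.txt.

```python
"""Flag SDP answers that drop SRTP on a stream the offer secured."""

# Constructed sample SDP bodies (assumptions, not from the ticket's attachments).
HEAD = "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY_PLACEHOLDER\n"
OFFER = HEAD + "m=audio 5004 RTP/SAVP 0\n" + CRYPTO + "m=video 5006 RTP/SAVP 99\n" + CRYPTO
# Answer shaped like the reported symptom: audio secured, video plain RTP.
ANSWER_UNPATCHED = HEAD + "m=audio 6004 RTP/SAVP 0\n" + CRYPTO + "m=video 6006 RTP/AVP 99\n"
# Answer shaped like the expected behaviour: both streams RTP/SAVP with a key.
ANSWER_PATCHED = HEAD + "m=audio 6004 RTP/SAVP 0\n" + CRYPTO + "m=video 6006 RTP/SAVP 99\n" + CRYPTO


def parse_media(sdp):
    """Return one dict per m= line, noting whether an a=crypto line follows it."""
    streams = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            streams.append({"kind": kind, "port": int(port.split("/")[0]),
                            "proto": proto, "crypto": False})
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["crypto"] = True  # media-level attribute of the last m= line
    return streams


def srtp_downgrades(offer, answer):
    """Compare offer and answer stream by stream (answers keep the offer's m= order)."""
    findings = []
    pairs = zip(parse_media(offer), parse_media(answer))
    for idx, (off, ans) in enumerate(pairs):
        if off["proto"] != "RTP/SAVP" or ans["port"] == 0:
            continue  # stream was not offered as SRTP, or was rejected with port 0
        if ans["proto"] != "RTP/SAVP":
            findings.append((idx, ans["kind"],
                             f"answered {ans['proto']} to an RTP/SAVP offer"))
        elif not ans["crypto"]:
            findings.append((idx, ans["kind"], "RTP/SAVP answer without a=crypto"))
    return findings


if __name__ == "__main__":
    for name, body in (("unpatched", ANSWER_UNPATCHED), ("patched", ANSWER_PATCHED)):
        print(name, srtp_downgrades(OFFER, body))
```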


