[asterisk-bugs] [JIRA] (ASTERISK-17899) [patch] Adds a 'ignorecryptolifetime' (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional 'lifetime'

Olle Johansson (JIRA) noreply at issues.asterisk.org
Thu Sep 5 03:43:03 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-17899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209932#comment-209932 ] 

Olle Johansson commented on ASTERISK-17899:
-------------------------------------------

Ok, I have done plenty of research and talked with friends in the IETF. Here's the outcome: The crypto key attributes are declarative, and not part of a negotiation. This means that if the other part sends us a lifetime and/or a MKI index we need to follow that when sending to them. 
We do NOT have to send the attributes ourselves and the defaults will apply.

Just ignoring it is not a good option, hanging up is very bad. I believe we have packet counters in the RTP stack so that we can honour the lifetime if needed. The quick-and-dirty fix is just to accept anything above a certain threshold and hope that the other side will re-invite before that happens and give us a new key.

I would consider this code a bug in 1.8 that we need to fix in all maintained versions of Asterisk.
                
> [patch] Adds a 'ignorecryptolifetime' (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional 'lifetime'
> ------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-17899
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-17899
>             Project: Asterisk
>          Issue Type: New Feature
>          Components: Channels/chan_sip/NewFeature
>            Reporter: Dwayne Hubbard
>         Attachments: dw-ignore-crypto-lifetime-1.8.4.patch, dw-ignore-crypto-lifetime-trunk-r320171.patch
>
>
> This functionality is disabled by default, but when enabled it will tell Asterisk to ignore the crypto lifetime key component if one is specified.  Using this option I was able to successfully make TLS/SRTP calls to the Sangoma Express Gateway.  This patch would not be necessary if the Sangoma Express Gateway provided an option to disable the lifetime specification; but it appears that it does not.
> Without this patch, any SRTP offers that specify the optional lifetime key component will fail.
> This patch was also tested by Ryan Mayer (mantis user: 'hidden').  Thanks Ryan!
> ****** ADDITIONAL INFORMATION ******
> Here is a sample sip.conf entry:
> [guyute]
> host=5.6.7.8
> transport=tls
> encryption=yes
> ignorecryptolifetime=yes
> port=5061
> type=peer
> disallow=all
> allow=ulaw
> dtmfmode=rfc2833
> reinvite=no
> canreinvite=no
> context=default
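
Added illustration (not code from the attached patches, the issue, or Asterisk): one way to parse the RFC 4568 `a=crypto` key-params so that a declared lifetime and MKI are recorded and the lifetime is honoured with a packet counter, rather than failing the offer or ignoring the value. The struct, the function names and the sample strings in the test are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIFETIME (1ULL << 48) /* RFC 4568 default/maximum SRTP packets per master key */

struct sdes_key {              /* hypothetical type, not Asterisk's */
    size_t key_len;            /* length of the base64 key||salt (not decoded here) */
    uint64_t lifetime;         /* packets this master key may protect */
    unsigned long long mki;    /* MKI value, meaningful only if mki_len > 0 */
    unsigned long mki_len;     /* MKI length in bytes, 0 = no MKI declared */
};

/* Parse "inline:<key||salt>[|lifetime][|MKI:length]". Returns 0, or -1 if malformed. */
int parse_key_params(const char *kp, struct sdes_key *out)
{
    const char *p;
    char *end;

    if (strncmp(kp, "inline:", 7) != 0) return -1;
    kp += 7;
    out->key_len = strcspn(kp, "|");
    out->lifetime = MAX_LIFETIME;           /* nothing declared: the default applies */
    out->mki = out->mki_len = 0;
    if (out->key_len == 0) return -1;
    for (p = kp + out->key_len; *p == '|'; p = end) {
        p++;
        int pow2 = strncmp(p, "2^", 2) == 0;
        if (pow2) p += 2;
        if (!isdigit((unsigned char)*p)) return -1;
        unsigned long long v = strtoull(p, &end, 10);
        if (*end == ':') {                  /* MKI:length, length is 1..128 bytes */
            if (pow2 || !isdigit((unsigned char)end[1])) return -1;
            out->mki = v;
            out->mki_len = strtoul(end + 1, &end, 10);
            if (out->mki_len < 1 || out->mki_len > 128) return -1;
        } else {                            /* lifetime: decimal or 2^n, n <= 48 */
            if (pow2 ? v > 48 : (v < 1 || v > MAX_LIFETIME)) return -1;
            out->lifetime = pow2 ? 1ULL << v : v;
        }
    }
    return *p == '\0' ? 0 : -1;             /* trailing junk is malformed */
}

/* Sender-side gate: stop using the key once the peer's declared lifetime is spent. */
int key_usable(const struct sdes_key *k, uint64_t packets_sent)
{
    return packets_sent < k->lifetime;
}
```

When `key_usable()` turns false the sender needs a fresh key (for example via a re-INVITE) before protecting further packets with this one.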
