[asterisk-bugs] [JIRA] (ASTERISK-27800) One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Tue Apr 17 13:10:50 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-27800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=243056#comment-243056 ]
Kevin Harwell commented on ASTERISK-27800:
------------------------------------------
[~artur.pires], thanks for checking that and confirming that is the problem.
Do note that that commit does not fix the issue, but removes the code that introduced the problem (plus a bunch of other code and patches if your Asterisk branch is checked out to that). So if you run off that older code you will be missing quite a number of recent patches. Your other option is to use chan_pjsip as the problem did not seem to present itself using that channel driver.
> One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-27800
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27800
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: .Release/Targets
> Affects Versions: 15.3.0
> Reporter: Artur Pires
> Assignee: Artur Pires
> Attachments: asterisk_logs.txt, asterisk_tcpdump.pcap, topology.jpg
>
>
> Hi,
> I'm doing some tests with Asterisk 15.3.0 (IP=10.9.0.94) connected to an SBC [which has two parties: SIP message (IP=192.168.12.18 using TLS) and media message (IP=192.168.12.192 using SRTP)].
> SIP messaging works fine using TLS over TCP, with the key generated on Asterisk and uploaded to the SBC (SIP message).
> So when I call from my extension (100 - IP=10.8.15.45) connected to Asterisk to a number (4509615003) connected to the SBC, we have one-way audio.
> Basically SRTP connects to SBC media (IP=192.168.12.192). Please see the attached picture.
> It looks like Asterisk is using the wrong key to encrypt traffic when it's offered the SDP.
> By replaying a packet captured on the SBC (media message - SRTP) and configuring a connection, it was discovered that using the key offered to Asterisk to decrypt the traffic actually worked.
> According to RFC 4568, the key provided in the SDP is used to encrypt traffic generated by the provider of the SDP.
> Hence, the Asterisk device should use the key provided in the answer SDP to encrypt traffic, but our tests show it's using the key generated by the SBC (SIP message).
> Please let me know if you need further details about this issue.
> Remarks:
> 1) Part of RFC 4568 which explains what I noticed (section 5.1.1):
> The crypto-suite always applies to media in the directions supported
> by the media stream (e.g., send and receive). The key(s), however,
> apply to data packets (e.g., SRTP and SRTCP packets) that will be
> sent by the same party that generated the SDP. That is, each
> endpoint determines its own transmission keys and sends those keys,
> in SDP, to the other endpoint.
> The inline parameter conveys the SRTP master key used by an endpoint
> to encrypt the SRTP and SRTCP streams transmitted by that endpoint.
> The same key is used by the recipient to decrypt those streams.
> However, the receiver MUST NOT use that same key for the SRTP or
> SRTCP packets that it sends to the session because the default SRTP
> cipher and mode is insecure when the master key is reused across
> distinct SRTP streams.
> 2) Logs are attached
> Thanks,
> Artur
--
This message was sent by Atlassian JIRA
(v6.2#6252)
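The key-direction rule from RFC 4568 section 5.1.1 quoted in the report, as an added example that is not part of the original message or of Asterisk's code: it parses the `a=crypto` lines of an offer/answer pair, works out which master key each side must encrypt with, and classifies a key observed in use. The SDP bodies, keys and function names are constructed for illustration; the key a side actually encrypts with is assumed to have been identified separately, for example by test-decrypting a captured packet as the reporter did.

```python
import base64
import re

# a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

# Constructed sample keys (16-byte key + 14-byte salt); not taken from the ticket.
KEY_A = base64.b64encode(bytes(range(30))).decode()
KEY_B = base64.b64encode(bytes(range(30, 60))).decode()
OFFER = f"m=audio 4000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_A}\r\n"
ANSWER = f"m=audio 5000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_B}\r\n"

def parse_crypto(sdp):
    """Return {tag: (suite, key_salt_bytes)} for every a=crypto line."""
    attrs = {}
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            attrs[int(m.group(1))] = (m.group(2), base64.b64decode(m.group(3)))
    return attrs

def transmit_keys(offer_sdp, answer_sdp):
    """Map each side to the master key it must encrypt with (RFC 4568, 5.1.1)."""
    offer, answer = parse_crypto(offer_sdp), parse_crypto(answer_sdp)
    if len(answer) != 1:
        raise ValueError("answer must select exactly one crypto attribute")
    tag, (suite, answer_key) = next(iter(answer.items()))
    if tag not in offer or offer[tag][0] != suite:
        raise ValueError("answer does not match any offered tag/suite")
    if offer[tag][1] == answer_key:
        raise ValueError("both sides advertise the same master key")
    return {"offerer": offer[tag][1], "answerer": answer_key}

def classify_tx_key(role, key_in_use, keys):
    """Classify the key a side encrypts with: ok, peer-key-reused or unknown."""
    peer = "answerer" if role == "offerer" else "offerer"
    if key_in_use == keys[role]:
        return "ok"
    if key_in_use == keys[peer]:
        return "peer-key-reused"  # sender encrypts with the key it should only decrypt with
    return "unknown"

if __name__ == "__main__":
    keys = transmit_keys(OFFER, ANSWER)
    print(classify_tx_key("offerer", keys["answerer"], keys))
```

A `peer-key-reused` result is the condition the RFC text forbids: the receiver decrypts with the key from the peer's SDP but must never send with it.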