[asterisk-bugs] [JIRA] (ASTERISK-27800) One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Tue Apr 17 13:10:50 CDT 2018


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=243056#comment-243056 ] 

Kevin Harwell commented on ASTERISK-27800:
------------------------------------------

[~artur.pires], thanks for checking that and confirming that is the problem.

Do note that that commit does not fix the issue, but removes the code that introduced the problem (plus a bunch of other code and patches if your Asterisk branch is checked out to that). So if you run off that older code you will be missing quite a number of recent patches. Your other option is to use chan_pjsip as the problem did not seem to present itself using that channel driver.

> One way audio when calling from Asterisk(sip trunk) to another number where both are connected to a SBC using TLS+SRTP
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-27800
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27800
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: .Release/Targets
>    Affects Versions: 15.3.0
>            Reporter: Artur Pires
>            Assignee: Artur Pires
>         Attachments: asterisk_logs.txt, asterisk_tcpdump.pcap, topology.jpg
>
>
> Hi,
> I'm doing some tests with Asterisk 15.3.0(Ip=10.9.0.94) connected to a SBC[which has two parties: SIP message(Ip=192.168.12.18 using TLS) and Media Message(Ip=192.168.12.192 using SRTP)] 
> For sip message works fine using TLS over TCP with the key generated on Asterisk and uploaded it to SBC(sip message). 
> So when I call from my extension(100 - Ip=10.8.15.45) connected to Asterisk to a number(4509615003) connected to SBC we have one way audio. 
> Basically SRTP connects to SBC media(Ip=192.168.12.192). Please see the attached picture
> It looks like Asterisk is using the wrong key to encrypt traffic when it's offered the SDP.
> By replaying a packet captured on SBC(media message - SRTP) and configuring a connection, it was discovered that using the key offered to Asterisk to decrypt the traffic actually worked. 
> According to RFC 4568, the key provided in the SDP is used to encrypt traffic generated by the provider of the SDP. 
> Hence, Asterisk device should use the key provides in the answer SDP to encrypt traffic but our tests show it's using the key generated by SBC(SIP message)
> Please let me know if you need further details about this issue,
> Remarks: 
> 1) Part of RFC 4568 which explains what I noticed(section 5.1.1) :
>    The crypto-suite always applies to media in the directions supported
>    by the media stream (e.g., send and receive).  The key(s), however,
>    apply to data packets (e.g., SRTP and SRTCP packets) that will be
>    sent by the same party that generated the SDP.  That is, each
>    endpoint determines its own transmission keys and sends those keys,
>    in SDP, to the other endpoint. 
>    The inline parameter conveys the SRTP master key used by an endpoint
>    to encrypt the SRTP and SRTCP streams transmitted by that endpoint.
>    The same key is used by the recipient to decrypt those streams.
>    However, the receiver MUST NOT use that same key for the SRTP or
>    SRTCP packets that it sends to the session because the default SRTP
>    cipher and mode is insecure when the master key is reused across
>    distinct SRTP streams.
> 2) Logs are attached
> Thanks,
> Artur



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list