[asterisk-dev] DTLS setting impacts encryption setting
Olle E. Johansson
oej at edvina.net
Wed Jan 29 02:17:23 CST 2014
On 28 Jan 2014, at 21:25, Daniel Pocock <daniel at pocock.com.au> wrote:
>
> This was on -users, but it appears all the DTLS discussion is on -dev so
> I'm reposting it...
>
>
> If I understand correctly, setting
>
> encryption=no
>
> means that Asterisk will make outgoing calls without encryption, but
> will be happy to accept incoming calls regardless of whether the caller
> wants encryption or not (that is how it has been working for me anyway)
>
> If encryption=yes, then Asterisk not only uses encryption for the
> outgoing calls but it will refuse to accept incoming calls unless they
> use encryption too.
>
> If I have
>
> encryption=no
> dtlsenable=yes
>
> the DTLS support works but Asterisk will no longer accept incoming calls
> using regular RTP/AVP. These messages appear in the console and the
> call is rejected with code 488:
>
> [Jan 28 11:08:42] WARNING[24673][C-00000009]: chan_sip.c:10496
> process_sdp: Processed DTLS [FALSE]
> [Jan 28 11:08:42] WARNING[24673][C-00000009]: chan_sip.c:10529
> process_sdp: We are requesting SRTP for audio, but they responded
> without it!
>
> I realise not everybody would set encryption=no in this situation, I'm
> simply trying to make it work for all possible callers to the
> SIP5060.net test numbers at http://www.sip5060.net/test-calls
>
> Is this a bug or is there some reason that DTLS-SRTP can't allow the
> older behavior to continue?
>
That seems to me like a bug. Please file a bug report in the issue tracker.
On the same note, I think in the light of the security discussions going on related
to pervasive monitoring we need to rethink a lot of the security concepts.
Previously I would say that we should not set up TLS connections without
being able to verify the certificate. That's no longer the way I think - but
we need to clearly separate verified sessions where we can trust the identity
of the other part with sessions where we just encrypt without having a verified
identity.
This will propably affect dialplans and configurations in new ways. We need to encourage
more encryption of media and signalling and separate that issue from authentication.
Now - my favorite question - what's a secure call?
/O
More information about the asterisk-dev
mailing list