[asterisk-dev] pjsip asterisk 13.24: sips / srtp and Deutsche Telekom doesn't work because of missing mediasec parameters

Andre Valentin avalentin at marcant.net
Mon Sep 2 16:25:34 CDT 2019


Hello Michael,

I just tested your patch with my tcom setup. I noticed that it works in most cases.
One case that leads to a failure is a reinvite because of a codec or connected line information change. Take a look:

Call starts:

INVITE sip:0191011 at tel.t-online.de SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj4a53b552-3d39-4ade-a237-d74fa3796ccd;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>
Contact: <sip:asterisk at 192.168.203.25:45061;transport=TLS>
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5805 INVITE
Route: <sip:tel.t-online.de:5061;lr>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 900
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Type: application/sdp
Content-Length:   397

v=0
o=- 1533927627 1533927627 IN IP4 192.168.203.25
s=Asterisk
c=IN IP4 192.168.203.25
t=0 0
m=audio 18592 RTP/SAVP 9 8 118 101
a=3ge2ae:requested
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:gDiOBggnpgMkoIGjO70QGjqOWVivyC/2PVWnpvuc
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:118 L16/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:70
a=sendrecv

SIP/2.0 407 Proxy Authentication Required 02035034C
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj4a53b552-3d39-4ade-a237-d74fa3796ccd;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_26ec170e041b473ae0da003e4b076bd6
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5805 INVITE
Content-Length: 0
Proxy-Authenticate: Digest nonce="3E0E0A0188866D5D00000000BEBAD149",realm="tel.t-online.de",algorithm=MD5,qop="auth",stale=true


<--- Transmitting SIP request (494 bytes) to TLS:217.0.21.3:5061 --->
ACK sip:0191011 at tel.t-online.de SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj4a53b552-3d39-4ade-a237-d74fa3796ccd;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_26ec170e041b473ae0da003e4b076bd6
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5805 ACK
Route: <sip:tel.t-online.de:5061;lr>
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Length:  0


<--- Transmitting SIP request (1565 bytes) to TLS:217.0.21.3:5061 --->
INVITE sip:0191011 at tel.t-online.de SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>
Contact: <sip:asterisk at 192.168.203.25:45061;transport=TLS>
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Route: <sip:tel.t-online.de:5061;lr>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 900
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Proxy-Authorization: Digest username="XXXXXXX at t-online.de", realm="tel.t-online.de", nonce="3E0E0A0188866D5D00000000BEBAD149", uri="sip:0191011 at tel.t-online.de",
response="05d8319847ebaf4dda81e1842f133b38", algorithm=MD5, cnonce="c094d37c-4c5c-4491-9abc-7c38943c6035", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length:   397

v=0
o=- 1533927627 1533927627 IN IP4 192.168.203.25
s=Asterisk
c=IN IP4 192.168.203.25
t=0 0
m=audio 18592 RTP/SAVP 9 8 118 101
a=3ge2ae:requested
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:gDiOBggnpgMkoIGjO70QGjqOWVivyC/2PVWnpvuc
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:118 L16/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:70
a=sendrecv

  == SRTP unprotect failed on SSRC 1439213300 because of unknown 10
  == SRTP unprotect failed on SSRC 1903821878 because of unknown 10
<--- Received SIP response (370 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
To: <sip:0191011 at tel.t-online.de>
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Content-Length: 0


<--- Received SIP response (1073 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 183 Session Progress
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Contact: <sip:sgc_c at 217.0.21.3:5061;transport=tls>
Record-Route: <sip:217.0.21.3:5061;transport=tls;lr>
P-Early-Media: sendonly
Require: 100rel
RSeq: 2
Supported: timer
Content-Type: application/sdp
Content-Length: 307
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE

v=0
o=- 469219287 2037999404 IN IP4 217.0.21.3
s=Basic Session
c=IN IP4 217.0.2.164
t=0 0
m=audio 38772 RTP/SAVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:lpS7sjUmhtELeK4LC7OJM7fPKU001RkoIpebLVfc

    -- PJSIP/tcom_trunk-00000013 is making progress passing it to PJSIP/495XXXXXXX_3-00000012
<--- Transmitting SIP request (564 bytes) to TLS:217.0.21.3:5061 --->
PRACK sip:sgc_c at 217.0.21.3:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj5d012bf4-1979-4424-9279-0118ba1b36ac;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5807 PRACK
Route: <sip:217.0.21.3:5061;transport=tls;lr>
RAck: 2 5806 INVITE
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Length:  0


    -- PJSIP/tcom_trunk-00000013 is making progress passing it to PJSIP/495XXXXXXX_3-00000012
<--- Received SIP response (543 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj5d012bf4-1979-4424-9279-0118ba1b36ac;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5807 PRACK
Content-Length: 0
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE


<--- Received SIP response (1073 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 183 Session Progress
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Contact: <sip:sgc_c at 217.0.21.3:5061;transport=tls>
Record-Route: <sip:217.0.21.3:5061;transport=tls;lr>
P-Early-Media: sendonly
Require: 100rel
RSeq: 3
Supported: timer
Content-Type: application/sdp
Content-Length: 307
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE

v=0
o=- 469219287 2037999404 IN IP4 217.0.21.3
s=Basic Session
c=IN IP4 217.0.2.164
t=0 0
m=audio 38772 RTP/SAVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:lpS7sjUmhtELeK4LC7OJM7fPKU001RkoIpebLVfc

    -- PJSIP/tcom_trunk-00000013 is making progress passing it to PJSIP/495XXXXXXX_3-00000012
<--- Transmitting SIP request (564 bytes) to TLS:217.0.21.3:5061 --->
PRACK sip:sgc_c at 217.0.21.3:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj341c7e9b-e071-437e-b6d5-186ebe64e751;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5808 PRACK
Route: <sip:217.0.21.3:5061;transport=tls;lr>
RAck: 3 5806 INVITE
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Length:  0


    -- PJSIP/tcom_trunk-00000013 is making progress passing it to PJSIP/495XXXXXXX_3-00000012
<--- Received SIP response (568 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj341c7e9b-e071-437e-b6d5-186ebe64e751;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5808 PRACK
P-Early-Media: sendonly
Content-Length: 0
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE


<--- Received SIP response (1064 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Contact: <sip:sgc_c at 217.0.21.3:5061;transport=tls>
Record-Route: <sip:217.0.21.3:5061;transport=tls;lr>
P-Early-Media: sendonly
Require: 100rel
RSeq: 4
Supported: timer
Content-Type: application/sdp
Content-Length: 307
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE

v=0
o=- 469219287 2037999404 IN IP4 217.0.21.3
s=Basic Session
c=IN IP4 217.0.2.164
t=0 0
m=audio 38772 RTP/SAVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:lpS7sjUmhtELeK4LC7OJM7fPKU001RkoIpebLVfc

<--- Transmitting SIP request (564 bytes) to TLS:217.0.21.3:5061 --->
PRACK sip:sgc_c at 217.0.21.3:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj0f7feb26-420b-4092-b601-3b6309a69b1a;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5809 PRACK
Route: <sip:217.0.21.3:5061;transport=tls;lr>
RAck: 4 5806 INVITE
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Length:  0


    -- PJSIP/tcom_trunk-00000013 is ringing
    -- PJSIP/tcom_trunk-00000013 is ringing
<--- Received SIP response (568 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0f7feb26-420b-4092-b601-3b6309a69b1a;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5809 PRACK
P-Early-Media: sendonly
Content-Length: 0
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE


<--- Received SIP response (1505 bytes) from TLS:217.0.21.3:5061 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.203.25:45061;received=217.231.62.116;rport=47041;branch=z9hG4bKPj0279a57e-ae56-43c0-ace1-80354e1970fb;alias
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 INVITE
Contact: <sip:sgc_c at 217.0.21.3:5061;transport=tls>;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"
Record-Route: <sip:217.0.21.3:5061;transport=tls;lr>
Session-Expires: 1800;refresher=uas
Supported: timer
Content-Type: application/sdp
Content-Length: 307
Session-ID: df5b736e4f5dc00ac50427c7f308f250
Authentication-Info: qop=auth,rspauth="ed2abb6c59fb682af89363337c0b06c7",cnonce="c094d37c-4c5c-4491-9abc-7c38943c6035",nc=00000001
Allow: REGISTER, REFER, NOTIFY, SUBSCRIBE, PRACK, UPDATE, PUBLISH, INFO, INVITE, ACK, OPTIONS, CANCEL, BYE
Accept: application/sdp
Accept: application/vnd.etsi.sci+xml
Accept: application/vnd.etsi.pstn+xml
Accept: multipart/mixed
Accept: application/vnd.telekom.service_indication+xml
Accept: application/vnd.etsi.cug+xml

v=0
o=- 469219287 2037999404 IN IP4 217.0.21.3
s=Basic Session
c=IN IP4 217.0.2.164
t=0 0
m=audio 38772 RTP/SAVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:lpS7sjUmhtELeK4LC7OJM7fPKU001RkoIpebLVfc

<--- Transmitting SIP request (539 bytes) to TLS:217.0.21.3:5061 --->
ACK sip:sgc_c at 217.0.21.3:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj8512d20f-14b4-4d55-8b18-83ee501e4276;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5806 ACK
Route: <sip:217.0.21.3:5061;transport=tls;lr>
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Length:  0


    -- PJSIP/tcom_trunk-00000013 answered PJSIP/495XXXXXXX_3-00000012
    -- Executing [s at dialbridge_redirect:1] Goto("PJSIP/495XXXXXXX_3-00000012", "dialbridge,s,1") in new stack
    -- Goto (dialbridge,s,1)
    -- Executing [s at dialbridge_redirect:2] Goto("PJSIP/tcom_trunk-00000013", "dialbridge,s,1") in new stack
    -- Goto (dialbridge,s,1)
    -- Executing [s at dialbridge:1] Log("PJSIP/tcom_trunk-00000013", "VERBOSE,Enforce trunk codec to phone, trunk side")
Enforce trunk codec to phone, trunk side
    -- Executing [s at dialbridge:1] Log("PJSIP/tcom_trunk-00000013", "VERBOSE,Negotiated codec: alaw, already set. No change.")
    -- Executing [s at dialbridge:1] Log("PJSIP/495XXXXXXX_3-00000012", "VERBOSE,Enforce trunk codec to phone, endpoint side")
Enforce trunk codec to phone, endpoint side
    -- Executing [s at dialbridge:1] Log("PJSIP/495XXXXXXX_3-00000012", "VERBOSE,Negotiated codec: alaw, changing from: (g722)")
Negotiated codec: alaw, changing from: (g722)
Negotiated codec: alaw, already set. No change.
    -- Executing [s at dialbridge:1] Wait("PJSIP/tcom_trunk-00000013", "5")
    -- Executing [s at dialbridge:1] Bridge("PJSIP/495XXXXXXX_3-00000012", "PJSIP/tcom_trunk-00000013,x")
  == Spawn extension (dialbridge, s, 1) exited non-zero on 'Surrogate/PJSIP/tcom_trunk-00000013'
    -- Channel PJSIP/tcom_trunk-00000013 joined 'simple_bridge' basic-bridge <0ad214b5-42eb-4397-83d5-806e22cd2220>
    -- Channel PJSIP/495XXXXXXX_3-00000012 joined 'simple_bridge' basic-bridge <0ad214b5-42eb-4397-83d5-806e22cd2220>
    -- PJSIP/495XXXXXXX_3-00000012 Internal Gosub(updateConnectedLine,s,1) start

Upper scripts perform Connected Line Updates and do codec handling. Both calls are in a bridge.

----> See the following request: the mediasec headers are missing:

<--- Transmitting SIP request (1218 bytes) to TLS:217.0.21.3:5061 --->
INVITE sip:sgc_c at 217.0.21.3:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.203.25:45061;rport;branch=z9hG4bKPj793ffcd3-137d-4f3c-bef7-864bc7dd22e2;alias
From: "05XXXXXXX" <sip:05XXXXXXX at tel.t-online.de>;tag=c156777b-2c68-44cb-8fdd-af9265b464a8
To: <sip:0191011 at tel.t-online.de>;tag=h7g4Esbg_p65544t1567458941m19476c211164834s1_2036411039-303219550
Contact: <sip:asterisk at 192.168.203.25:45061;transport=TLS>
Call-ID: ae53709d-7c92-416f-865e-a922d45b52e4
CSeq: 5810 INVITE
Route: <sip:217.0.21.3:5061;transport=tls;lr>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800;refresher=uas
Min-SE: 900
Max-Forwards: 70
User-Agent: Asterisk PBX 16.5.0
Content-Type: application/sdp
Content-Length:   370

v=0
o=- 1533927627 1533927628 IN IP4 192.168.203.25
s=Asterisk
c=IN IP4 192.168.203.25
t=0 0
m=audio 18592 RTP/SAVP 9 8 101
a=3ge2ae:requested
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:gDiOBggnpgMkoIGjO70QGjqOWVivyC/2PVWnpvuc
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv


Perhaps you can take a look! If you need testing, I can help!

Kind regards,

André

On 02.09.19 19:03, Michael Maier wrote:
> On 30.05.19 at 10:24 Michael Maier wrote:
>> Hello!
>>
>> I wrote some code, which adds basic media encryption support to be used with Deutsche Telekom. The attached patch is based on Asterisk 16.3
>> and works for me :-) - not fully tested yet. If you want to use it, you have to enable media_encryption=sdes for the extension (and
>> transport tls and tls1.2). Use at your own risk!
>>
>>
>> The current patch lacks a basic mediasec option, which prevents adding the mediasec headers to each *initial* REGISTER or to each INVITE (if
>> sdes is activated). As of today, I don't know how to solve this problem without too many changes.
>> Anyway: It looks like the additional HEADERs seem not to disrupt other ISPs (tested with one other ISP). This option should be accessible in
>> rtp, session and register environment. Maybe there is a possibility to exchange data between register, session and rtp environment. This way, it
>> would be possible to dynamically set mediasec in session and rtp based on the result of the initial register. It would be necessary at the
>> same time, to dynamically disable sdes encryption if activation of mediasec didn't succeed.
>>
>> One more open point is the check for the 3 headers using the same name (Security-Server and Security-Verify). How can they be checked
>> regarding order? Is there a function to get each value of the same header? Maybe based on an array index? This way it would be possible to
>> create the Security-Verify headers dynamically based on the 494 or 401 response.
>>
>> The UPDATE package (used as a watchdog circuit during a call each 15 minutes) seems not to be affected - I couldn't find any problem at this
>> point.
> 
> 
> Attached is a new version of the mediasec patch. The following items changed:
> 
> - No more differentiation between initial REGISTER and ReREGISTERS (because if server was restarted, the ReREGISTER
>   could have been done w/o mediasec and subsequent calls have been broken because of missing SRTP support by provider).
> - Added memory management for the additional 494 requests.
> 
> The patch contains the complete code necessary for mediasec (tested with Deutsche Telekom) and asterisk 16.4.1 (should work too w/ 16.5.0).
> 
> This patch doesn't contain an additional sdp version fix, which is needed to reach some numbers in Germany via Deutsche Telekom - see
> https://issues.asterisk.org/jira/secure/attachment/58493/sdp-version-v2.patch
> (https://issues.asterisk.org/jira/browse/ASTERISK-28452)
> 
> 
> Regards
> Michael
> 
> 


-- 
Kind regards
André Valentin

System Administration - Project Coordination
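
The failure reported in this message, written as a check that can be run over a captured trace (an added example, not part of the original post or of the mediasec patch): it flags an INVITE that offers SDES-SRTP but carries no `Security-Verify: sdes-srtp;mediasec` header, and it reads repeated same-named headers in the order they were sent. The two sample messages are constructed and shortened from the trace above, and all function names are hypothetical.

```python
# Constructed sample messages, shortened from the trace in this post.
INITIAL_INVITE = """INVITE sip:callee@provider.example SIP/2.0
CSeq: 5806 INVITE
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec

v=0
m=audio 18592 RTP/SAVP 9 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER
"""
REINVITE = """INVITE sip:sgc_c@provider.example SIP/2.0
CSeq: 5810 INVITE

v=0
m=audio 18592 RTP/SAVP 9 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER
"""

def parse_sip(raw):
    """Return (start_line, headers, body); headers keep wire order."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def security_values(headers, name):
    """Every value of a repeated Security-* header, in the order sent."""
    values = []
    for hname, hvalue in headers:
        if hname == name.lower():
            values.extend(v.strip() for v in hvalue.split(",") if v.strip())
    return values

def mediasec_mechanisms(headers, name="Security-Verify"):
    """Mechanism names whose header value carries the ;mediasec parameter."""
    mechanisms = []
    for value in security_values(headers, name):
        mechanism, *params = [p.strip().lower() for p in value.split(";")]
        if "mediasec" in params:
            mechanisms.append(mechanism)
    return mechanisms

def offers_sdes_srtp(body):
    """True when the SDP has an RTP/SAVP media line and an a=crypto attribute."""
    sdp = [ln.strip() for ln in body.split("\n")]
    savp = any(ln.startswith("m=") and "RTP/SAVP" in ln.split() for ln in sdp)
    return savp and any(ln.startswith("a=crypto:") for ln in sdp)

def check_invite(raw):
    """Classify one message: not-invite, no-srtp, ok or missing-mediasec."""
    start_line, headers, body = parse_sip(raw)
    if not start_line.startswith("INVITE "):
        return "not-invite"
    if not offers_sdes_srtp(body):
        return "no-srtp"
    return "ok" if "sdes-srtp" in mediasec_mechanisms(headers) else "missing-mediasec"
```

`check_invite(INITIAL_INVITE)` returns `"ok"` and `check_invite(REINVITE)` returns `"missing-mediasec"`, which is the case shown in the last request of the trace.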

