[asterisk-dev] pjsip asterisk 13.24: sips / srtp and Deutsche Telekom doesn't work because of missing mediasec parameters

Michael Maier m1278468 at mailbox.org
Mon Sep 2 12:03:08 CDT 2019


On 30.05.19 at 10:24 Michael Maier wrote:
> Hello!
> 
> I wrote some code, which adds basic media encryption support to be used with Deutsche Telekom. The attached patch is based on Asterisk 16.3
> and works for me :-) - not fully tested yet. If you want to use it, you have to enable media_encryption=sdes for the extension (and
> transport tls and tls1.2). Use at your own risk!
> 
> 
> The current patch lacks a basic mediasec option, which prevents adding the mediasec headers to each *initial* REGISTER or to each INVITE (if
> sdes is activated). As of today, I don't know how to solve this problem without too many changes.
> Anyway: It looks like the additional HEADERs seem not to disrupt other ISPs (tested with one other ISP). This option should be accessible in
> rtp, session and register environment. Maybe there is a possibility to exchange data between register, session and rtp environment. This way, it
> would be possible to dynamically set mediasec in session and rtp based on the result of the initial register. It would be necessary at the
> same time, to dynamically disable sdes encryption if activation of mediasec didn't succeed.
> 
> One more open point is the check for the 3 headers using the same name (Security-Server and Security-Verify). How can they be checked
> regarding order? Is there a function to get each value of the same header? Maybe based on an array index? This way it would be possible to
> create the Security-Verify headers dynamically based on the 494 or 401 response.
> 
> The UPDATE package (used as a watchdog circuit during a call each 15 minutes) seems not to be affected - I couldn't find any problem at this
> point.


Attached is a new version of the mediasec patch. The following items changed:

- No more differentiation between initial REGISTER and ReREGISTERS (because if server was restarted, the ReREGISTER
  could have been done w/o mediasec and subsequent calls have been broken because of missing SRTP support by provider).
- Added memory management for the additional 494 requests.

The patch contains the complete code necessary for mediasec (tested with Deutsche Telekom) and asterisk 16.4.1 (should work too w/ 16.5.0).

This patch doesn't contain an additional sdp version fix, which is needed to reach some numbers in Germany via Deutsche Telekom - see
https://issues.asterisk.org/jira/secure/attachment/58493/sdp-version-v2.patch
(https://issues.asterisk.org/jira/browse/ASTERISK-28452)


Regards
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mediasec23.patch
Type: text/x-patch
Size: 7542 bytes
Desc: not available
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20190902/fd3d2086/attachment.bin>
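
Added example, not part of the mail or of mediasec23.patch: one way to read every value of a repeated header in message order and mirror the Security-Server list from a 494 or 401 response into Security-Verify lines. It works on raw message text rather than the pjsip API; the function names and the sample header values are assumptions made for illustration, and comma-separated lists and folded header lines are not handled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum { MAX_VALUES = 8, MAX_LEN = 128 };

static const char SAMPLE_494[] =      /* constructed sample, not a provider capture */
    "SIP/2.0 494 Security Agreement Required\r\n"
    "Security-Server: msrp-tls;mediasec\r\n"
    "security-server:sdes-srtp;mediasec\r\n"
    "Security-Server: dtls-srtp;mediasec\r\n"
    "Content-Length: 0\r\n\r\n";

/* Collect all values of `name` in message order; -1 if the list would be cut short. */
int collect_header(const char *msg, const char *name, char out[][MAX_LEN], int max) {
    size_t nlen = strlen(name);
    int n = 0;
    const char *line = strstr(msg, "\r\n");            /* end of the status line */
    while (line) {
        const char *end = strstr(line += 2, "\r\n");
        if (!end || end == line) break;                /* blank line ends the headers */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            if (n == max || (size_t)(end - v) >= MAX_LEN) return -1;
            memcpy(out[n], v, (size_t)(end - v));
            out[n++][end - v] = '\0';
        }
        line = end;
    }
    return n;
}

/* One Security-Verify line per Security-Server value, same order; -1 on overflow. */
int build_security_verify(const char *resp, char *dst, size_t dstlen) {
    char vals[MAX_VALUES][MAX_LEN];
    int n = collect_header(resp, "Security-Server", vals, MAX_VALUES);
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        int w = snprintf(dst + used, dstlen - used, "Security-Verify: %s\r\n", vals[i]);
        if (w < 0 || (size_t)w >= dstlen - used) return -1;
        used += (size_t)w;
    }
    return n;
}

int main(void) {
    char hdrs[512];
    return build_security_verify(SAMPLE_494, hdrs, sizeof hdrs) > 0 && fputs(hdrs, stdout) >= 0 ? 0 : 1;
}
```

Both functions return -1 instead of producing a shortened list, so a caller can fall back to registering without mediasec rather than sending a Security-Verify set that differs from what the server offered.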

