[jitsi-dev] Configuration for SRTP


#1

Hello sir

I need to place SIP calls to and receive SIP calls from other clients
registered with the same Asterisk box (v. 1.11), using TLS/SRTP encryption
(mandatory). I was making some tests with a Jitsi client and a Blink client
(some users like this softphone, while I prefer Jitsi) on a Windows 7
machine. When using two Blink clients everything works fine, but if I try
to connect a Jitsi client with a Blink client I cannot make it work.

The Jitsi client registers with the Asterisk server (it processes the
certificate without problems) but when I try to place a call to the Blink
client I get a “Call failed – Not acceptable here” error and the Asterisk
CLI logs “WARNING[3006]: chan_sip.c:8432 process_sdp: Matched device setup
to use SRTP, but request was not!”. On seeing the Asterisk CLI, it was showing
me "matched device setup to use srtp but request was not".

Similarly, if I try to place a call from the Blink client to Jitsi, the
client rings but the call is dropped as soon as I press the Answer button.

Maybe I am missing some configuration detail, since it seems that the Jitsi
client is expected to use SRTP while it doesn’t.

Any help would be greatly appreciated.


#2

Hi,

In the SIP account configuration, on the Security tab in the advanced
settings, there is an RTP/SAVP indication setting: off, mandatory and
optional. I think the optional setting is not working with Asterisk;
at least this was the case the last time I checked it, maybe it is
fixed in the latest version. You need to be using mandatory.

Regards
damencho

···

On Mon, Dec 8, 2014 at 9:11 AM, Ankew Champ <ankew.champ@gmail.com> wrote:

Hello sir

I need to place SIP calls to and receive SIP calls from other clients
registered with the same Asterisk box (v. 1.11), using TLS/SRTP encryption
(mandatory). I was making some tests with a Jitsi client and a Blink client
(some users like this softphone, while I prefer Jitsi) on a Windows 7
machine. When using two Blink clients everything works fine, but if I try to
connect a Jitsi client with a Blink client I cannot make it work.

The Jitsi client registers with the Asterisk server (it processes the
certificate without problems) but when I try to place a call to the Blink
client I get a “Call failed – Not acceptable here” error and the Asterisk
CLI logs “WARNING[3006]: chan_sip.c:8432 process_sdp: Matched device setup
to use SRTP, but request was not!”. On seeing the Asterisk CLI, it was showing
me "matched device setup to use srtp but request was not".

Similarly, if I try to place a call from the Blink client to Jitsi, the
client rings but the call is dropped as soon as I press the Answer button.

Maybe I am missing some configuration detail, since it seems that the Jitsi
client is expected to use SRTP while it doesn’t.

Any help would be greatly appreciated.

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

OK sir, thanks for your reply, and I have a doubt: what about ZRTP signalling
over it? Do I only need to enable SDES or DTLS-SRTP? Please guide me.

···

On Mon, Dec 8, 2014 at 11:30 AM, Damian Minkov <damencho@jitsi.org> wrote:

Hi,

In the SIP account configuration, on the Security tab in the advanced
settings, there is an RTP/SAVP indication setting: off, mandatory and
optional. I think the optional setting is not working with Asterisk;
at least this was the case the last time I checked it, maybe it is
fixed in the latest version. You need to be using mandatory.

Regards
damencho



#4

May I step in here?

ZRTP is a protocol that works _after_ the client established the media connection
and uses this connection to negotiate keys and other security parameters. After
this negotiation ZRTP uses this to set up an end-2-end SRTP connection.

SDES is a scheme where the clients generate some key material and parameters and
embed this data in the SDP data (content of SIP). If Asterisk is a client then
Asterisk and Jitsi generate the encryption data and both use it to set up an
SRTP connection. Thus this connection is secure between Asterisk and your client.
Very often Asterisk acts as a B2B SIP application, thus acts as a client. Even if
it would act as a transparent SIP proxy Asterisk knows (or can know) the encryption
parameters. Therefore, SDES is not really End-2-End secure.

DTLS-SRTP is yet another scheme, AFAIK Jitsi uses it for its WebRTC code, but I
may be mistaken here.

IIRC in Jitsi you may select either SDES or ZRTP, not sure if it supports using
both at the same time.

Werner

···

On 08.12.2014 at 08:40, Ankew Champ wrote:

OK sir, thanks for your reply, and I have a doubt: what about ZRTP signalling over it? Do I only need to enable SDES or DTLS-SRTP? Please guide me.


--
Werner Dittmann
email: Werner.Dittmann@t-online.de
cell: +49 173 44 37 659
PGP key: 82EF5E8B
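
Added example (not part of the thread, and not Jitsi or Asterisk code): a small SDP inspector for the two replies above, covering the RTP/SAVP indication and the SDES / ZRTP / DTLS-SRTP distinction. The sample offers, the filler key bytes and the accept/reject policy are constructed assumptions; a peer that demands SRTP is modelled as requiring an RTP/SAVP profile plus a usable `a=crypto` key.

```python
import base64
import binascii

# Media profiles that signal SRTP keyed through SDP (RFC 3711, RFC 4568).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
# Master key plus salt length, in bytes, for the common SDES crypto suites.
SDES_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}


def parse_media(sdp):
    """Return one dict per m= section: its profile and the keying hints it carries."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        fields = line[2:].split()
        if line.startswith("m=") and len(fields) >= 3:
            sections.append({"media": fields[0], "profile": fields[2],
                             "sdes": [], "zrtp": False, "dtls": False})
        elif not sections:
            continue  # session-level lines (even a session-wide a=fingerprint) are skipped
        elif line.startswith("a=crypto:"):
            # a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
            # The key travels in signalling, so every SIP hop that sees the SDP can read it.
            parts = line[len("a=crypto:"):].split()
            if len(parts) < 3:
                continue
            method, _, key_info = parts[2].partition(":")
            try:
                key = base64.b64decode(key_info.split("|")[0], validate=True)
            except (binascii.Error, ValueError):
                key = b""
            usable = method == "inline" and len(key) == SDES_KEY_LEN.get(parts[1])
            sections[-1]["sdes"].append({"suite": parts[1], "usable": usable})
        elif line.startswith("a=zrtp-hash:"):
            sections[-1]["zrtp"] = True  # ZRTP agrees keys later, inside the media path
        elif line.startswith("a=fingerprint:"):
            sections[-1]["dtls"] = True  # DTLS-SRTP puts only a certificate hash in SDP
    return sections


def srtp_mandatory_verdict(sdp):
    """Assumed policy of a peer that requires SDES-keyed SRTP on every stream."""
    out = []
    for m in parse_media(sdp):
        if m["profile"] not in SRTP_PROFILES:
            out.append((m["media"], "reject: profile %s is not SRTP" % m["profile"]))
        elif not any(c["usable"] for c in m["sdes"]):
            out.append((m["media"], "reject: no usable a=crypto key"))
        else:
            out.append((m["media"], "accept"))
    return out


# Constructed sample offers; addresses are documentation ranges, keys are filler bytes.
BASE = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s\r\n"
PLAIN_OFFER = BASE + "m=audio 5004 RTP/AVP 0\r\n"
ZRTP_OFFER = PLAIN_OFFER + "a=zrtp-hash:1.10 " + "ab" * 32 + "\r\n"
SDES_OFFER = (BASE + "m=audio 5004 RTP/SAVP 0\r\n"
              + CRYPTO % base64.b64encode(b"K" * 30).decode())
SHORT_KEY_OFFER = (BASE + "m=audio 5004 RTP/SAVP 0\r\n"
                   + CRYPTO % base64.b64encode(b"K" * 16).decode())

if __name__ == "__main__":
    for name in ("PLAIN_OFFER", "ZRTP_OFFER", "SDES_OFFER", "SHORT_KEY_OFFER"):
        print(name, srtp_mandatory_verdict(globals()[name]))
```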


#5

It doesn't matter, but you can remove zrtp if you are using asterisk
as it is not supported there and anyway asterisk will drop that
signaling.

···

On Mon, Dec 8, 2014 at 9:40 AM, Ankew Champ <ankew.champ@gmail.com> wrote:

OK sir, thanks for your reply, and I have a doubt: what about ZRTP signalling
over it? Do I only need to enable SDES or DTLS-SRTP? Please guide me.



#6

OK sir, I have done accordingly, but in the Android version, when I am trying to
set the RTP/SAVP indication setting to mandatory, I am still unable to place a
call.

···

On Mon, Dec 8, 2014 at 11:47 AM, Damian Minkov <damencho@jitsi.org> wrote:

It doesn't matter, but you can remove zrtp if you are using asterisk
as it is not supported there and anyway asterisk will drop that
signaling.



#7

OK sir, but my problem is to connect jitsi-android with the desktop. The desktop
version is running smoothly, but when I am trying to set the RTP setting to
mandatory in Android it is automatically reverted back to the OFF state. I have
set SDES encryption on both ends and now Jitsi desktop can connect to
Android, but I am unable to set up a call vice versa.

···

On Mon, Dec 8, 2014 at 11:55 AM, Werner Dittmann <Werner.Dittmann@t-online.de> wrote:

May I step in here?

ZRTP is a protocol that works _after_ the client established the media connection
and uses this connection to negotiate keys and other security parameters. After
this negotiation ZRTP uses this to set up an end-2-end SRTP connection.

SDES is a scheme where the clients generate some key material and parameters and
embed this data in the SDP data (content of SIP). If Asterisk is a client then
Asterisk and Jitsi generate the encryption data and both use it to set up an
SRTP connection. Thus this connection is secure between Asterisk and your client.
Very often Asterisk acts as a B2B SIP application, thus acts as a client. Even if
it would act as a transparent SIP proxy Asterisk knows (or can know) the encryption
parameters. Therefore, SDES is not really End-2-End secure.

DTLS-SRTP is yet another scheme, AFAIK Jitsi uses it for its WebRTC code, but I
may be mistaken here.

IIRC in Jitsi you may select either SDES or ZRTP, not sure if it supports using
both at the same time.

Werner



#8

I was talking about desktop version, not sure what is the status of
the android version and srtp.

···

On Mon, Dec 8, 2014 at 9:51 AM, Ankew Champ <ankew.champ@gmail.com> wrote:

OK sir, I have done accordingly, but in the Android version, when I am trying to set
the RTP/SAVP indication setting to mandatory, I am still unable to place a call.
