[jitsi-dev] SDES question


#1

Hi all,

I have an account connected to asterisk and with secure call enabled.
In order to work (outgoing calls) the option "Mandatory (offer and
accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
first, then RTP/AVP)" asterisk complains "Faling due to too many media
streams" and fails to create the call. But if Mandatory is selected
and someone tries to call you without being able to secure the call, the call
fails on our side with:
OperationFailedException: Offer contained no valid media descriptions.

Is this normal or am I missing something? Is there a resolution for this problem?

Thanks
damencho


#2

2011-11-01 16:13:07 +0100, Emil Ivov:

> Hi all,
>
> I have an account connected to asterisk and with secure call enabled.
> In order to work (outgoing calls) the option "Mandatory (offer and
> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
> first, then RTP/AVP)" asterisk complains "Faling due to too many media
> streams" and fails to create the call. But if Mandatory is selected
> and someone tries to call you without being able to secure the call, the call
> fails on our side with:
> OperationFailedException: Offer contained no valid media descriptions.

Incidentally, could we please change that to something that
indicates the failure is due to lack of security. I had
already seen the above message and was thinking it was a codec
problem.

[...]

Actually, after doing the same tests, I had sent the SDP traces
from jitsi with the duplicate media parameters asterisk was
complaining about.

http://thread.gmane.org/gmane.comp.voip.sip-communicator.devel/11390/focus=11396

I don't know if it's valid or not for jitsi to do it that way:
both
m=audio 5008 RTP/SAVP 9 96 97 98 100 0 8 102 3 103 5 6 15 101
and
m=audio 5008 RTP/AVP 9 96 97 98 100 0 8 102 3 103 5 6 15 101
in same SDP, but that's what asterisk doesn't like.

I remember testing another softphone (possibly blink or
sflphone) that had similar settings for SDES but worked OK
with asterisk, so they must be doing it differently.

On 1 nov. 2011, at 16:08, Damian Minkov <damencho@jitsi.org> wrote:

--
Stephane


#3

Hey

> I have an account connected to asterisk and with secure call enabled.
> In order to work (outgoing calls) the option "Mandatory (offer and
> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
> first, then RTP/AVP)" asterisk complains "Faling due to too many media
> streams" and fails to create the call. But if Mandatory is selected
> and someone tries to call you without being able to secure the call, the call
> fails on our side with:
> OperationFailedException: Offer contained no valid media descriptions.
>
> Is this normal or am I missing something? Is there a resolution for this
> problem?

Yes, this is kind of expected: Asterisk hard-fails any offer that contains more than 3 media stream offers.

Maybe I should add an option to offer only SAVP, but accept AVP and SAVP. On the other hand, if you're connected to an Asterisk that requires you to set SAVP, who calls you directly (e.g. without Asterisk being involved)?

In the end this setting is really not important for us: The only difference between the two media offers is the "S" in the profile name. Asterisk though only accepts SDES streams with the SAVP profile, so we need to send it.
The three choices in our advanced settings are inspired from the Snom hardphones setting: http://wiki.snom.com/Settings/user_savp

> Thanks
> damencho

Regards,
Ingo


#4

Hey

>> I have an account connected to asterisk and with secure call enabled.
>> In order to work (outgoing calls) the option "Mandatory (offer and
>> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
>> first, then RTP/AVP)" asterisk complains "Faling due to too many media
>> streams" and fails to create the call. But if Mandatory is selected
>> and someone tries to call you without being able to secure the call, the call
>> fails on our side with:
>> OperationFailedException: Offer contained no valid media descriptions.
>
> Incidentally, could we please change that to something that indicates the
> failure is due to lack of security. I had already seen the above message and
> was thinking it was a codec problem.

Sure, I'm working on it. Although the exception will be a bit probabilistic: The AVP profile offer is not further checked (codecs etc.) when SAVP is required. But I guess that doesn't matter too much; if the new Exception is thrown, diagnosed, and solved, the normal checking kicks in again.

Regards,
Ingo


#5

Hey Stephane

> Actually, after doing the same tests, I had sent the SDP traces
> from jitsi with the duplicate media parameters asterisk was
> complaining about.
>
> http://thread.gmane.org/gmane.comp.voip.sip-communicator.devel/11390/focus=11396
>
> I don't know if it's valid or not for jitsi to do it that way:
> both
> m=audio 5008 RTP/SAVP 9 96 97 98 100 0 8 102 3 103 5 6 15 101
> and
> m=audio 5008 RTP/AVP 9 96 97 98 100 0 8 102 3 103 5 6 15 101
> in same SDP, but that's what asterisk doesn't like.
>
> I remember testing another softphone (possibly blink or
> sflphone) that had similar settings for SDES but worked OK
> with asterisk, so they must be doing it differently.

Sorry for ignoring you back then. I concentrated on the SRTCP auth failure messages in that thread.

Ingo


#6

Hi,

> Hey
>
>> I have an account connected to asterisk and with secure call enabled.
>> In order to work (outgoing calls) the option "Mandatory (offer and
>> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
>> first, then RTP/AVP)" asterisk complains "Faling due to too many media
>> streams" and fails to create the call. But if Mandatory is selected
>> and someone tries to call you without being able to secure the call, the call
>> fails on our side with:
>> OperationFailedException: Offer contained no valid media descriptions.
>>
>> Is this normal or am I missing something? Is there a resolution for this
>> problem?
>
> Yes, this is kind of expected: Asterisk hard-fails any offer that contains more than 3 media stream offers.
>
> Maybe I should add an option to offer only SAVP, but accept AVP and SAVP. On the other hand, if you're connected to an Asterisk that requires you to set SAVP, who calls you directly (e.g. without Asterisk being involved)?

Well actually asterisk is involved, the difference is that the phone
I'm using to call jitsi doesn't support sdes.

> In the end this setting is really not important for us: The only difference between the two media offers is the "S" in the profile name. Asterisk though only accepts SDES streams with the SAVP profile, so we need to send it.
> The three choices in our advanced settings are inspired from the Snom hardphones setting: http://wiki.snom.com/Settings/user_savp
>
>> Thanks
>> damencho
>
> Regards,
> Ingo

Regards
damencho

On Tue, Nov 1, 2011 at 5:51 PM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:


#7

>>> I have an account connected to asterisk and with secure call enabled.
>>> In order to work (outgoing calls) the option "Mandatory (offer and
>>> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
>>> first, then RTP/AVP)" asterisk complains "Faling due to too many media
>>> streams" and fails to create the call. But if Mandatory is selected
>>> and someone tries to call you without being able to secure the call, the call
>>> fails on our side with:
>>> OperationFailedException: Offer contained no valid media descriptions.
>>>
>>> Is this normal or am I missing something? Is there a resolution for this
>>> problem?
>>
>> Yes, this is kind of expected: Asterisk hard-fails any offer that
>> contains more than 3 media stream offers.
>>
>> Maybe I should add an option to offer only SAVP, but accept AVP and SAVP.
>>
>> On the other hand, if you're connected to an Asterisk that requires you to
>> set SAVP, who calls you directly (e.g. without Asterisk being involved)?
>
> Well actually asterisk is involved, the difference is that the phone
> I'm using to call jitsi doesn't support sdes.

Hmmm... I thought I tested that with Snom/Jitsi via Asterisk... I'm investigating this a bit :)

Ingo


#8

>>> I have an account connected to asterisk and with secure call enabled.
>>> In order to work (outgoing calls) the option "Mandatory (offer and
>>> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
>>> first, then RTP/AVP)" asterisk complains "Faling due to too many media
>>> streams" and fails to create the call. But if Mandatory is selected
>>> and someone tries to call you without being able to secure the call, the call
>>> fails on our side with:
>>> OperationFailedException: Offer contained no valid media descriptions.
>>>
>>> Is this normal or am I missing something? Is there a resolution for this
>>> problem?
>>
>> Yes, this is kind of expected: Asterisk hard-fails any offer that
>> contains more than 3 media stream offers.
>>
>> Maybe I should add an option to offer only SAVP, but accept AVP and SAVP.
>> On the other hand, if you're connected to an Asterisk that requires you to
>> set SAVP, who calls you directly (e.g. without Asterisk being involved)?
>
> Well actually asterisk is involved, the difference is that the phone
> I'm using to call jitsi doesn't support sdes.

I just tested calls like this:

Snom 320 (SRTP/SDES and SAVP disabled) <-> Asterisk (encryption=no for Snom, yes for Jitsi) <-> Jitsi (SDES enabled, SAVP mandatory)

Calling from Snom -->> Jitsi worked, while Jitsi -->> Snom did not. We could now argue who's at fault:
Case 1 is a security "upgrade", the unencrypted call from the Snom is secured at Asterisk. In case 2 however, the initially secured call would be "downgraded" at Asterisk - which it doesn't do (it only offers SAVP to the Snom).

I'm not sure how we want to proceed from here - apparently the case that you had works for me? Could you please describe a bit more what you tried and the Asterisk settings (e.g. the "encryption" attribute for the "users" in sip.conf)?

Regards,
Ingo


#9

Hi,

>>>> I have an account connected to asterisk and with secure call enabled.
>>>> In order to work (outgoing calls) the option "Mandatory (offer and
>>>> accept only RTP/SAVP)" must be selected, if "Optional (offer RTP/SAVP
>>>> first, then RTP/AVP)" asterisk complains "Faling due to too many media
>>>> streams" and fails to create the call. But if Mandatory is selected
>>>> and someone tries to call you without being able to secure the call, the call
>>>> fails on our side with:
>>>> OperationFailedException: Offer contained no valid media descriptions.
>>>>
>>>> Is this normal or am I missing something? Is there a resolution for this
>>>> problem?
>>>
>>> Yes, this is kind of expected: Asterisk hard-fails any offer that
>>> contains more than 3 media stream offers.
>>>
>>> Maybe I should add an option to offer only SAVP, but accept AVP and SAVP.
>>> On the other hand, if you're connected to an Asterisk that requires you to
>>> set SAVP, who calls you directly (e.g. without Asterisk being involved)?
>>
>> Well actually asterisk is involved, the difference is that the phone
>> I'm using to call jitsi doesn't support sdes.
>
> I just tested calls like this:
>
> Snom 320 (SRTP/SDES and SAVP disabled) <-> Asterisk (encryption=no for Snom, yes for Jitsi) <-> Jitsi (SDES enabled, SAVP mandatory)
>
> Calling from Snom -->> Jitsi worked, while Jitsi -->> Snom did not. We could now argue who's at fault:
> Case 1 is a security "upgrade", the unencrypted call from the Snom is secured at Asterisk. In case 2 however, the initially secured call would be "downgraded" at Asterisk - which it doesn't do (it only offers SAVP to the Snom).
>
> I'm not sure how we want to proceed from here - apparently the case that you had works for me? Could you please describe a bit more what you tried and the Asterisk settings (e.g. the "encryption" attribute for the "users" in sip.conf)?
>
> Regards,
> Ingo

Actually I'm calling from Siemens S675IP to asterisk 1.8.1.1 and to
Jitsi (SDES enabled with mandatory selected). No encryption option in
asterisk configs.
Well when I put encryption=no to the siemens account and
encryption=yes the Jitsi everything seems fine, calls both ways.
The only limitation in this situation is that Jitsi cannot
place/receive calls if not using SDES.

Regards
damencho

On Tue, Nov 1, 2011 at 6:57 PM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:


#10

> Actually I'm calling from Siemens S675IP to asterisk 1.8.1.1 and to
> Jitsi (SDES enabled with mandatory selected). No encryption option in
> asterisk configs.
> Well when I put encryption=no to the siemens account and
> encryption=yes the Jitsi everything seems fine, calls both ways.
> The only limitation in this situation is that Jitsi cannot
> place/receive calls if not using SDES.

Isn't that the whole idea of the encryption setting in Asterisk?
If the encryption attribute of Asterisk's Jitsi config is set to yes, and the Asterisk account in Jitsi is configured as SDES mandatory, everything works, right? So I don't quite get why you'd need a further optional SDES setting and how it should behave?
Can you enlighten me? :)

Besides: apart from the encryption attribute in the Asterisk's sip.conf, there are further SDES options in the dialplan ([1]).

> Regards
> damencho

Regards,
Ingo

[1] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics


#11

Hi again,

>> Actually I'm calling from Siemens S675IP to asterisk 1.8.1.1 and to
>> Jitsi (SDES enabled with mandatory selected). No encryption option in
>> asterisk configs.
>> Well when I put encryption=no to the siemens account and
>> encryption=yes the Jitsi everything seems fine, calls both ways.
>> The only limitation in this situation is that Jitsi cannot
>> place/receive calls if not using SDES.
>
> Isn't that the whole idea of the encryption setting in Asterisk?
> If the encryption attribute of Asterisk's Jitsi config is set to yes, and the Asterisk account in Jitsi is configured as SDES mandatory, everything works, right? So I don't quite get why you'd need a further optional SDES setting and how it should behave?
> Can you enlighten me? :)

Yes you are right, I was thinking to be able to make secure and non
secure calls from the same account, for example you go somewhere away
from your pc and use your account from other software/hardware which
don't support sdes.

Thanks for clearing this out and for the link for the dialplan description.
damencho

On Wed, Nov 2, 2011 at 10:15 AM, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote:

> Besides: apart from the encryption attribute in the Asterisk's sip.conf, there are further SDES options in the dialplan ([1]).
>
>> Regards
>> damencho
>
> Regards,
> Ingo
>
> [1] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics


#12

> Yes you are right, I was thinking to be able to make secure and non
> secure calls from the same account, for example you go somewhere away
> from your pc and use your account from other software/hardware which
> don't support sdes.

Well, we kind of support that with the optional setting (offer SAVP, then AVP), but Asterisk doesn't :) (Because of the hardcoded limit of 3 media descriptions...)

If you disable video in Jitsi, you should be able to make a call to Asterisk with RTP/SAVP set to optional. Asterisk should then pick the SAVP audio stream offered first and ignore the second, insecure offer.

Which leads me to a completely different feature we might want to introduce:
- Set our codec preferences per account instead
- Or at least an option to disable video per account

> Thanks for clearing this out and for the link for the dialplan
> description.
> damencho

Ingo
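
As an added illustration (not part of the thread, and not Jitsi or Asterisk code), the following Python models the two behaviours discussed above: how many media descriptions the "Optional" and "Mandatory" settings put into an offer compared with the limit of 3 that Ingo mentions, and an answerer that reports a missing RTP/SAVP stream separately from an offer with no usable media. The function names, reason strings and sample SDP are assumptions made for the example.

```python
# Added example: models behaviour described in the thread, not Jitsi or Asterisk code.
MEDIA_LIMIT = 3  # media-description limit as stated in the thread

# Constructed sample offers (addresses and key material are made up).
_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
PLAIN_OFFER = _HEAD + "m=audio 5008 RTP/AVP 0 8 101\r\n"
DUAL_OFFER = (_HEAD + "m=audio 5008 RTP/SAVP 0 8 101\r\n"
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\r\n"
              "m=audio 5008 RTP/AVP 0 8 101\r\n")

def offered_profiles(policy, video=True):
    """(kind, profile) pairs an endpoint offers under the two settings quoted above."""
    profiles = {"mandatory": ["RTP/SAVP"], "optional": ["RTP/SAVP", "RTP/AVP"]}[policy]
    kinds = ["audio", "video"] if video else ["audio"]
    return [(kind, profile) for kind in kinds for profile in profiles]

def parse_media(sdp):
    """[kind, profile, has_crypto] per m= line; a=crypto belongs to the m= line above it."""
    media = []
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) >= 3:
                media.append([fields[0], fields[2], False])
        elif line.startswith("a=crypto:") and media:
            media[-1][2] = True
    return media

def classify_offer(sdp, policy):
    """Answerer's decision with a reason that separates 'insecure' from 'invalid'."""
    media = parse_media(sdp)
    if not media:
        return "reject:no-media"
    if any(profile == "RTP/SAVP" and crypto for _, profile, crypto in media):
        return "accept:srtp"
    if any(profile == "RTP/AVP" for _, profile, _ in media):
        return "accept:rtp" if policy == "optional" else "reject:savp-required"
    return "reject:no-usable-media"

if __name__ == "__main__":
    for video in (True, False):
        count = len(offered_profiles("optional", video))
        print("optional, video=%s: %d media lines, over limit: %s"
              % (video, count, count > MEDIA_LIMIT))
    print(classify_offer(PLAIN_OFFER, "mandatory"))
```

With video enabled, the "optional" setting yields four media descriptions, which is over the limit of 3; with video disabled it yields two, matching the workaround suggested in the last message.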