[jitsi-dev] SRTP null


#1

Hi all,

In latest nightly build (Win7) I can no longer get SRTP working.
In fact the check box for SRTP in the UI is either blank or has the string
null where it used to say SRTP.
I've tried checking the blank checkbox anyway and making SRTP mandatory,
but on the server side I can see that there is no crypto info being sent in
SDP.

Since I've used SRTP in the past with Jitsi, I believe that some recent
update broke the SRTP implementation. ZRTP works fine. The problem is only
with SRTP.

Also, on another topic, is it not possible to have multiple SIP accounts
configured with the same ID? What I mean is that on my PBX I have created 2
profiles with different ports that have different default behaviors. (ie.
one profile listens on 5061 and is configured for ZRTP exclusively, while
another listens on 5071 and is configured for SRTP). Whenever I try to
create these almost identical accounts Jitsi just ignores the creation of
the 2nd one (presumably because the SIP ID is identical to the first one).
Is there any way around this? In other open source clients I've used (like
CSipSimple) I'm able to have these 2 different accounts and choose between
the 2. I'd like to have this option in Jitsi too.


#2

Hey

> In latest nightly build (Win7) I can no longer get SRTP working.
> In fact the check box for SRTP in the UI is either blank or has the string
> null where it used to say SRTP.
> I've tried checking the blank checkbox anyway and making SRTP mandatory,
> but on the server side I can see that there is no crypto info being sent in
> SDP.

This is a UI problem, SDES itself is working. You can fix that temporarily
by manually editing your config-file and replacing the occurrence of ".null"
with ".SDES".

Vincent, could you take a look at that?

> Since I've used SRTP in the past with Jitsi, I believe that some recent
> update broke the SRTP implementation. ZRTP works fine. The problem is only
> with SRTP.

Actually, the recent update should have fixed "long" calls. See this thread:
http://markmail.org/message/vi4kbpy6w4w7f4bd

> Also, on another topic, is it not possible to have multiple SIP accounts
> configured with the same ID? What I mean is that on my PBX I have created 2
> profiles with different ports that have different default behaviors. (ie.
> one profile listens on 5061 and is configured for ZRTP exclusively, while
> another listens on 5071 and is configured for SRTP). Whenever I try to
> create these almost identical accounts Jitsi just ignores the creation of
> the 2nd one (presumably because the SIP ID is identical to the first one).
> Is there any way around this? In other open source clients I've used (like
> CSipSimple) I'm able to have these 2 different accounts and choose between
> the 2. I'd like to have this option in Jitsi too.

You cannot have two accounts with the same ID. Create a second extension to
test this, eg. 1234@example.org and 4321@example.com

Regards,
Ingo


#3

Thanks for the quick reply.

I think it's more than a UI issue. I also presumed initially it was a UI
bug and so I'd already tried enabling the null/blank SRTP checkbox as you
can see in my attached screenshot.
Although Jitsi registers fine to my freeswitch server using TLS transport
and mandatory SRTP/SDES, it is not sending any crypto in the SDP as is
clear in the FS logs. If I uncheck SRTP/null and check ZRTP it sends the
ZRTP hash fine, so maybe you broke something when fixing the "long call"
issue.

v=0
o=1002 0 0 IN IP4 192.168.1.101
s=-
c=IN IP4 192.168.1.101
t=0 0
m=audio 5006 RTP/SAVP 96 97 98 100 9 102 103 104 105 0 8 3 106 4 101
a=rtpmap:96 opus/48000
a=fmtp:96 usedtx=1
a=rtpmap:97 SILK/24000
a=fmtp:97 useinbandfec=1
a=rtpmap:98 SILK/16000
a=fmtp:98 useinbandfec=1
a=rtpmap:100 SILK/12000
a=fmtp:100 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:102 speex/32000
a=rtpmap:103 speex/16000
a=rtpmap:104 SILK/8000
a=fmtp:104 useinbandfec=1
a=rtpmap:105 iLBC/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:106 speex/8000
a=rtpmap:4 G723/8000
a=fmtp:4 annexa=no;bitrate=6.3
a=rtpmap:101 telephone-event/8000
a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level
m=video 5008 RTP/SAVP 107 99 108
a=rtpmap:107 H264/90000
a=fmtp:107 profile-level-id=4DE01f;packetization-mode=1
a=rtpmap:99 H264/90000
a=fmtp:99 profile-level-id=4DE01f
a=rtpmap:108 H263-1998/90000
a=fmtp:108 CIF=1;QCIF=1;CUSTOM=1440,900,2;VGA=2
a=recvonly
a=imageattr:107 send * recv [x=[0-1440],y=[0-900]]
a=imageattr:99 send * recv [x=[0-1440],y=[0-900]]

On Sun, Jan 6, 2013 at 10:02 PM, Ingo Bauersachs <ingo@jitsi.org> wrote:



#4

> I think it's more than a UI issue. I also presumed initially it was a UI
> bug and so I'd already tried enabling the null/blank SRTP checkbox as you
> can see in my attached screenshot.

Have you edited your config file manually as indicated? Just checking the
"null" option in the UI is not enough. A working config would look like
this.

net.java.sip.communicator.impl.protocol.sip.acc1356446531328.ENCRYPTION_PROTOCOL.SDES=0
net.java.sip.communicator.impl.protocol.sip.acc1356446531328.ENCRYPTION_PROTOCOL.ZRTP=1
net.java.sip.communicator.impl.protocol.sip.acc1356446531328.ENCRYPTION_PROTOCOL_STATUS.SDES=true
net.java.sip.communicator.impl.protocol.sip.acc1356446531328.ENCRYPTION_PROTOCOL_STATUS.ZRTP=false

You need to close Jitsi before you make the edit or your changes won't be
seen and will be overwritten.

> Although Jitsi registers fine to my freeswitch server using TLS transport
> and mandatory SRTP/SDES, it is not sending any crypto in the SDP as is
> clear in the FS logs. If I uncheck SRTP/null and check ZRTP it sends the
> ZRTP hash fine, so maybe you broke something when fixing the "long call"
> issue.

It's working fine here against Asterisk servers. Please double check the
config-file.

Regards,
Ingo


#5

Hi Ingo,

Indeed the changes were overwritten because Jitsi was still open. My
mistake.
Now SRTP/SDES does seem to work, although the lock in the call is still
shown as red/unencrypted, even though it also shows SRTP as the media
stream transport protocol.

thanks

On Mon, Jan 7, 2013 at 12:41 AM, Ingo Bauersachs <ingo@jitsi.org> wrote:



#6

> Indeed the changes were overwritten because Jitsi was still open. My
> mistake.
> Now SRTP/SDES does seem to work,

Good to hear.

> although the lock in the call is still shown
> as red/unencrypted, even though it also shows SRTP as the media stream
> transport protocol.

This is a known problem and Yana is looking at it.

> thanks

Regards,
Ingo
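
Added example, not part of the original thread and not Jitsi or FreeSWITCH code: a check of the kind made on the server side in message #3, flagging media sections that offer an RTP/SAVP profile without an `a=crypto` (SDES) line. The sample offers are constructed (the first is abridged from the SDP posted in message #3), the key is a dummy value, and the function and status names are hypothetical.

```python
import re
# a=crypto:<tag> <suite> inline:<key||salt>[|lifetime|MKI] (RFC 4568, media level)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:[A-Za-z0-9+/=]+")
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

# Constructed sample, abridged from the offer in message #3.
OFFER_WITHOUT_KEYS = """\
v=0
o=1002 0 0 IN IP4 192.168.1.101
s=-
c=IN IP4 192.168.1.101
t=0 0
m=audio 5006 RTP/SAVP 96 0 8 101
a=rtpmap:96 opus/48000
m=video 5008 RTP/SAVP 107
a=rtpmap:107 H264/90000
"""
# Constructed: the same offer with an SDES line on audio; the key is a dummy.
CRYPTO_LINE = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40
OFFER_WITH_AUDIO_KEY = OFFER_WITHOUT_KEYS.replace(
    "a=rtpmap:96 opus/48000\n", "a=rtpmap:96 opus/48000\n" + CRYPTO_LINE + "\n")

def audit_sdp(sdp):
    """Return one finding per m= section; key material is never copied out."""
    findings, current = [], None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                current = None  # malformed m= line: skip its attributes
                continue
            current = {"media": fields[0], "proto": fields[2], "suites": [], "zrtp_hash": False}
            findings.append(current)
        elif current is not None:  # only media-level attributes are inspected
            match = CRYPTO_RE.match(line)
            if match:
                current["suites"].append(match.group(2))
            elif line.startswith("a=zrtp-hash:"):
                current["zrtp_hash"] = True
    for f in findings:
        if f["proto"] not in SDES_PROFILES:
            f["status"] = "not-sdes-profile"
        else:
            f["status"] = "sdes-keyed" if f["suites"] else "savp-without-crypto"
    return findings

if __name__ == "__main__":
    for f in audit_sdp(OFFER_WITHOUT_KEYS):
        print(f["media"], f["proto"], f["status"])
```

A `savp-without-crypto` result for every section matches what the FreeSWITCH log in message #3 showed: a secure profile is named on the `m=` line, but no key is offered for it.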