I would like to thank Ingo for the kind and patient assistance he
provided. I was really close to giving up on this.
For anyone else that runs into this situation, this is what was keeping
me from getting an SRTP connection with Asterisk 11:
[2015-03-11 13:44:34] WARNING[22725][C-000015e5]: chan_sip.c:10392
process_sdp: Rejecting secure video stream without encryption details:
video 5014 RTP/SAVP 105 99
This is caused by keeping the default video codec enabled in Jitsi
for the device account. To fix this, under the Encodings
tab for the device account in question one must check the <Override
global encoding settings> box and uncheck all of the Video codecs.
Evidently, on a stock install of Jitsi for Linux the video codec H264
is enabled for all accounts. That is probably also true for the
Windows and OS X versions.
So, a thumbnail sketch for future searchers:
On Jitsi, set the account and provider as usual. Then on the Security
tab enable encryption, select SDES only, check at least the AES80
cipher suite and select 'Mandatory (offer and accept only RTP/SAVP)'
in the RTP/SAVP indication selection box. Then on the Encodings tab
deselect all video codecs and enable global override. In the Global
Options tab set the SIP settings to:
SIP client port: 5060
SIP client secure port: 5061
Enabled SSL/TLS protocols == ALL, excepting SSLv2Hello and SSLv3
On Asterisk:
[general]
. . .
disallow=all
allow=ulaw
allow=alaw
allow=gsm
tcpenable=yes
tlsenable=yes
tlscertfile=/path/to/combined/key/and certificate/chain/file
; skips verification of the remote certificate when Asterisk itself is the
; TLS client, so the peer is not authenticated on outbound TLS connections
tlsdontverifyserver=yes
tlscipher=HIGH
tlsclientmethod=tlsv1
. . .
[account id or number]
deny=0.0.0.0/0.0.0.0
secret=whatever
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=auto_force_rport,auto_comedia
port=5061
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/90021
mailbox=90021@device
permit=0.0.0.0/0.0.0.0
callerid=Whatever You Call yourself
callcounter=yes
faxdetect=no
cc_monitor_policy=generic
I also set the DNS NAPTR/SRV RRs for our domain as suggested earlier.
These permit us to call device@harte-lyne.ca rather than having to
specify the exact host or IP address associated with the Asterisk
server. They are shown below for completeness (sorry about the wrap).
;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
With all that in place then you should be good to go.
Again, many thanks for the help.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
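Added example, not part of this message or of the Asterisk or Jitsi code: a small Python check that applies the rule behind the process_sdp warning quoted above, flagging any m= line offered with the RTP/SAVP profile whose section carries no a=crypto key material. The SDP body is constructed to mirror the failing offer (audio keyed, video not); addresses and the key are placeholders.

```python
import re

# Constructed sample offer reproducing the situation in the post: the audio
# stream carries SDES key material (a=crypto) but the video stream is offered
# as RTP/SAVP with no a=crypto attribute at all. Address and key are placeholders.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=jitsi 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 5012 RTP/SAVP 0 8 3",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_SALT",
    "a=rtpmap:0 PCMU/8000",
    "m=video 5014 RTP/SAVP 105 99",
    "a=rtpmap:105 H264/90000",
])

MEDIA_RE = re.compile(r"^m=(\S+) (\d+) (\S+)(.*)$")


def parse_media_sections(sdp):
    """Split an SDP body into its m= sections, collecting each section's a= lines."""
    sections = []
    for line in sdp.splitlines():
        m = MEDIA_RE.match(line)
        if m:
            media, port, profile, fmts = m.groups()
            sections.append({"line": line, "media": media, "port": int(port),
                             "profile": profile, "formats": fmts.split(),
                             "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def has_sdes_keys(section):
    """True if the section offers at least one SDES key (a=crypto:<tag> <suite> inline:...)."""
    return any(a.startswith("crypto:") and " inline:" in a for a in section["attrs"])


def rejected_streams(sdp):
    """Return the m= lines Asterisk would refuse: RTP/SAVP(F) profile but no key material."""
    return [s["line"] for s in parse_media_sections(sdp)
            if s["profile"].startswith("RTP/SAVP") and not has_sdes_keys(s)]


if __name__ == "__main__":
    for mline in rejected_streams(SAMPLE_SDP):
        print("Rejecting secure stream without encryption details:", mline)
```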