[jitsi-users] TLS and SRTP on Jitsi


#1

Good Day.

We are trying to set up Jitsi with TLS and SRTP.
Any ideas why this isn't working in Jitsi?
Is there a configuration parameter we missed?
The switch we are registered to is rejecting the call with an unsupported media message when using Jitsi with TLS SRTP.

Here are two examples of the Jitsi invites:

No TLS SRTP: which registers and can make a successful call

INVITE sip:760002@10.3.xx.xx SIP/2.0
Call-ID: d0e6d76b7b7c9acf258c6a18ce3ee2b3@0:0:0:0:0:0:0:0
CSeq: 2 INVITE
Max-Forwards: 70
From: "760001Jitsi" <sip:760001@10.3.xx.xx>;tag=4274808a
To: <sip:760002@10.3.xx.xx>
Contact: "760001Jitsi" <sip:760001@10.2.xx.xx:5060;transport=udp;registering_acc=10_3_xx_xx>
User-Agent: Jitsi2.10.5550Windows 7
Content-Type: application/sdp
Via: SIP/2.0/UDP 10.2.xx.xx:5060;branch=z9hG4bK-323230-a795b1f160bf0c926bdb19e99ab74dd1
Authorization: Digest username="760001",realm="10.3.xx.xx",nonce="9f21ae9a40d2",uri="sip:760002@10.3.xx.xx",response="e9cfadfda7cdd07ab8402e943f314875",algorithm=MD5,qop=auth,cnonce="xyz",nc=00000001
Content-Length: 307

v=0
o=760001-jitsi.org 0 0 IN IP4 10.2.xx.xx
s=-
c=IN IP4 10.2.xx.xx
t=0 0
m=audio 5016 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level
a=extmap:2 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=rtcp-xr:voip-metrics

With TLS SRTP: registers but will not make or accept a call

INVITE sip:760002@10.3.xx.xx SIP/2.0
Call-ID: b92efd9c685ed30e36b92e3904103d78@0:0:0:0:0:0:0:0
CSeq: 1 INVITE
From: "760001Jitsi" <sip:760001@10.3.xx.xx>;tag=d4dc3e57
To: <sip:760002@10.3.xx.xx>
Via: SIP/2.0/TLS 10.2.xx.xx:40448;branch=z9hG4bK-323230-46357191a983c07f59695904b7a51ad2
Max-Forwards: 70
Contact: "760001Jitsi" <sip:760001@10.2.xx.xx:40448;transport=tls;registering_acc=10_3_xx_xx>
User-Agent: Jitsi2.10.5550Windows 7
Content-Type: application/sdp
Content-Length: 735

v=0
o=760001-jitsi.org 0 0 IN IP4 10.2.xx.xx
s=-
c=IN IP4 10.2.xx.xx
t=0 0
m=audio 5014 UDP/TLS/RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level
a=extmap:2 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=rtcp-xr:voip-metrics
a=setup:actpass
a=fingerprint:sha-1 97:3F:18:33:0B:A8:26:CC:FD:9B:08:F6:90:5F:5A:42:19:A5:D5:0B
m=audio 5014 RTP/SAVPF 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level
a=extmap:2 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=rtcp-xr:voip-metrics
a=setup:actpass
a=fingerprint:sha-1 97:3F:18:33:0B:A8:26:CC:FD:9B:08:F6:90:5F:5A:42:19:A5:D5:0B

I am also using a SIP client from MicroSIP that will work with and without TLS SRTP.
I have configured both Jitsi and MicroSIP with identical setup information.

I do not have to provide any cert information in the MicroSIP setup for TLS SRTP.

Microsip with TLS SRTP
Via: SIP/2.0/TCP 10.3.xx.xx:5060;branch=z9hG4bK+f94c17895dfa93b04bb199e9bcccdfee1+sip+1+a986f97d
From: "Jerry HIL Sub" <sip:760002@10.3.xx.xx>;tag=10.3.xx.xx+1+59485c92+c88061ee
To: <sip:760001@10.3.xx.xx>
CSeq: 16787 INVITE
Expires: 180
Content-Length: 598
Supported: replaces,timer,norefersub, 100rel
Contact: <sip:961b116e4ea06fef2c92b81812192d8c@10.3.xx.xx:5060;ob>;+sip.ice
Content-Type: application/sdp
Via: SIP/2.0/TLS xx.xx.xx.xx:55017;received=xx.xx.xx.xx;rport=55017;alias;branch=z9hG4bKPj8c7a46b73e00425ea033509ba8e03918
Max-Forwards: 69
Call-ID: 0gQAAC8WAAACBAAALxYAAGChk/ClOIVLeZI0MeTNYjA8JCf32nb3D0i6f8ssLvN3@10.3.xx.xx
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Session-Expires: 1800
Min-SE: 90
User-Agent: MicroSIP/3.15.10
Accept: application/sdp, application/dtmf-relay

v=0
o=- 33634407917890 33634407917890 IN IP4 10.3.xx.xx
s=-
c=IN IP4 10.3.xx.xx
t=0 0
a=X-nat:0
m=audio 35788 RTP/AVP 8 0 101
b=TIAS:64000
a=sendrecv
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=rtcp:59702 IN IP4 10.2.xxx.xx
a=fmtp:101 0-16
a=ice-ufrag:4ae13d6c
a=ice-pwd:2cd672ae
a=candidate:Ha027016 1 UDP 2130706431 10.2.xxx.xx 59700 typ host
a=candidate:Hc0a83801 1 UDP 2130706431 192.168.xx.x 59700 typ host
a=candidate:Ha027016 2 UDP 2130706430 10.2.xxx.xx 59702 typ host
a=candidate:Hc0a83801 2 UDP 2130706430 192.168.xx.x 59702 typ host

Jerry Chinn
Telecom VoIP Specialist


#2

> We are trying to set up Jitsi with TLS and SRTP.
>
> Any ideas why this isn't working in Jitsi?
>
> Is there a configuration parameter we missed?

From what I can see in the traces:

- Jitsi sends an invite with DTLS-SRTP enabled
- The Microsip invites are NOT using SRTP

I'm not sure what kind of key exchange you're trying to use. SDES maybe?
Make sure you enable it in the SIP account's advanced security options.

> The switch we are registered to is rejecting the call with an unsupported
> media message when using Jitsi with TLS SRTP
>
> [...]
> Jerry Chinn
> Telecom VoIP Specialist

Ingo
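
Added example (not part of the original thread, and not Jitsi or MicroSIP code): the comparison made in the reply above can be done mechanically by reading each m= section of an SDP body and reporting its transport profile and keying method (DTLS-SRTP via a=fingerprint, SDES via a=crypto, or plain RTP). The function names `classify_sdp` and `summarize` are hypothetical, the two trace samples are abridged from the messages above, and the SDES sample is constructed for comparison.

```python
# Added example: classify how each SDP media section is (or is not) secured.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def classify_sdp(sdp):
    """Return one dict per m= section with its profile and keying method."""
    sections, current, session_fp = [], None, False
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "port": int(port.split("/")[0]),
                       "proto": proto, "fingerprint": session_fp, "crypto": False}
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fp = True      # session-level fingerprint covers all media
            else:
                current["fingerprint"] = True
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"] = True   # SDES key carried inline in the SDP
    for s in sections:
        if s["fingerprint"]:
            s["keying"] = "DTLS-SRTP"
        elif s["crypto"]:
            s["keying"] = "SDES"
        elif s["proto"] in SRTP_PROFILES:
            s["keying"] = "SRTP profile without keying attribute"
        else:
            s["keying"] = "none (plain RTP)"
    return sections

def summarize(sdp):
    """Compact (port, profile, keying) view, one tuple per media section."""
    return [(s["port"], s["proto"], s["keying"]) for s in classify_sdp(sdp)]

# Media sections abridged from the traces in this thread.
FP = "a=fingerprint:sha-1 97:3F:18:33:0B:A8:26:CC:FD:9B:08:F6:90:5F:5A:42:19:A5:D5:0B"
JITSI_TLS = "\n".join(["v=0", "m=audio 5014 UDP/TLS/RTP/SAVP 0 101", "a=setup:actpass", FP,
                       "m=audio 5014 RTP/SAVPF 0 101", "a=setup:actpass", FP])
MICROSIP = "\n".join(["v=0", "a=X-nat:0", "m=audio 35788 RTP/AVP 8 0 101", "a=sendrecv"])
# Constructed SDES offer (the key is a dummy value), for comparison only.
SDES = "\n".join(["v=0", "m=audio 5014 RTP/SAVP 0 101",
                  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40])

if __name__ == "__main__":
    for name, sdp in [("Jitsi TLS", JITSI_TLS), ("MicroSIP", MICROSIP), ("SDES", SDES)]:
        print(name, summarize(sdp))
```

Run against a captured INVITE body, this shows at a glance whether an endpoint that "works with TLS" is actually offering encrypted media or only encrypted signalling.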