Summary: | ASTERISK-17505: Announced transfert with Aastra not works | ||
Reporter: | Bernard Merindol (bernard merindol) | Labels: | |
Date Opened: | 2011-03-03 09:24:50.000-0600 | Date Closed: | 2012-07-26 15:51:41 |
Priority: | Minor | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/SRTP |
Versions: | 1.8.3 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) full ( 1) res_srtp.c.patch ( 2) srtppb.pcap | |
Description: | Hi, When use SRTP with aastra phone the announced transfert not works. A call B, B call C for prepare transfert, C accept transfert,B finish transfer. C ear A, but A not ear C. For me this problem is due at C send new crypto key in OK of (re)-Invite. In this cas asterisk not change the key and the RTC traffic from C to a is not uncrypted by Asterisk. In full I see: [Mar 3 16:17:54] WARNING[10455] res_srtp.c: SRTP unprotect: authentication failure [Mar 3 16:17:54] WARNING[10455] res_srtp.c: SRTP unprotect: authentication failure [Mar 3 16:17:54] WARNING[10455] res_srtp.c: SRTP unprotect: authentication failure Before I see: IN OK of aastra (tne C phone) --- SIP read from TLS:192.168.169.214:5061 ---> SIP/2.0 200 OK Via: SIP/2.0/TLS 192.168.169.60:5061;branch=z9hG4bK650a3a5b;rport=5061;received=192.168.169.60 From: "P1001" <sip:1001@192.168.169.60>;tag=as18df4bfc To: <sips:1002@192.168.169.214:5061>;tag=1795192984 Call-ID: 402518d63295ba81158bf5584f87abc3@192.168.169.60:5061 CSeq: 103 INVITE Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK, SUBSCRIBE, INFO Allow-Events: talk, hold, conference, LocalModeStatus Contact: "TCE" <sips:1002@192.168.169.214:5061>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-00085D28CD53>" Require: timer Server: Aastra 6731i/2.6.0.2010 Session-Expires: 900;refresher=uas Supported: gruu, path, timer, replaces Content-Type: application/sdp Content-Length: 297 v=0 o=MxSIP 0 1 IN IP4 192.168.169.214 s=SIP Call c=IN IP4 192.168.169.214 t=0 0 m=audio 8000 RTP/SAVP 8 101 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Tjd2dixXKzBlQ3okdUpGK0IwZHB3Y1lGIXtKJT45 a=fmtp:101 0-15 a=ptime:20 a=sendrecv The asterisk process: [Mar 3 16:16:11] DEBUG[10255] chan_sip.c: Processing media-level (audio) SDP a=rtpmap:101 telephone-event/8000... OK. [Mar 3 16:16:11] DEBUG[10255] res_srtp.c: Policy already exists, not re-adding [Mar 3 16:16:11] WARNING[10255] sip/sdp_crypto.c: Could not set local SRTP policy [Mar 3 16:16:11] DEBUG[10255] chan_sip.c: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Tjd2dixXKzBlQ3okdUpGK0IwZHB3Y1lGIXtKJT45... UNSUPPORTE\ D. [Mar 3 16:16:11] DEBUG[10255] chan_sip.c: Processing media-level (audio) SDP a=fmtp:101 0-15... UNSUPPORTED. [Mar 3 16:16:11] DEBUG[10255] chan_sip.c: Processing media-level (audio) SDP a=ptime:20... OK. [Mar 3 16:16:11] DEBUG[10255] chan_sip.c: Processing media-level (audio) SDP a=sendrecv... OK. In this case Asterisk not change the policy. I have tested with iPHONE with BRIA sip phone in C phone. The transfert works fine. But Bria not change the crypto in OK. Thank for your help. Best regards | ||
Comments: | By: Leif Madsen (lmadsen) 2011-03-03 14:02:28.000-0600 Please also provide a pcap trace of this call without TLS enabled. By: Leif Madsen (lmadsen) 2011-03-03 14:02:47.000-0600 <otherwiseguy> Could be a bug. They could post a pcap file as long as they aren't also using TLS. In any case, probably something that we would just try to reproduce and go from there. By: Bernard Merindol (bernard merindol) 2011-03-07 07:19:05.000-0600 I have added files. asterisk IP: 192.168.169.60 TelA P1000 IP 192.168.169.102 TelB P1001 IP 192.168.169.100 TelC P1002 IP 192.168.169.101 Sory for this IP addresses is my DHCP. By: Bernard Merindol (bernard merindol) 2011-06-25 11:26:32.975-0500 I have resolved this issue by to patch. one in chan_sip.c In process_crypto function change /* For now, when we receive an INVITE just take the first successful crypto line */ if ((*srtp)->crypto && !ast_test_flag(&p->flags[0], SIP_OUTGOING)) { ast_debug(3, "We've already processed a crypto attribute, skipping '%s'\n", a); return FALSE; } /* For now, when we receive an INVITE just take the first successful crypto line */ if ((*srtp)->crypto && !ast_test_flag(&p->flags[0], SIP_OUTGOING)) { ast_debug(3, "We've already processed a crypto attribute, skipping '%s'\n", a); //TNE return FALSE; } To permit change crypto in OK message. Second in res_srtp.c See attached file for this patch is more important. This modification works but I am not very sure on ast_free added in res_srtp.c Best regards By: Bernard Merindol (bernard merindol) 2011-06-25 11:29:32.934-0500 res_srtp.c patch By: Tilt (tiltlit) 2011-12-29 13:43:23.478-0600 Sorry to bring from the dead, but I am also experiencing this same issue. I don't experience this issue with phonerlite (soft client) I can confirm that Aastra 55i(latest FW 3.2.2.56) works with srtp / tls with Asterisk 1.8.8, but not after placing call on hold/conference etc. /// [Dec 29 11:33:47] VERBOSE[8098] netsock2.c: == Using SIP RTP TOS bits 184 [Dec 29 11:33:47] VERBOSE[8098] netsock2.c: == Using SIP RTP CoS mark 5 [Dec 29 11:33:47] VERBOSE[8098] app_dial.c: -- Called SIP/trunk-outbound/5555555555 [Dec 29 11:33:49] VERBOSE[8098] app_dial.c: -- SIP/trunk-outbound-00000036 is making progress passing it to SIP/203-00000035 [Dec 29 11:34:06] VERBOSE[8098] app_dial.c: -- SIP/trunk-outbound-00000036 answered SIP/203-00000035 [Dec 29 11:34:11] VERBOSE[8098] res_musiconhold.c: -- Started music on hold, class 'default', on SIP/trunk-outbound-00000036 [Dec 29 11:34:47] VERBOSE[8098] res_musiconhold.c: -- Stopped music on hold on SIP/trunk-outbound-00000036 [Dec 29 11:34:48] WARNING[8098] res_srtp.c: SRTP unprotect: authentication failure 10 [Dec 29 11:34:50] WARNING[8098] res_srtp.c: SRTP unprotect: authentication failure 110 /// Quoted -- from "Bernard Merindol" "This modification works but I am not very sure on ast_free added in res_srtp.c" Any developer comments on the above statement/patch? thank you! By: Bernard Merindol (bernard merindol) 2012-03-10 04:01:40.115-0600 Hi, I have tested this patch https://reviewboard.asterisk.org/r/1741/ but not resolv all of this issue But if you change chan_sip.c /* For now, when we receive an INVITE just take the first successful crypto line */ if ((*srtp)->crypto && !ast_test_flag(&p->flags[0], SIP_OUTGOING)) { ast_debug(3, "We've already processed a crypto attribute, skipping '%s'\n", a); return FALSE; } by /* For now, when we receive an INVITE just take the first successful crypto line */ if ((*srtp)->crypto && !ast_test_flag(&p->flags[0], SIP_OUTGOING)) { ast_debug(3, "We've already processed a crypto attribute, skipping '%s'\n", a); // return FALSE; } Is works fine. In issue ASTERISK-17505 this change is proposed. Best regards Bernard By: Matt Jordan (mjordan) 2012-07-26 15:10:44.252-0500 There were a number of patches that went in to try and accommodate this behavior. Please test with Asterisk 1.8.13.0 or later and let us know if there are still problems with re-INVITE requests the request new SRTP keys. By: Bernard Merindol (bernard merindol) 2012-07-26 15:16:46.965-0500 Hi Matt, Thank for this comment. This issue is close for me. From version 1.8.11 the re-invite works fine in SRTP. I have removed my patch and use the normal Asterisk for my customers. Thank and best regards Bernard |