488 Not Acceptable Here in Incoming calls with SRTP


I got the error 488 Not Acceptable Here when i am trying incomping calls from a freeswitch and using SRTP, when i make outgoing calls they work correctly.

I send the invite to the FreePBX correctly with the m=audio RTP/SAVP.
I have configured in the extensión (chan sip) SRTP, in the trunk (chan sip) encryption=yes, in the advanced settings of settings, SRTP .
I don’t really know why is it failing, and i’m not able to see the debug because even with verbose nothing is show.
I have also set AVP to yes to force the SAVP

I don’t want to use TLS, only SRTP

│ │ │o=FreeSWITCH 1655269491 1655269492 IN IP4 XX.XX.XX.XX
│ │ │s=FreeSWITCH
│ │ │c=IN IP4
│ │ │t=0 0
│ │ │m=audio 30338 RTP/SAVP 8 0 101 13
│ │ │a=rtpmap:8 PCMA/8000
│ │ │a=rtpmap:0 PCMU/8000
│ │ │a=rtpmap:101 telephone-event/8000
│ │ │a=fmtp:101 0-15
│ │ │a=rtpmap:13 CN/8000
│ │ │a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:frm9FHV/cTepRS0MWyG4DC//+BLzcaHOtoCKLEab
│ │ │a=ptime:20

That’s not possible, because SRTP sends key material (frm9FHV/cTepRS0MWyG4DC) in the SDP exchange, and if that is not encrypted, anyone monitoring your traffic can obtain the keys for the SRTP encryption. It offers no security advantage over plain RTP, in practice, and can lead to a false sense of security.

Also chan_sip is deprecated and is scheduled for removal in the Autumn 2023 release of Asterisk. It is, effectively, unmaintained.

1 Like

Use PJSIP as said allready :slight_smile:

In the extension, check that you have Selected AUTO in the transport.
This will accept UDP/TCP/TLS.

Check also that you are using the right port, port can be different if you are using chan_SIP or PJISP.

I use FreePBX 15 with TLS/SRTP and IPv6 and it work fine.

It looks like chan_pjsip may have safeties off in this respect, as it says you should, rather than must, use TLS. You’ll have to try it to be certain.

I’d note that PJSUA, which Asterisk doesn’t use, defaults to having the safeties on, although they can be disabled.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.