488 Not Acceptable Here in Incoming calls with SRTP

ainamestre · June 15, 2022, 1:47pm

Hi,

I got the error 488 Not Acceptable Here when i am trying incomping calls from a freeswitch and using SRTP, when i make outgoing calls they work correctly.

I send the invite to the FreePBX correctly with the m=audio RTP/SAVP.
I have configured in the extensión (chan sip) SRTP, in the trunk (chan sip) encryption=yes, in the advanced settings of settings, SRTP .
I don’t really know why is it failing, and i’m not able to see the debug because even with verbose nothing is show.
I have also set AVP to yes to force the SAVP

I don’t want to use TLS, only SRTP

INVITE:
v=0
│ │ │o=FreeSWITCH 1655269491 1655269492 IN IP4 XX.XX.XX.XX
│ │ │s=FreeSWITCH
│ │ │c=IN IP4 109.167.76.244
│ │ │t=0 0
│ │ │m=audio 30338 RTP/SAVP 8 0 101 13
│ │ │a=rtpmap:8 PCMA/8000
│ │ │a=rtpmap:0 PCMU/8000
│ │ │a=rtpmap:101 telephone-event/8000
│ │ │a=fmtp:101 0-15
│ │ │a=rtpmap:13 CN/8000
│ │ │a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:frm9FHV/cTepRS0MWyG4DC//+BLzcaHOtoCKLEab
│ │ │a=ptime:20

david55 · June 15, 2022, 1:51pm

That’s not possible, because SRTP sends key material (frm9FHV/cTepRS0MWyG4DC) in the SDP exchange, and if that is not encrypted, anyone monitoring your traffic can obtain the keys for the SRTP encryption. It offers no security advantage over plain RTP, in practice, and can lead to a false sense of security.

Also chan_sip is deprecated and is scheduled for removal in the Autumn 2023 release of Asterisk. It is, effectively, unmaintained.

wifx · June 15, 2022, 6:31pm

Use PJSIP as said allready

In the extension, check that you have Selected AUTO in the transport.
This will accept UDP/TCP/TLS.

Check also that you are using the right port, port can be different if you are using chan_SIP or PJISP.

I use FreePBX 15 with TLS/SRTP and IPv6 and it work fine.

david55 · June 15, 2022, 7:10pm

It looks like chan_pjsip may have safeties off in this respect, as it says you should, rather than must, use TLS. You’ll have to try it to be certain.

github.com

asterisk/asterisk/blob/1cdaeb8161f47c1b6cb295725404c10aaababc02/res/res_pjsip/pjsip_config.xml#L756

      
        
            				</configOption>
            				<configOption name="media_encryption" default="no">
            					<synopsis>Determines whether res_pjsip will use and enforce usage of media encryption
            					for this endpoint.</synopsis>
            					<description>
            						<enumlist>
            							<enum name="no"><para>
            								res_pjsip will offer no encryption and allow no encryption to be setup.
            							</para></enum>
            							<enum name="sdes"><para>
            								res_pjsip will offer standard SRTP setup via in-SDP keys. Encrypted SIP
            								transport should be used in conjunction with this option to prevent
            								exposure of media encryption keys.
            							</para></enum>
            							<enum name="dtls"><para>
            								res_pjsip will offer DTLS-SRTP setup.
            							</para></enum>
            						</enumlist>
            					</description>
            				</configOption>
            				<configOption name="media_encryption_optimistic" default="no">

I’d note that PJSUA, which Asterisk doesn’t use, defaults to having the safeties on, although they can be disabled.

system · July 16, 2022, 7:11pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.