Getting SRTP to work with FreePBX 17

We recently “upgraded” from FreePBX 15 to 17, and we had a number of communication issues immediately after. It seems that the thing they all had in common was that SRTP was enabled.

Most of our phones are Poly VVX 450, but we also use some other manufacturers and models; the problem exists regardless of model. The VVX450 is just the easiest to refer to, because we use EPM for it.

On extension 4291 (as an example), if in FreePBX I set:
Media Encryption = SRTP via in-SDP (recommended)
Allow Non-Encrypted Media (Opportunistic SRTP) = Yes (or no, makes no difference)
and the Polycom SIP-Interop.cfg includes:
sec.srtp.offer=1
sec.srtp.require=0 (or 1, makes no difference)

Then the call fails.

The only way I have found to get calls to work is to set:
Media Encryption = None
and/or
sec.srtp.offer=0

Basically, if either side prohibits SRTP and the other side is OK with that, then the call will succeed. But if both sides optionally accept SRTP, or if either side or both sides make it mandatory, the call will fail.

In the system log, whenever a call fails for this reason, I see:

ERROR[177858] res_pjsip_session.c: 4291: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)

I’ve used pjsip logger to see if I can find anything more useful, and… it’s not helping me, but maybe it will help someone else. Hence my making this post.

<--- Received SIP request (1259 bytes) from TLS:10.200.63.40:61268 --->
INVITE sip:[email protected]:5061;user=phone;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.200.63.40:61268;branch=z9hG4bKe84be92c79316637
From: "4291-Display Name" <sip:[email protected]:5061>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>
CSeq: 1 INVITE
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
Contact: <sip:[email protected]:61268;transport=tls>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
User-Agent: PolycomVVX-VVX_450-UA/6.4.6.2681
Accept-Language: en
Supported: replaces,100rel
Allow-Events: conference,talk,hold
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 559

v=0
o=- 1736887304 1736887304 IN IP4 10.200.63.40
s=Polycom IP Phone
c=IN IP4 10.200.63.40
t=0 0
a=sendrecv
m=audio 2222 RTP/SAVP 0 8 18 9 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:S+AcF4EvckyX6vfy1yncN6yPHs+WLVQtG8FoWGvR
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
m=audio 2222 RTP/AVP 0 8 18 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000

<--- Transmitting SIP response (564 bytes) to TLS:10.200.63.40:61268 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.200.63.40:61268;rport=61268;received=10.200.63.40;branch=z9hG4bKe84be92c79316637
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
From: "4291-Display Name" <sip:[email protected]>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>;tag=z9hG4bKe84be92c79316637
CSeq: 1 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1736887304/828301edf317221745e8ab8f6c96fe22",opaque="2450f4d71cb0267a",algorithm=MD5,qop="auth"
Server: Crosstalk PBX-17.0.19.23(21.6.0)
Content-Length:  0


<--- Received SIP request (620 bytes) from TLS:10.200.63.40:61268 --->
ACK sip:[email protected]:5061;user=phone;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.200.63.40:61268;branch=z9hG4bKe84be92c79316637
From: "4291-Display Name" <sip:[email protected]>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>;tag=z9hG4bKe84be92c79316637
CSeq: 1 ACK
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
Contact: <sip:[email protected]:61268;transport=tls>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
User-Agent: PolycomVVX-VVX_450-UA/6.4.6.2681
Accept-Language: en
Max-Forwards: 70
Content-Length: 0


<--- Received SIP request (1581 bytes) from TLS:10.200.63.40:61268 --->
INVITE sip:[email protected]:5061;user=phone;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.200.63.40:61268;branch=z9hG4bK74bc47d8696A9709
From: "4291-Display Name" <sip:[email protected]:5061>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>
CSeq: 2 INVITE
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
Contact: <sip:[email protected]:61268;transport=tls>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
User-Agent: PolycomVVX-VVX_450-UA/6.4.6.2681
Accept-Language: en
Supported: replaces,100rel
Allow-Events: conference,talk,hold
Authorization: Digest username="4291", realm="asterisk", nonce="1736887304/828301edf317221745e8ab8f6c96fe22", qop=auth, cnonce="wSY2m76g+dMAZIl", nc=00000001, opaque="2450f4d71cb0267a", uri="sip:[email protected]:5061;user=phone;transport=tls", response="b0d9a8f331b90f12f692de5e22c33d07", algorithm=MD5
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 559

v=0
o=- 1736887304 1736887304 IN IP4 10.200.63.40
s=Polycom IP Phone
c=IN IP4 10.200.63.40
t=0 0
a=sendrecv
m=audio 2222 RTP/SAVP 0 8 18 9 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:S+AcF4EvckyX6vfy1yncN6yPHs+WLVQtG8FoWGvR
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
m=audio 2222 RTP/AVP 0 8 18 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000

<--- Transmitting SIP response (384 bytes) to TLS:10.200.63.40:61268 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 10.200.63.40:61268;rport=61268;received=10.200.63.40;branch=z9hG4bK74bc47d8696A9709
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
From: "4291-Display Name" <sip:[email protected]>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>
CSeq: 2 INVITE
Server: Crosstalk PBX-17.0.19.23(21.6.0)
Content-Length:  0


  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio CoS mark 5
[2025-01-14 15:41:44] ERROR[177858]: res_pjsip_session.c:946 handle_incoming_sdp:  4291: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)

<--- Transmitting SIP response (438 bytes) to TLS:10.200.63.40:61268 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 10.200.63.40:61268;rport=61268;received=10.200.63.40;branch=z9hG4bK74bc47d8696A9709
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
From: "4291-Display Name" <sip:[email protected]>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>;tag=4056c26b-f43e-45dc-ad20-7c34433fbca5
CSeq: 2 INVITE
Server: Crosstalk PBX-17.0.19.23(21.6.0)
Content-Length:  0


<--- Received SIP request (633 bytes) from TLS:10.200.63.40:61268 --->
ACK sip:[email protected]:5061;user=phone;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.200.63.40:61268;branch=z9hG4bK74bc47d8696A9709
From: "4291-Display Name" <sip:[email protected]>;tag=CB87FCE-74D2D477
To: <sip:[email protected];user=phone>;tag=4056c26b-f43e-45dc-ad20-7c34433fbca5
CSeq: 2 ACK
Call-ID: c0f0874679a6117fd3a2d7af0e72482a
Contact: <sip:[email protected]:61268;transport=tls>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
User-Agent: PolycomVVX-VVX_450-UA/6.4.6.2681
Accept-Language: en
Max-Forwards: 70
Content-Length: 0

Does anyone have any advice for me? Please? Thanks in advance.
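The SDP in the log above shows what the phone actually offers: an RTP/SAVP m= line carrying an a=crypto attribute, followed by an RTP/AVP copy on the same port as the plaintext fallback, i.e. an opportunistic offer, and Asterisk's error names stream 0, the SAVP one. The following is an added example, not code from this thread or from FreePBX, Asterisk or Poly: a small parser that classifies an offer as required, opportunistic or plaintext SRTP and checks that each a=crypto line carries the key-material length its suite requires (RFC 4568 for the AES_CM_128 suites, RFC 6188 and RFC 7714 for the others). The first SDP body is copied from the INVITE posted above; the other two are constructed.

```python
"""Classify the SRTP posture of an SDP offer and sanity-check its a=crypto lines.

Added example for this thread; not code from FreePBX, Asterisk or Poly.
"""
import base64
import re
from dataclasses import dataclass, field

# Master key + master salt length in bytes per SDES crypto suite
# (RFC 4568 for AES_CM_128, RFC 6188 for AES_256_CM, RFC 7714 for AEAD GCM).
SUITE_KEY_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "AES_256_CM_HMAC_SHA1_80": 46,
    "AES_256_CM_HMAC_SHA1_32": 46,
    "AEAD_AES_128_GCM": 28,
    "AEAD_AES_256_GCM": 44,
}
SECURE_PROTOS = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] ...
CRYPTO_RE = re.compile(r"^crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

# SDP body copied from the Polycom INVITE posted in this thread.
POLY_OFFER = """v=0
o=- 1736887304 1736887304 IN IP4 10.200.63.40
s=Polycom IP Phone
c=IN IP4 10.200.63.40
t=0 0
a=sendrecv
m=audio 2222 RTP/SAVP 0 8 18 9 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:S+AcF4EvckyX6vfy1yncN6yPHs+WLVQtG8FoWGvR
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
m=audio 2222 RTP/AVP 0 8 18 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
"""
# Constructed: what a phone with SRTP mandatory and no fallback would send.
REQUIRED_OFFER = """v=0
m=audio 4000 RTP/SAVP 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:S+AcF4EvckyX6vfy1yncN6yPHs+WLVQtG8FoWGvR
a=rtpmap:9 G722/8000
"""
# Constructed: a secure profile with no key material at all (invalid per RFC 4568).
BROKEN_OFFER = """v=0
m=audio 4000 RTP/SAVP 9
a=rtpmap:9 G722/8000
"""

@dataclass
class MediaStream:
    media: str
    port: int
    proto: str
    payloads: list
    crypto: list = field(default_factory=list)    # (tag, suite, key_b64)
    problems: list = field(default_factory=list)

    @property
    def secure(self) -> bool:
        return self.proto in SECURE_PROTOS

def key_material_ok(suite: str, key_b64: str) -> bool:
    """True if the inline value decodes to exactly the key||salt length the suite needs."""
    expected = SUITE_KEY_BYTES.get(suite)
    if expected is None:
        return False
    try:
        return len(base64.b64decode(key_b64, validate=True)) == expected
    except ValueError:
        return False

def parse_sdp(text: str) -> list:
    """Return one MediaStream per m= line, with its crypto attributes and any problems found."""
    streams, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, val = line[0], line[2:]
        if key == "m":
            parts = val.split()
            cur = MediaStream(parts[0], int(parts[1]), parts[2], parts[3:])
            streams.append(cur)
        elif key == "a" and cur is not None:
            m = CRYPTO_RE.match(val)
            if m:
                cur.crypto.append((int(m.group(1)), m.group(2), m.group(3)))
    for s in streams:
        if s.secure and not s.crypto:
            s.problems.append("secure profile without a=crypto (RFC 4568 requires one)")
        if not s.secure and s.crypto:
            s.problems.append("a=crypto on a plaintext profile has no effect")
        for tag, suite, key in s.crypto:
            if not key_material_ok(suite, key):
                s.problems.append(f"crypto tag {tag}: bad key length or unknown suite {suite}")
    return streams

def classify_offer(streams: list) -> str:
    """required = only secure profiles; opportunistic = secure plus plaintext fallback."""
    secure = any(s.secure for s in streams)
    plain = any(not s.secure for s in streams)
    if secure and plain:
        return "srtp-opportunistic"
    if secure:
        return "srtp-required"
    return "plaintext"
```

Note that the inline value is the SRTP master key and salt in the clear; SDES only stays confidential because the INVITE travelled over TLS (TLS:10.200.63.40:61268 in the log), so SRTP negotiated this way over plain UDP or TCP signalling protects media from nobody who can read the signalling.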

Yeah, set only one codec on both sides and test again. 488 is generally thrown when things like SDP (codecs) don’t match.

It’s also thrown when the encryption options don’t match, or for SAVP versus SAVPF conflicts (SIP v WebRTC).

I reconfigured a Poly phone so that g722 was the only acceptable codec, and then changed the extension in FreePBX to:

Disallowed Codecs: all
Allowed Codecs: g722

I also set both the phone and FreePBX to make SRTP mandatory. I wound up with the same result (488).

I don’t really understand how the codec could be the problem though… because the phone is perfectly capable of communication with FreePBX if SRTP is disabled. The two scenarios use the exact same codecs, right? Or am I missing something fundamental?

I was just making sure it wasn’t a codec issue, since there was never a response showing the codecs on the PBX side.

In the Polycom you only have Enable SRTP set to yes? That’s default even when not using TLS. Did you enable Offer SRTP which tells the phone to offer the SRTP options in the media stream?

Yes, I’ve made sure that sec.srtp.offer is set to 1. As you mentioned, sec.srtp.enable is also set to 1 (as is default).

sec.srtp.require can be set to either 0 or 1, it doesn’t seem to matter; if it’s offered, then the call fails.

So, trying to figure out if it’s something to do with encryption, I tried to call into the system from the PSTN and send the call to this extension, to see what the SAVP offer would be. … I couldn’t even find any communication where it tried reaching the endpoints. I did find this:

[2025-01-14 19:52:09] VERBOSE[249329][C-0000010f] app_dial.c: Called PJSIP/4291/sip:[email protected]:56325;transport=TLS
[2025-01-14 19:52:09] VERBOSE[249329][C-0000010f] app_dial.c: Called PJSIP/4291/sips:[email protected]:62343;transport=TLS;rinstance=CB5ABE9F;x-ast-orig-host=10.65.16.2:62343
[2025-01-14 19:52:09] VERBOSE[249329][C-0000010f] app_dial.c: Called PJSIP/4291/sip:[email protected]:35044;transport=TLS;x-ast-orig-host=192.168.9.101:55926
[2025-01-14 19:52:09] VERBOSE[177858] netsock2.c: Using SIP RTP Audio TOS bits 184
[2025-01-14 19:52:09] VERBOSE[177858] netsock2.c: Using SIP RTP Audio CoS mark 5
[2025-01-14 19:52:09] VERBOSE[190757] netsock2.c: Using SIP RTP Audio TOS bits 184
[2025-01-14 19:52:09] VERBOSE[190757] netsock2.c: Using SIP RTP Audio CoS mark 5
[2025-01-14 19:52:09] ERROR[190757] res_pjsip_session.c:  PJSIP/4291-000001ae: Couldn't add sdp streams for stream 0:audio-0:audio:sendrecv (g722)
[2025-01-14 19:52:09] VERBOSE[208304] netsock2.c: Using SIP RTP Audio TOS bits 184
[2025-01-14 19:52:09] VERBOSE[208304] netsock2.c: Using SIP RTP Audio CoS mark 5
[2025-01-14 19:52:09] ERROR[208304] res_pjsip_session.c:  PJSIP/4291-000001ad: Couldn't add sdp streams for stream 0:audio-0:audio:sendrecv (g722)
[2025-01-14 19:52:09] ERROR[177858] res_pjsip_session.c:  PJSIP/4291-000001af: Couldn't add sdp streams for stream 0:audio-0:audio:sendrecv (g722)

Is it possible that pjsip didn’t attempt to contact the endpoints despite the above?

So I’ve determined that res_srtp.so is not loaded. Should it be? From what I’m reading online, it should be, but… I’ve never needed to dig into that before.

CLI> module load res_srtp.so
Unable to load module res_srtp.so
Command 'module load res_srtp.so' failed.
[2025-01-14 21:41:39] ERROR[266608]: loader.c:283 module_load_error: Error loading module 'res_srtp.so': libsrtp2.so.1: cannot open shared object file: No such file or directory

I just installed FreePBX 15 on a test VM, and res_srtp.so is loaded by default there.
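Before blaming codecs or the phone, the first check is whether the module that implements SRTP is actually loaded and whether its shared-library dependencies resolve; the loader error quoted above (libsrtp2.so.1: cannot open shared object file) is exactly what ldd reports as "not found" for that module. The following is an added example, not part of this thread, of FreePBX or of its install script: it parses ldd output for unresolved sonames across the Asterisk module directory and parses "module show like" output to confirm res_srtp.so is running. The module directory path is an assumption (the Debian default); the sample ldd and CLI outputs are constructed to match the failure described in the thread.

```python
"""Check that Asterisk's SRTP module can load: unresolved shared libraries and module state.

Added example for this thread; not part of FreePBX, Asterisk or the install script.
"""
import os
import re
import subprocess

MODULE_DIR = "/usr/lib/asterisk/modules"  # assumption: Debian/FreePBX 17 default location
NOT_FOUND_RE = re.compile(r"^\s*(\S+)\s+=>\s+not found", re.MULTILINE)

def missing_from_ldd(ldd_output: str) -> list:
    """Return the sonames that ldd could not resolve, in order of appearance."""
    return NOT_FOUND_RE.findall(ldd_output)

def module_loaded(module_show_output: str, module: str) -> bool:
    """Parse 'module show like <name>' output. A loaded module appears as a row whose
    first column is its filename; the header row and the trailing 'N modules loaded'
    line never start with a .so name, so they are skipped naturally."""
    for line in module_show_output.splitlines():
        cols = line.split()
        if cols and cols[0] == module:
            return True
    return False

def ldd(path: str) -> str:
    """Run ldd on one module (live check; the constructed samples below bypass this)."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout

def scan_modules(module_dir: str = MODULE_DIR, runner=ldd) -> dict:
    """Map every module that has unresolved dependencies to its list of missing sonames."""
    report = {}
    for name in sorted(os.listdir(module_dir)):
        if name.endswith(".so"):
            missing = missing_from_ldd(runner(os.path.join(module_dir, name)))
            if missing:
                report[name] = missing
    return report

# Constructed sample ldd output, modelled on this thread's failure: libsrtp2.so.1 absent.
SAMPLE_LDD_BROKEN = """\tlinux-vdso.so.1 (0x00007ffd7b5f1000)
\tlibsrtp2.so.1 => not found
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a3c000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a3c2d0000)
"""
# Constructed sample after installing the runtime package.
SAMPLE_LDD_OK = """\tlibsrtp2.so.1 => /lib/x86_64-linux-gnu/libsrtp2.so.1 (0x00007f1a3c100000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a3c000000)
"""
# Constructed 'module show like res_srtp' output before and after the fix.
SAMPLE_SHOW_MISSING = """Module                         Description                              Use Count  Status      Support Level
0 modules loaded
"""
SAMPLE_SHOW_LOADED = """Module                         Description                              Use Count  Status      Support Level
res_srtp.so                    Secure RTP (SRTP)                        0          Running              core
1 modules loaded
"""

if __name__ == "__main__":
    # Live check on a real box: list every module with a dangling dependency,
    # then confirm the SRTP module is actually running.
    for mod, libs in scan_modules().items():
        print(f"{mod}: missing {', '.join(libs)}")
    show = subprocess.run(["asterisk", "-rx", "module show like res_srtp"],
                          capture_output=True, text=True, check=False).stdout
    print("res_srtp.so loaded:", module_loaded(show, "res_srtp.so"))
```

On Debian, apt-file search followed by the unresolved soname maps it to the package that ships it (libsrtp2.so.1 is in libsrtp2-1); the runtime library alone is what the module needs, the -dev package is only required to build Asterisk against it.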

I think you’re missing the libsrtp2-dev package. Run apt list --installed | grep -i libsrtp and you should see:

libsrtp2-1/stable,stable,stable,now 2.5.0-3 amd64 [installed,automatic]
libsrtp2-dev/stable,stable,stable,now 2.5.0-3 amd64 [installed]

Yep, definitely not installed.

It looks like libsrtp2-dev is installed only if you pass --dev to the install script. That feels like a problem. Certainly SRTP should be available without installing all of the development libraries?

(I understand I could install libsrtp2-dev as a one-off. Now I’m just wondering why / what’s gone wrong somewhere.)

I didn’t pass that flag in my v17 installs…it was installed on the machines.

This could be due to the latest script changes. Are you sure you need the dev package? Maybe just try with the libsrtp2-1 package.

EDIT: However, it looks like the basic srtp package is missing from the default package list, so I will check this internally and add the package if required.

It is required to support TLS. How did something this important get removed and no one caught it?


The dev package had been added to the default list, and that dev package has now moved to the --dev list. Ideally we should have had the non-dev package in the default list, which was not present since day one.

Welp.

root@voip2:~# apt install libsrtp2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libnspr4 libnss3
The following NEW packages will be installed:
  libnspr4 libnss3 libsrtp2-1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,488 kB of archives.
After this operation, 4,666 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main amd64 libnspr4 amd64 2:4.35-1 [113 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 libnss3 amd64 2:3.87.1-1+deb12u1 [1,331 kB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 libsrtp2-1 amd64 2.5.0-3 [43.9 kB]
Fetched 1,488 kB in 0s (3,013 kB/s)
Selecting previously unselected package libnspr4:amd64.
(Reading database ... 155625 files and directories currently installed.)
Preparing to unpack .../libnspr4_2%3a4.35-1_amd64.deb ...
Unpacking libnspr4:amd64 (2:4.35-1) ...
Selecting previously unselected package libnss3:amd64.
Preparing to unpack .../libnss3_2%3a3.87.1-1+deb12u1_amd64.deb ...
Unpacking libnss3:amd64 (2:3.87.1-1+deb12u1) ...
Selecting previously unselected package libsrtp2-1:amd64.
Preparing to unpack .../libsrtp2-1_2.5.0-3_amd64.deb ...
Unpacking libsrtp2-1:amd64 (2.5.0-3) ...
Setting up libnspr4:amd64 (2:4.35-1) ...
Setting up libnss3:amd64 (2:3.87.1-1+deb12u1) ...
Setting up libsrtp2-1:amd64 (2.5.0-3) ...
Processing triggers for libc-bin (2.36-9+deb12u9) ...
Usage: grep [OPTION]... PATTERNS [FILE]...
Try 'grep --help' for more information.
Usage: grep [OPTION]... PATTERNS [FILE]...
Try 'grep --help' for more information.
Please wait for approx 2 min once apt command execution is completed as dahdi-linux-kmod- kmod-wanpipe- update in progress
root@voip2:~# warning: commands will be executed using /bin/sh
job 4 at Wed Jan 15 00:09:00 2025

root@voip2:~#
root@voip2:~#
root@voip2:~#
root@voip2:~# asterisk -rvvvvvv
Asterisk 21.6.0, Copyright (C) 1999 - 2022, Sangoma Technologies Corporation and others.
Created by Mark Spencer <[email protected]>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 21.6.0 currently running on voip2 (pid = 1712)

voip2*CLI> module load res_srtp.so
Loaded res_srtp.so
  == libsrtp2 2.5.0 initialized
       > Loaded res_srtp.so => (Secure RTP (SRTP))
voip2*CLI>

Not terribly surprising: making an SRTP protected call “just works” with res_srtp.so loaded.

It looks like the install script has been in this state for about the last week, so I imagine I’m not the only one to have built a FreePBX instance in that time.

My next curiosity is why the apt install process includes grep’s syntax help just before a dahdi message.

Here is the issue with the change made on Jan 3rd to the install script… no one seems to realize that moving libsrtp2-dev to the --dev-only flag meant they needed to make sure that libsrtp2-1 (which was being installed as a dependency of libsrtp2-dev) now has to be a package in the standard install.

If there is a change to how the install script works, including removing or adding packages to the standard install process, it needs to be fully tested. This update broke FreePBX’s ability to use the TLS protocol for chan_pjsip for the last 12 days.

In fact, I’m seeing that there are static/shared libraries that would have been installed under the -dev version of the package which are missing from the standard install… for example libspandsp is completely missing from the standard install package list.

So by using the -dev versions to install everything it seems no one realized that not using them as part of the standard install meant they needed to make sure the standard packages were at least being installed.

I’m not coming down on you @kgupta, but we’ve been told at length that there’s an entire testing and QA process, and for almost two weeks now the install script hasn’t been installing packages needed for basic functionality of the PBX, such as SIP TLS and SpanDSP, which is needed for faxing and DTMF.


I agree @BlazeStudios, somehow this got missed in our testing, and we are working on it right now to fix it ASAP.


Just FYI: added both the “srtp” and “spandsp” packages to the default package list.

Regards
Kapil


More specifically, this is what has been added (so far):

apt install "libsrtp2-1" "libspandsp2" "libncurses5" "autoconf" "libical3" "libneon27" "libsnmp40" "libtonezone" "libbluetooth3" "libunbound8" "libsybdb5" "libspeexdsp1" "libiksemel3" "libresample1" "libgmime-3.0-0" "libc-client2007e"

Thanks for your fast response, once you became aware of the issue, @kgupta .

I echo @BlazeStudios 's concerns about testing/QA. That these packages were able to be removed from the install script at all, is astounding.

