SRTP supported ciphers

I’ve enabled SRTP encryption to my SIP trunk provider (Telnyx). However, I’ve noticed that on outgoing calls, FreePBX 16 / Asterisk 20 only advertises a single relatively weak cipher in the SIP messages:

a=crypto:1 AES_CM_128_HMAC_SHA1_80

For incoming calls, my trunk provider supports many stronger ciphers:

a=crypto:1 AEAD_AES_256_GCM_8 inline:wJ06fTsijm5YKwSkNPaQHqMZUYc8sj+yUHM/mHYll8eR6rs2Yi9Q/FhrQRQ=
a=crypto:2 AEAD_AES_256_GCM inline:5T2WajWNH6oD3vLYW4oOEQ+K/9FHxIE2aCp9n/k0crd4l4B7DZxc0Mag9/4=
a=crypto:3 AEAD_AES_128_GCM_8 inline:lXGJ7syrTExu7rkmpLAseUCBUdIi4goOmJup8A==
a=crypto:4 AEAD_AES_128_GCM inline:KsJH9N0RGICrWyyE7hexkRTd8sLy62GfGDlDdw==
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:qxEQakwQRAmnuyy40hcLzgyc0Hp+yjDZfH8mUZlZoa1JeQbOiMomlotlLAVBqg==
a=crypto:6 AES_192_CM_HMAC_SHA1_80 inline:nuM0x+EgLYs7WchoaQDdqaVf1h8kx8nuIR141yXfoW6Ew7H7/30=
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:8vZxC13ss3vrXwv2ijEgZxOP6C8JQE5kVbd7MmKS
a=crypto:8 AES_256_CM_HMAC_SHA1_32 inline:C1zVv+av9dWZ3sZ4AflThmUdSd5IwcGU0B9Htwyq3W6J2nk1/9RxZi+0G8mQCQ==
a=crypto:9 AES_192_CM_HMAC_SHA1_32 inline:fNfQSbDEHEZOHW0repp0q0BXH/ZJ5M9zjFjFarxYzTYlHUvtVK0=
a=crypto:10 AES_CM_128_HMAC_SHA1_32 inline:sb7jd9XAoARrsH1OUixpac0fxVxlgGqGdLK+6eII
a=crypto:11 AES_CM_128_NULL_AUTH inline:OJuxawzOKuLh8Fk3wa5a7MGakJ2Y/3ZIFyvGpPWF

However, FreePBX still picks the same relatively weak cipher in the negotiation (#7 in the above list).

PJSIP apparently supports many other ciphers:

raspbx*CLI> pjsip list ciphers
Available ciphers: 'TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-AES256-CCM, ECDHE-ECDSA-ARIA256-GCM-SHA384, ECDHE-ARIA256-GCM-SHA384, DHE-DSS-ARIA256-GCM-SHA384, DHE-RSA-ARIA256-GCM-SHA384, ADH-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-CCM, DHE-RSA-AES128-CCM8, DHE-RSA-AES128-CCM, ECDHE-ECDSA-ARIA128-GCM-SHA256, ECDHE-ARIA128-GCM-SHA256, DHE-DSS-ARIA128-GCM-SHA256, DHE-RSA-ARIA128-GCM-SHA256, ADH-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, ECDHE-ECDSA-CAMELLIA256-SHA384, ECDHE-RSA-CAMELLIA256-SHA384, DHE-RSA-CAMELLIA256-SHA256, DHE-DSS-CAMELLIA256-SHA256, ADH-AES256-SHA256, ADH-CAMELLIA256-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, ECDHE-ECDSA-CAMELLIA128-SHA256, ECDHE-RSA-CAMELLIA128-SHA256, DHE-RSA-CAMELLIA128-SHA256, DHE-DSS-CAMELLIA128-SHA256, ADH-AES128-SHA256, ADH-CAMELLIA128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-SEED-SHA, DHE-DSS-SEED-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA, AECDH-AES128-SHA, ADH-AES128-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY1305, ECDHE-PSK-CHACHA20-POLY1305, DHE-PSK-AES256-CCM8, DHE-PSK-AES256-CCM, RSA-PSK-ARIA256-GCM-SHA384, DHE-PSK-ARIA256-GCM-SHA384, AES256-GCM-SHA384, AES256-CCM8, AES256-CCM, ARIA256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, PSK-AES256-CCM8, PSK-AES256-CCM, PSK-ARIA256-GCM-SHA384, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-CCM8, DHE-PSK-AES128-CCM, RSA-PSK-ARIA128-GCM-SHA256, DHE-PSK-ARIA128-GCM-SHA256, AES128-GCM-SHA256, AES128-CCM8, AES128-CCM, ARIA128-GCM-SHA256, PSK-AES128-GCM-SHA256, PSK-AES128-CCM8, PSK-AES128-CCM, PSK-ARIA128-GCM-SHA256, AES256-SHA256, CAMELLIA256-SHA256, AES128-SHA256, CAMELLIA128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, ECDHE-PSK-CAMELLIA256-SHA384, RSA-PSK-CAMELLIA256-SHA384, DHE-PSK-CAMELLIA256-SHA384, AES256-SHA, CAMELLIA256-SHA, PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA, PSK-CAMELLIA256-SHA384, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, ECDHE-PSK-CAMELLIA128-SHA256, RSA-PSK-CAMELLIA128-SHA256, DHE-PSK-CAMELLIA128-SHA256, AES128-SHA, SEED-SHA, CAMELLIA128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA, PSK-CAMELLIA128-SHA256, ECDHE-ECDSA-NULL-SHA, ECDHE-RSA-NULL-SHA, AECDH-NULL-SHA, NULL-SHA256, ECDHE-PSK-NULL-SHA384, ECDHE-PSK-NULL-SHA256, ECDHE-PSK-NULL-SHA, RSA-PSK-NULL-SHA384, RSA-PSK-NULL-SHA256, DHE-PSK-NULL-SHA384, DHE-PSK-NULL-SHA256, RSA-PSK-NULL-SHA, DHE-PSK-NULL-SHA, NULL-SHA, NULL-MD5, PSK-NULL-SHA384, PSK-NULL-SHA256, PSK-NULL-SHA, DEFAULT, @SECLEVEL=1, @SECLEVEL=2, @SECLEVEL=3, @SECLEVEL=4, @SECLEVEL=5'

So why is it only advertising one? Is there any way to configure this?

Thanks.

Try adding to /etc/asterisk/pjsip_custom_post.conf (for example):

[0.0.0.0-tls](+type=transport)
cipher=TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256

then restart Asterisk.
pjsip show transport 0.0.0.0-tls
should show the change.

Of course, use your actual transport name and desired ciphers.

Thanks Stewart. Unfortunately, this doesn’t seem to work. Adding the desired ciphers, even though they should be compatible with the trunk provider based on what is being advertised, results in cipher negotiation failing with no common ciphers found, so the trunk doesn’t connect. Not sure why and haven’t had the time to troubleshoot further yet.

Thanks anyway though!

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.