FreeSWITCH / FS-5755

Allow better control over incoming/outgoing secure media offers

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_sofia
    • Security Level: public
    • Labels: None
    • CPU Architecture: x86
    • Kernel: Linux
    • Userland: GNU/Linux
    • Compiler: gcc
    • FreeSWITCH GIT Revision: All
    • GIT Master Revision hash: All

      Description

      Ideally there would be "codec like" means to control inbound and outbound SRTP behavior. Currently setting sip_secure_media/rtp_secure_media doesn't seem to have the expected effect when compared to codecs, for example:

      A leg endpoint sends the following SDP:

         v=0
         o=- 1377289399 1377289399 IN IP4 10.41.22.51
         s=Polycom IP Phone
         c=IN IP4 10.41.22.51
         t=0 0
         a=sendrecv
         m=audio 2222 RTP/SAVP 9 0 8 18 101
         a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:zXsSyzAa4QvE6ZtZDktSWqQSgvOvCrBprAmsMg9p
         a=rtpmap:9 G722/8000
         a=rtpmap:0 PCMU/8000
         a=rtpmap:8 PCMA/8000
         a=rtpmap:18 G729/8000
         a=fmtp:18 annexb=no
         a=rtpmap:101 telephone-event/8000
         m=audio 2222 RTP/AVP 9 0 8 18 101
         a=rtpmap:9 G722/8000
         a=rtpmap:0 PCMU/8000
         a=rtpmap:8 PCMA/8000
         a=rtpmap:18 G729/8000
         a=fmtp:18 annexb=no
         a=rtpmap:101 telephone-event/8000

      If I wanted to select the codec I could parse ${ep_codec_string} and set ${absolute_codec} to the codec I wanted to select. I could also export absolute_codec to contain only the codecs I wanted to offer on the B leg. However, FreeSWITCH will automatically enable crypto in this case on the A leg because of the crypto offer. Ideally I could set sip_secure_media=false and FreeSWITCH would decline the crypto offer on the A leg, just like I can export sip_secure_media to offer crypto on the B leg today.

      However, in this case the Polycom gives control of AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, RTP/SAVP + RTP/AVP, RTP/SAVP only, etc. Ideally FreeSWITCH would also allow inbound and outbound control over the crypto suite selected/offered.

      I'd also like the ability for FreeSWITCH to offer RTP/AVP + RTP/SAVP on the B leg for selection by the remote endpoint. It seems that allowing the export of "sip_secure_media=both" or "sip_secure_media=optional" might make sense for this.
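
The offer shape described in this issue (one RTP/SAVP and one RTP/AVP media line for the same port), as an added example that is not part of the original report and is not FreeSWITCH code. It parses a constructed offer and picks a media line under a hypothetical policy; the policy names `required`, `optional` and `forbidden`, the function names and the allowed-suite list are assumptions of this sketch.

```python
# Added example: classify SDP media sections by transport profile and SRTP
# crypto suite, then select one under a hypothetical policy. The policy names
# are assumptions of this sketch, not FreeSWITCH settings.

# Constructed sample modelled on the offer in the issue; keys are placeholders.
SAMPLE_OFFER = """\
v=0
o=- 1 1 IN IP4 192.0.2.10
s=example
c=IN IP4 192.0.2.10
t=0 0
m=audio 2222 RTP/SAVP 9 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDERKEY
a=rtpmap:9 G722/8000
m=audio 2222 RTP/AVP 9 0 8
a=rtpmap:9 G722/8000
"""

def parse_media(sdp):
    """Return one dict per m= line: media type, port, profile, crypto suites."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            sections.append({"media": media, "port": int(port.split("/")[0]),
                             "profile": profile, "suites": []})
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <suite> <key-params> [session-params]
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3:
                sections[-1]["suites"].append(fields[1])
    return sections

def select_media(sections, policy, allowed_suites=("AES_CM_128_HMAC_SHA1_80",)):
    """Return (section_index, suite_or_None) for the policy, or None to reject."""
    secure = [(i, s) for i, s in enumerate(sections) if s["profile"] == "RTP/SAVP"]
    plain = [i for i, s in enumerate(sections) if s["profile"] == "RTP/AVP"]
    if policy in ("required", "optional"):
        for i, s in secure:
            for suite in s["suites"]:
                if suite in allowed_suites:
                    return i, suite
        if policy == "required":
            return None  # never fall back to cleartext RTP
    if policy in ("optional", "forbidden") and plain:
        return plain[0], None
    return None
```

Under `required`, an offer whose only acceptable line is RTP/AVP is rejected rather than silently downgraded, which is the case worth logging when secure media is expected.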

            People

            • Assignee: anthm Anthony Minessale II
            • Reporter: krisk Kristian Kielhofner