TLS/SRTP Internal Call issues

Robert Birch
Mar 16, 2017
Hey Everyone,

I am running on FusionPBX 5.3.8.
I have enabled TLS and SRTP.

I have a Yealink and a Grandstream phone for testing. Both set to Mandatory SRTP.
When I make outbound calls from either handset, I get valid encryption: AES_CM_128_HMAC_SHA1_80 from the Yealink and AEAD_AES_256_GCM from the Grandstream.
Incoming I get AES_CM_128_HMAC_SHA1_80 to the Yealink and both AES_CM_128_HMAC_SHA1_80 and AEAD_AES_256_GCM to the Grandstream.

I think that part is fine and working correctly.

My issue is with internal calling.
When I call from either one, the calls go straight to voicemail. I get an INCOMPATIBLE_DESTINATION error in the CDR for the call. I am assuming that one phone is using one encryption cipher and the other is using a different cipher, and they don't negotiate.

If I set SRTP to Optional on the Grandstream, I can call the Yealink phone due to no SRTP being used. If I set the Yealink to Optional, it still fails.

Is there something I am missing? Or is it just an issue because of the different manufacturers?

Thanks for the help.
 
I would love to hear some opinions on this too. I've done a lot of work with TLS, but SRTP has been hit or miss between different manufacturers, to the point that I just had to disable it sometimes.
 
Think I managed to figure it out.
I had to change my DialPlan to force SRTP.
Here's what I changed.

Under DialPlan -> DialPlan Manager
Edited local_extension (Down near the bottom. Entry 890)
At the bottom of the page, add the following:

Tag = Action
Type = export
Data = rtp_secure_media=mandatory
Order = 71

Should look like this:
[image: local_extension.png]

Hopefully that helps someone else out.

Thanks
 
The issue with that is if you have a device that doesn't support TLS or SRTP, it will fail. I had an issue with an older paging system that only connected with UDP, and also some test softphones I used.
 
That is a good point. It does require TLS.
Should have prefaced with that info. We use TLS so I didn't really think about it.

Is there a better way to do it?

Thanks.
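As an added example (not from the thread or from FusionPBX itself), here is the same change expressed as a FreeSWITCH XML dialplan extension, with a condition so that the "force SRTP" export is only applied when the calling leg actually offered SRTP; callers that only speak plain RTP over UDP get the non-breaking "optional" policy instead. The extension name is hypothetical (in FusionPBX these would be the Action rows appended to local_extension), and two things are assumptions to verify on your own release: that mod_sofia has populated ${rtp_has_crypto} on the inbound leg before the dialplan runs, and that the "mandatory:SUITE,SUITE" suffix for restricting crypto suites is accepted by the FreeSWITCH version underneath your FusionPBX (drop the suffix if it is not).

```xml
<include>
  <!-- Hypothetical extension name; in FusionPBX the two export rows below
       would be added at the end of the existing local_extension entry. -->
  <extension name="local_extension_srtp_policy" continue="true">

    <!-- ${rtp_has_crypto} is set by mod_sofia when the caller's SDP carried a
         crypto line; its value is the negotiated suite (e.g.
         AES_CM_128_HMAC_SHA1_80). If the caller offered plain RTP it is empty.
         Assumed to be available at dialplan time; confirm with the "info"
         application if in doubt. -->
    <condition field="${rtp_has_crypto}" expression="^.+$" break="never">

      <!-- Secure caller: require SRTP on the called leg as well, limited to
           the two suites the phones in this thread negotiated successfully.
           "export" (not "set") copies the variable to the B leg. -->
      <action application="export"
              data="rtp_secure_media=mandatory:AES_CM_128_HMAC_SHA1_80,AEAD_AES_256_GCM"/>

      <!-- Plain-RTP caller (UDP-only paging unit, test softphone): offer SRTP
           but do not require it, so the call still completes. -->
      <anti-action application="export" data="rtp_secure_media=optional"/>
    </condition>
  </extension>
</include>
```

With "mandatory" in effect, a called leg that does not answer with a crypto line is torn down rather than falling back to plain RTP, which is the INCOMPATIBLE_DESTINATION the original post saw in the CDR; with "optional" the call completes unencrypted on that leg. After a test call, `uuid_getvar <uuid> rtp_has_crypto` from fs_cli (or the same field in the CDR) shows which suite, if any, each leg ended up using.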
 
I'm all about TLS. It's the way to go. But some devices don't like it, and it causes issues. I have probably 99% of all devices on TLS, though.