Questions About SRTP


Hi all,

I’m getting ready to set up SIP/TLS and SRTP. But I have a few questions. The first one is that I was reading an article at:

https://supportforums.cisco.com/docs/DOC-15381

That indicated that Asterisk doesn’t support TLS as an OPTIONAL transport. It’s either all or nothing. Specifically, this is what it said:

==============================================
*Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is active on peer, it will not accept non-ciphered audio and vice versa. On the IP phones, however, it is possible to have unsecure calls if the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom supports also the

3 thoughts on - Questions About SRTP

  • Mike Diehl wrote:

    Your statement is incorrect. Asterisk supports TLS as an optional signaling transport (although if you do SDES SRTP without it then someone can snoop on your keys and ultimately decrypt your media).

    What it does not support is optional *SRTP*. If a device requests SRTP
    and it’s not possible, the call will fail.

  • So then, is it safe to say that Asterisk will ALLOW a secure phone call, but the client has to REQUEST it?

    I understand that requesting SRTP without SIP/TLS is evil; I just misunderstood what I was reading.

    I’m also thinking that the AGI script I use to route calls can check if either leg of a call comes from or goes to port 5061 and play a sound file to indicate that the call is ‘secure.’ Does this seem reasonable?

    Thanks,

    Mike.
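
An added example, not part of the original thread or of Asterisk itself: one way an AGI script could decide whether to play a "secure" announcement by asking Asterisk for the calling leg's reported state through the chan_sip `CHANNEL(secure_signaling)` and `CHANNEL(secure_media)` function items. The sound file name `call-is-secure` is a placeholder, and the sketch covers only the leg the AGI runs on.

```python
#!/usr/bin/env python3
"""AGI sketch: announce 'secure' only when Asterisk reports TLS signaling AND SRTP media."""
import re
import sys

RESULT = re.compile(r"^200 result=(-?\d+)(?: \((.*)\))?")
SOUND = "call-is-secure"  # placeholder sound file name (assumption)


class AGI:
    def __init__(self, reader=sys.stdin, writer=sys.stdout):
        self.r, self.w = reader, writer
        self.env = {}
        # Asterisk sends "agi_key: value" lines, terminated by a blank line.
        for line in iter(self.r.readline, ""):
            line = line.strip()
            if not line:
                break
            key, _, value = line.partition(":")
            self.env[key] = value.strip()

    def command(self, text):
        # Send one AGI command and parse the "200 result=N (value)" reply.
        self.w.write(text + "\n")
        self.w.flush()
        m = RESULT.match(self.r.readline().strip())
        return (int(m.group(1)), m.group(2) or "") if m else (-1, "")

    def channel_flag(self, item):
        # GET FULL VARIABLE evaluates dialplan functions such as CHANNEL().
        code, value = self.command("GET FULL VARIABLE ${CHANNEL(%s)}" % item)
        return code == 1 and value == "1"


def leg_is_secure(agi):
    # Both must hold: TLS alone leaves the audio in clear RTP, and SDES SRTP
    # without TLS exposes the media keys carried in the signaling.
    return agi.channel_flag("secure_signaling") and agi.channel_flag("secure_media")


def main(agi):
    secure = leg_is_secure(agi)
    if secure:
        agi.command('STREAM FILE %s ""' % SOUND)
    return secure


if __name__ == "__main__":
    main(AGI())
```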