06-13-2020 11:06 AM - edited 06-13-2020 11:14 AM
I'm in the process of integrating my Cisco IP 8861 3PCC with Freeswitch but see some interesting behavior in regards to SRTP crypto. I am on sip88xx.11-3-1MPP-697.loads firmware which I believe is the latest for this phone.
Freeswitch passes the following line for crypto in the INVITE SDP:
a=crypto:1 AEAD_AES_256_GCM_8 inline:obfuscated
a=crypto:2 AEAD_AES_128_GCM_8 inline:obfuscated
a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:obfuscated
a=crypto:4 AES_192_CM_HMAC_SHA1_80 inline:obfuscated
a=crypto:5 AES_CM_128_HMAC_SHA1_80 inline:obfuscated
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:obfuscated
a=crypto:7 AES_192_CM_HMAC_SHA1_32 inline:obfuscated
a=crypto:8 AES_CM_128_HMAC_SHA1_32 inline:obfuscated
a=crypto:9 AES_CM_128_NULL_AUTH inline:obfuscated
But then the phone replies back with:
a=crypto:1 AEAD_AES_256_GCM inline:obfuscated.
I see two problems with this:
1. How can the phone reply back with AEAD_AES_256_GCM (not the same as AEAD_AES_256_GCM_8) when that isn't even in the original invite list. It's assumed that the Invite SDP contains what the remote side supports so if the phone doesn't support any of the cryptos specified in the Invite SDP it should respond back with the appropriate SIP unsupported message or something like that. In this case the phone does support at least one of the options which is AES_CM_128_HMAC_SHA1_80 but refuses to choose that for the encryption.
2. In the case where in the phone Audio Configuration -> Encryption Method: AES 128 is chosen:
06-19-2020 01:22 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide