Olli Heiskanen
2014-Jul-26 09:58 UTC
[asterisk-users] Rejecting secure audio stream without encryption details - when using ws clients and Kamailio integration
Greetings,

I've noticed a problem that might originate from my Asterisk configuration, could use a hand in sorting it out. Problem is a 488 response from Asterisk whenever it gets RTP/SAVPF profile in the SDP.

My current setup has Asterisk Kamailio realtime integration, and Kamailio uses dispatcher to route calls for Asterisk to handle. Now I have only one Asterisk, on the same machine as Kamailio. The version is 11.10.2. With Kamailio I use rtpengine, which affects SDP descriptions when 488 response is received.

My goal is to enable two websocket clients using Chrome to call each other, using Kamailio as outbound proxy. Kamailio routes signaling to Asterisk, and then back to clients. Currently the problem is RTP, when INVITE is received from client A to Kamailio, it is relayed to Asterisk. Asterisk responds with 488 Not Acceptable here and the cli says:

NOTICE[11642][C-00000006]: chan_sip.c:10124 process_sdp: Received SAVPF profle in audio offer but AVPF is not enabled, enabling: audio 30212 RTP/SAVPF 111 103 104 0 8 106 105 13 126
WARNING[11642][C-00000006]: chan_sip.c:10509 process_sdp: Rejecting secure audio stream without encryption details: audio 30212 RTP/SAVPF 111 103 104 0 8 106 105 13 126

Strange thing is, I don't know why Asterisk says AVPF is not enabled. The warning about rejecting the audio stream must be behind the 488 response but I didn't find any answers that would solve my case so I must turn to you guys. In my sip.conf I have savpf=yes, but is there something else I need to enable or change in the configs or change my peer configurations?

I'm not sure if this is relevant but I checked that Asterisk was successfully compiled with res_srtp module.

Here's my sip.conf contents:

bindport = 5070 ; using this since Kamailio is at 5060
bindaddr = PU.BL.IC.IP
tcpenable = yes ;no
limitonpeers = yes
rtcachefriends = yes ; for realtime
rtupdate=yes
tos_sip=cs3
tos_audio=ef
useragent=MyAsterisk
realm = myrealm.com

autodomain=no
domain=PU.BL.IC.IP
domain=testers.com

allowexternaldomains=no
allowguest=no
avpf=yes
encryption=yes

transport=ws,udp
icesupport=yes
srvlookup=yes

And here's an example of a ws client in my realtime peer table:

id: 4
name: 660
ipaddr: PU.BL.IC.IP
port: 5060
regseconds: 1406368294
defaultuser: 660
fullcontact: sip:660 at PU.BL.IC.IP:5060
regserver:
useragent:
lastms: 0
host: dynamic
type: friend
context: default
deny: 0.0.0.0/0.0.0.0
permit: PU.BL.IC.IP
secret: NULL
md5secret: NULL
remotesecret: NULL
transport: NULL
dtmfmode: NULL
directmedia: NULL
nat: force_rport,comedia
callgroup: NULL
pickupgroup: NULL
language: NULL
disallow: NULL
allow: NULL
insecure: NULL
trustrpid: NULL
progressinband: NULL
promiscredir: NULL
useclientcode: NULL
accountcode: NULL
setvar: NULL
callerid: NULL
amaflags: NULL
callcounter: NULL
busylevel: NULL
allowoverlap: NULL
allowsubscribe: NULL
videosupport: NULL
maxcallbitrate: NULL
rfc2833compensate: NULL
mailbox: NULL
session-timers: NULL
session-expires: NULL
session-minse: NULL
session-refresher: NULL
t38pt_usertpsource: NULL
regexten: NULL
fromdomain: testers.com
fromuser: 660
qualify: NULL
defaultip: NULL
rtptimeout: NULL
rtpholdtimeout: NULL
sendrpid: NULL
outboundproxy: PU.BL.IC.IP
timert1: NULL
timerb: NULL
qualifyfreq: NULL
constantssrc: NULL
contactpermit: NULL
contactdeny: NULL
usereqphone: NULL
textsupport: NULL
faxdetect: NULL
buggymwi: NULL
auth: NULL
fullname: NULL
trunkname: NULL
cid_number: NULL
callingpres: NULL
mohinterpret: NULL
mohsuggest: NULL
parkinglot: NULL
hasvoicemail: NULL
subscribemwi: NULL
vmexten: NULL
autoframing: NULL
rtpkeepalive: NULL
call-limit: NULL
g726nonstandard: NULL
ignoresdpversion: NULL
allowtransfer: NULL
dynamic: NULL
path: NULL
supportpath: NULL
sippasswd: my-md5-pwd
rpid: NULL
domain: testers.com
sippasswd2: NULL

I'd greatly appreciate help on this!

cheers,
Olli
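
An added diagnostic sketch, not part of the original posts and not Asterisk's own code: it checks an SDP body for the condition the WARNING in the message above names, a secure RTP profile in the m= line with no keying attribute (SDES `a=crypto` or DTLS-SRTP `a=fingerprint`). The function name `audit_sdp` and the sample SDP bodies are constructed for illustration; only the m= line is taken from the quoted log output.

```python
# Added diagnostic sketch, not Asterisk code. Sample SDP bodies are constructed;
# only the m= line comes from the log output in the post.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp):
    """Return one dict per m= section: kind, profile, secure, keying, ok."""
    session_dtls = False   # a=fingerprint before the first m= applies to all media
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                raise ValueError("malformed m= line: %r" % line)
            current = {"kind": fields[0], "profile": fields[2].upper(),
                       "keying": {"dtls"} if session_dtls else set()}
            sections.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["keying"].add("sdes")        # SDES key carried in the SDP (RFC 4568)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_dtls = True
            else:
                current["keying"].add("dtls")    # DTLS-SRTP certificate fingerprint
    for s in sections:
        s["secure"] = s["profile"] in SECURE_PROFILES
        s["keying"] = sorted(s["keying"])
        # A secure profile with no keying attribute cannot be set up as SRTP.
        s["ok"] = bool(s["keying"]) or not s["secure"]
    return sections

# Constructed sample offers (addresses, key and fingerprint are placeholders).
M_LINE = "m=audio 30212 RTP/SAVPF 111 103 104 0 8 106 105 13 126"
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
OFFER_NO_KEYING = HEAD + M_LINE + "\r\na=rtpmap:0 PCMU/8000\r\n"
OFFER_SDES = OFFER_NO_KEYING + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\r\n"
OFFER_DTLS = HEAD + "a=fingerprint:sha-256 00:11:22:33\r\n" + M_LINE + "\r\n"

if __name__ == "__main__":
    for name, body in [("no keying", OFFER_NO_KEYING), ("sdes", OFFER_SDES), ("dtls", OFFER_DTLS)]:
        for s in audit_sdp(body):
            print(name, s["profile"], s["keying"],
                  "ok" if s["ok"] else "REJECT: no encryption details")
```

Running it against the SDP captured on the Kamailio-to-Asterisk leg (after rtpengine has rewritten it) shows whether the keying attributes are still present when the offer reaches Asterisk.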
Olli Heiskanen
2014-Aug-01 08:56 UTC
[asterisk-users] Rejecting secure audio stream without encryption details - when using ws clients and Kamailio integration
Hi,

I got ahead with my setup, this post helped me much:
http://forums.digium.com/viewtopic.php?f=1&t=90167&sid=66fdf8cc4be5d955ba584e989a23442f

At least the avpf setting had to be removed from sip.conf and put in the realtime db table, defined per client. I left the encryption setting in sip.conf. I had some problems calling from SIP client to another, then had to define avpf=no for those clients. Personally I don't like to use different settings to different clients, is there a way around this?

With this setup I can make calls between SIP clients but not ws clients. My client (now I use sip.js) fails to parse the sdp - including the apparently correct rtp profile UDP/TLS/RTP/SAVPF - and sends back 488, which makes the call fail.

I'd like to hear opinions from you guys which would be the correct place to handle this? My setup has Asterisk Kamailio realtime integration, and I use dispatcher in Kamailio to route calls to Asterisk. Kamailio sounds like the logical place, but I'd rather find a way to not change the rtp profile along the way, at least until the clients can support that one.

cheers,
Olli

2014-07-26 12:58 GMT+03:00 Olli Heiskanen <ohjelmistoarkkitehti at gmail.com>:
>
> Greetings,
>
> I've noticed a problem that might originate from my Asterisk
> configuration, could use a hand in sorting it out. Problem is a 488
> response from Asterisk whenever it gets RTP/SAVPF profile in the SDP.
>
> My current setup has Asterisk Kamailio realtime integration, and Kamailio
> uses dispatcher to route calls for Asterisk to handle. Now I have only one
> Asterisk, on the same machine as Kamailio. The version is 11.10.2. With
> Kamailio I use rtpengine, which affects SDP descriptions when 488 response
> is received.
>
> My goal is to enable two websocket clients using Chrome to call each
> other, using Kamailio as outbound proxy. Kamailio routes signaling to
> Asterisk, and then back to clients. Currently the problem is RTP, when
> INVITE is received from client A to Kamailio, it is relayed to Asterisk.
> Asterisk responds with 488 Not Acceptable here and the cli says:
>
> NOTICE[11642][C-00000006]: chan_sip.c:10124 process_sdp: Received SAVPF
> profle in audio offer but AVPF is not enabled, enabling: audio 30212
> RTP/SAVPF 111 103 104 0 8 106 105 13 126
> WARNING[11642][C-00000006]: chan_sip.c:10509 process_sdp: Rejecting
> secure audio stream without encryption details: audio 30212 RTP/SAVPF 111
> 103 104 0 8 106 105 13 126
>
>
> Strange thing is, I don't know why Asterisk says AVPF is not enabled. The
> warning about rejecting the audio stream must be behind the 488 response
> but I didn't find any answers that would solve my case so I must turn to
> you guys. In my sip.conf I have savpf=yes, but is there something else I
> need to enable or change in the configs or change my peer configurations?
>
> I'm not sure if this is relevant but I checked that Asterisk was
> successfully compiled with res_srtp module.
>
> Here's my sip.conf contents:
>
> bindport = 5070 ; using this since Kamailio is at 5060
> bindaddr = PU.BL.IC.IP
> tcpenable = yes ;no
> limitonpeers = yes
> rtcachefriends = yes ; for realtime
> rtupdate=yes
> tos_sip=cs3
> tos_audio=ef
> useragent=MyAsterisk
> realm = myrealm.com
>
> autodomain=no
> domain=PU.BL.IC.IP
> domain=testers.com
>
> allowexternaldomains=no
> allowguest=no
> avpf=yes
> encryption=yes
>
> transport=ws,udp
> icesupport=yes
> srvlookup=yes
>
>
> And here's an example of a ws client in my realtime peer table:
>
> id: 4
> name: 660
> ipaddr: PU.BL.IC.IP
> port: 5060
> regseconds: 1406368294
> defaultuser: 660
> fullcontact: sip:660 at PU.BL.IC.IP:5060
> regserver:
> useragent:
> lastms: 0
> host: dynamic
> type: friend
> context: default
> deny: 0.0.0.0/0.0.0.0
> permit: PU.BL.IC.IP
> secret: NULL
> md5secret: NULL
> remotesecret: NULL
> transport: NULL
> dtmfmode: NULL
> directmedia: NULL
> nat: force_rport,comedia
> callgroup: NULL
> pickupgroup: NULL
> language: NULL
> disallow: NULL
> allow: NULL
> insecure: NULL
> trustrpid: NULL
> progressinband: NULL
> promiscredir: NULL
> useclientcode: NULL
> accountcode: NULL
> setvar: NULL
> callerid: NULL
> amaflags: NULL
> callcounter: NULL
> busylevel: NULL
> allowoverlap: NULL
> allowsubscribe: NULL
> videosupport: NULL
> maxcallbitrate: NULL
> rfc2833compensate: NULL
> mailbox: NULL
> session-timers: NULL
> session-expires: NULL
> session-minse: NULL
> session-refresher: NULL
> t38pt_usertpsource: NULL
> regexten: NULL
> fromdomain: testers.com
> fromuser: 660
> qualify: NULL
> defaultip: NULL
> rtptimeout: NULL
> rtpholdtimeout: NULL
> sendrpid: NULL
> outboundproxy: PU.BL.IC.IP
> timert1: NULL
> timerb: NULL
> qualifyfreq: NULL
> constantssrc: NULL
> contactpermit: NULL
> contactdeny: NULL
> usereqphone: NULL
> textsupport: NULL
> faxdetect: NULL
> buggymwi: NULL
> auth: NULL
> fullname: NULL
> trunkname: NULL
> cid_number: NULL
> callingpres: NULL
> mohinterpret: NULL
> mohsuggest: NULL
> parkinglot: NULL
> hasvoicemail: NULL
> subscribemwi: NULL
> vmexten: NULL
> autoframing: NULL
> rtpkeepalive: NULL
> call-limit: NULL
> g726nonstandard: NULL
> ignoresdpversion: NULL
> allowtransfer: NULL
> dynamic: NULL
> path: NULL
> supportpath: NULL
> sippasswd: my-md5-pwd
> rpid: NULL
> domain: testers.com
> sippasswd2: NULL
>
>
> I'd greatly appreciate help on this!
>
> cheers,
> Olli
>