Re: [asterisk-dev] Asterisk 18.16.0-rc1 Now Available

2022-12-21 Thread Michael Maier

On 21.12.22 at 15:52 Fridrich Maximilian wrote:
>> I got it working now with [...]
>
> That is excellent news!

But the remaining useless headers in Invite should be removed before the
final release.

>> I think this should be part of the documentation.
>
> I'm not a maintainer but I think usually the documentation is kept
> quite general without describing specific use cases. The docs for the
> security_mechanisms parameter say "This is a comma-delimited list of
> security mechanisms to use. Each security mechanism must be in the form
> defined by RFC 3329 section 2.2." [1]. I think this should suffice.

Sorry - I wasn't able to derive the options string needed *for your
implementation* based on RFC 3329 section 2.2. For me it wasn't obvious
that the ';mediasec' has to be added (I would have expected that this
is done automatically if the first parameter is set to mediasec
(security_negotiation=mediasec)).

security_mechanisms=msrp-tls\;mediasec,sdes-srtp\;mediasec,dtls-srtp\;mediasec

Therefore I still think this must be part of the documentation. What's
wrong with providing an example for a (specific) use case? Why should it be
secret? This way, users know how the config option has to be used
without long trial and error to guess the correct syntax.



Thanks
Michael

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-dev
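
A pre-flight check for the option discussed in this message, added here as an example; it is not code from the thread or from Asterisk. It assumes an unescaped ';' starts a comment in the config file and '\;' is a literal ';'; the function names are hypothetical.

```python
import re

# RFC 3329 section 2.2 builds mechanism names and parameters from SIP tokens.
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
# Simplification: parameter values are tokens; quoted-string values are not handled.
PARAM = re.compile(rf"{TOKEN}(?:={TOKEN})?")

def config_value(line):
    """Return the value kept from a 'key=value' line (comment rule is an assumption)."""
    _, _, raw = line.partition("=")
    out, i = [], 0
    while i < len(raw):
        if raw.startswith("\\;", i):   # escaped semicolon -> literal ';'
            out.append(";")
            i += 2
        elif raw[i] == ";":            # unescaped semicolon -> rest is a comment
            break
        else:
            out.append(raw[i])
            i += 1
    return "".join(out).strip()

def parse_mechanisms(value):
    """Split the comma-delimited list and check each entry against the 2.2 form."""
    mechanisms = []
    for entry in value.split(","):
        name, *params = [p.strip() for p in entry.split(";")]
        if not re.fullmatch(TOKEN, name):
            raise ValueError(f"bad mechanism name: {entry!r}")
        for p in params:
            if not PARAM.fullmatch(p):
                raise ValueError(f"bad parameter in {entry!r}: {p!r}")
        mechanisms.append((name, params))
    return mechanisms

def security_client_headers(line):
    """Render one Security-Client header per configured mechanism, in list order."""
    return ["Security-Client: " + ";".join([name, *params])
            for name, params in parse_mechanisms(config_value(line))]

def missing_mediasec(line):
    """Mechanisms that would be offered without the 'mediasec' parameter."""
    return [n for n, p in parse_mechanisms(config_value(line)) if "mediasec" not in p]

if __name__ == "__main__":
    # The line from the message above, then the same list with the escapes left out.
    for cfg in (r"security_mechanisms=msrp-tls\;mediasec,sdes-srtp\;mediasec,dtls-srtp\;mediasec",
                "security_mechanisms=sdes-srtp;mediasec,dtls-srtp;mediasec"):
        print(security_client_headers(cfg), missing_mediasec(cfg))
```

With the escapes left out, everything after the first ';' is read as a comment, so only a single bare mechanism remains.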

Re: [asterisk-dev] Asterisk 18.16.0-rc1 Now Available

2022-12-21 Thread Fridrich Maximilian
> I got it working now with [...]

That is excellent news!

> I think this should be part of the documentation.

I'm not a maintainer but I think usually the documentation is kept
quite general without describing specific use cases. The docs for the
security_mechanisms parameter say "This is a comma-delimited list of
security mechanisms to use. Each security mechanism must be in the form
defined by RFC 3329 section 2.2." [1]. I think this should suffice.

> The Invite has too many headers

Thank you, I will look into it.

> I did not test options and reInvite. Did you test reInvites?

I have tested OPTIONS and in my current setup I have only tested
re-INVITES on outgoing calls from the caller.

Best,
Max

[1] 
https://wiki.asterisk.org/wiki/display/AST/Asterisk+18+Configuration_res_pjsip#Asterisk18Configuration_res_pjsip-endpoint_security_mechanisms


Re: [asterisk-dev] Asterisk 18.16.0-rc1 Now Available

2022-12-21 Thread Michael Maier

On 21.12.22 at 09:17 Michael Maier wrote:
> On 21.12.22 at 08:21 Fridrich Maximilian wrote:
>>> Security-Client: sdes-srtp;mediasec
>>>  ^
>>> The ",mediasec" is missing.
>>
>> Yes, the security_mechanisms option is a comma separated list of the
>> literal security_mechanisms that should be used. I.e. you have to
>> specify security_mechanisms=sdes-srtp\;mediasec,dtls-srtp\;mediasec
>> (don't forget to escape the semicolon).
>
> I got it working now with (order has been important if I remember correctly)
>
> security_mechanisms=msrp-tls\;mediasec,sdes-srtp\;mediasec,dtls-srtp\;mediasec
>
> I think this should be part of the documentation.
>
> But:
> The Invite has too many headers - those are not needed (or is it Telekom
> specific?):
>
> Security-Client: msrp-tls;mediasec
> Security-Client: sdes-srtp;mediasec
> Security-Client: dtls-srtp;mediasec
>
> Maybe remove them?

Just detected some more eventually unneeded headers in Invite:

Require: mediasec
Proxy-Require: mediasec

Those three headers in Invite seem to be enough (besides the a=3ge2ae:requested in
SDP) - couldn't see any problem during ~ 3 years until now.

Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec


Thanks
Michael


Re: [asterisk-dev] Asterisk 18.16.0-rc1 Now Available

2022-12-21 Thread Michael Maier

On 21.12.22 at 08:21 Fridrich Maximilian wrote:
>> Security-Client: sdes-srtp;mediasec
>>  ^
>> The ",mediasec" is missing.
>
> Yes, the security_mechanisms option is a comma separated list of the
> literal security_mechanisms that should be used. I.e. you have to
> specify security_mechanisms=sdes-srtp\;mediasec,dtls-srtp\;mediasec
> (don't forget to escape the semicolon).

I got it working now with (order has been important if I remember correctly)

security_mechanisms=msrp-tls\;mediasec,sdes-srtp\;mediasec,dtls-srtp\;mediasec

I think this should be part of the documentation.

But:
The Invite has too many headers - those are not needed (or is it Telekom
specific?):

Security-Client: msrp-tls;mediasec
Security-Client: sdes-srtp;mediasec
Security-Client: dtls-srtp;mediasec

Maybe remove them?

>> always the first entry of the list configured above is dropped in
>> the following register request. Is this fixed by your mentioned patch
>> below?
>
> I could not reproduce this behavior. I just tested it with the current
> patch and no list entries were dropped.

Yes - the current version including your additional patch doesn't show this
behavior any more.

>> I think the different headers are not addressed?
>
> Do you mean the missing ";mediasec" values? That is due to the
> configuration, as stated above. Besides that, I'm quite confident it
> behaves as intended, we have been running test systems for quite a
> while now.
>
> I hope we can resolve your issues, it would certainly be desirable if
> this patch worked for more than just very specific Telekom servers.

Yes - that would be very good! Please think about documentation using some
practical examples to get a working connection!

I tested inbound and outbound calls. I did not test options and reInvite. Did you
test reInvites?



Thanks
Michael
