Telephone rejects RTP/SAVP calls with TLS enabled about telephone HOT 9 CLOSED

Yeah, that's weird. What you're expecting is exactly how I designed it to work. If TLS is enabled as transport, SRTP is mandatory. It is mandatory in both directions and last time I checked, it worked like this, also for incoming calls.

Can I see the full debug log from Telephone? Just to make sure we didn't miss anything. And to have a full picture from the app's perspective. You can send it to the support email address from the website.

from telephone.

To generate a debug log, you can start Telephone from the command line like this:

/Applications/Telephone.app/Contents/MacOS/Telephone -LogLevel 6 -ConsoleLogLevel 6

It will write both to the standard output and to the Telephone.log file that you can reveal via the Help menu. Note that the log file is incomplete until you quit the app.

from telephone.

Thanks for the quick response. I've just sent an email to support containing a Nextcloud link to access the logs.

from telephone.

Thanks. I see that Asterisk is sending AVP and not SAVP in the INVITE.

m=audio 10090 RTP/AVP 8 9 107 0 101

So the behavior when Telephone rejects this because SRTP is mandatory is the expected behavior.

What about the media_encryption setting in Asterisk? Maybe setting it to sdes would be the same thing that Telephone has internally as PJMEDIA_SRTP_MANDATORY?

from telephone.

I suspect that Asterisk's media_encryption_optimistic is PJSIP's PJMEDIA_SRTP_OPTIONAL.

from telephone.

Yes, I've just realised the behaviour is the opposite to what I stated in my original post!

As you say, with media_encryption_optimistic = no Asterisk is sending:

m=audio 10126 RTP/SAVP 8 9 107 0 101

and with media_encryption_optimistic = yes, it sends:

m=audio 10008 RTP/AVP 8 9 107 0 101

This seems completely counter intuitive to me based on the Asterisk documentation. In any case, it's not a Telephone issue but an Asterisk issue.

Please accept my apologies for wasting your time!

Edit: I got the no/yes lines the wrong way round (again!)

from telephone.

I think it stems from the PJSIP behavior and yes, it is confusing. And Asterisk even made two separate settings from this which probably doesn't make it easier. It seems like the proper combination for what we want is:

media_encryption enabled (sdes)
media_encryption_optimistic disabled, meaning it's mandatory

from telephone.

Yes, it looks like you're correct:

	/* If an optimistic offer has been made but encryption is not enabled consider it as having
	 * no offer of crypto at all instead of invalid so the session proceeds.
	 */
	if (optimistic) {
		return AST_SIP_MEDIA_ENCRYPT_NONE;
	}

So by enabling this option I've explicitly made all my communications less secure 🤦

Closing this now, again thanks for your help and apologies for wasting your time.

from telephone.

No worries, it's good that it came up now, I'll be more prepared in the future.

from telephone.