Hi Richard and Alex,

Thank you very much for the information. In our Kamailio configuration the rtpengine_manage() lines have "SDES-off", so presumably then we are using DTLS?

Are either SDES or DTLS considered more secure or "better" in any way?


On Wed, 10 Apr 2024 at 10:32, Richard Fuchs via sr-users <sr-users@lists.kamailio.org> wrote:
On 09/04/2024 17.40, David Cunningham via sr-users wrote:
> How does rtpengine get the TLS certificates, and what crypto library
> does it use (openssl?).

SRTP itself doesn't use any certificates, and is not TLS. The underlying
cipher (AES) is provided by OpenSSL, while the SRTP implementation
itself is its own.

TLS and certificates are relevant when it comes to the key exchange.
With SDES, keys are exchanged in-line and nothing else is needed.

The other option is DTLS: Here a self-signed certificate is used
(generated at startup), and keys are exchanged using the DTLS
implementation provided by OpenSSL. The certificate's fingerprint is
exchanged in-line and that's how the peer's certificate is verified.
After the key exchange completes, the SRTP keys are extracted from the
handshake, DTLS is done, and the rest is just regular SRTP.

Cheers


--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782
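
The two key-exchange options described in the quoted reply look different on the wire: SDES puts the key itself in the SDP (`a=crypto`), while DTLS-SRTP puts only the certificate fingerprint there (`a=fingerprint`). The following is an added example, not part of the original thread and not rtpengine's code; it classifies an SDP body and checks a peer certificate against the signalled fingerprint. The SDP bodies, the dummy key, the certificate bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the peer's DER-encoded certificate (not a real one).
PEER_CERT_DER = b"constructed-der-bytes-for-illustration"

def sdp_fingerprint(der, algo="sha-256"):
    """Hash a DER certificate and format it like an SDP a=fingerprint value."""
    hexed = hashlib.new(algo.replace("-", ""), der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))

# Constructed SDP bodies: one SDES offer, one DTLS-SRTP offer.
SDES_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40,  # dummy key
]) + "\r\n"
DTLS_SDP = "\r\n".join([
    "v=0", "o=- 2 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30002 UDP/TLS/RTP/SAVP 0",
    "a=setup:actpass",
    "a=fingerprint:sha-256 " + sdp_fingerprint(PEER_CERT_DER),
]) + "\r\n"

def key_exchange(sdp):
    """Return the SRTP keying methods an SDP body carries."""
    found = {"sdes_suites": [], "dtls_fingerprints": []}
    for line in sdp.splitlines():
        if line.startswith("a=crypto:"):
            # a=crypto:<tag> <suite> inline:<key||salt>; the key travels in the SDP
            found["sdes_suites"].append(line.split()[1])
        elif line.startswith("a=fingerprint:"):
            algo, value = line[len("a=fingerprint:"):].split(None, 1)
            found["dtls_fingerprints"].append((algo.lower(), value.strip().upper()))
    return found

def peer_cert_matches(sdp, der):
    """True if the certificate seen in the DTLS handshake matches the SDP."""
    for algo, value in key_exchange(sdp)["dtls_fingerprints"]:
        # Constant-time comparison of the computed and signalled fingerprints.
        if hmac.compare_digest(sdp_fingerprint(der, algo), value):
            return True
    return False

if __name__ == "__main__":
    print(key_exchange(SDES_SDP))
    print(peer_cert_matches(DTLS_SDP, PEER_CERT_DER))
```

In both cases the SDP is the trust anchor: the SDES key or the DTLS fingerprint is only as trustworthy as the signalling path that carried it.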