[SR-Users] Reject tls invites without a=crypto sdp

Karsten Horsmann khorsmann at gmail.com
Mon Dec 16 12:56:02 CET 2019


Hi David and List,

I ended up with a route like this:

route[CHECK_CRYPTO] {
        # Only inspect requests that carry SDP and arrived over TLS
        if ( has_body("application/sdp") && $proto =~ "tls" ) {
            # No a=crypto attribute anywhere in the body: reject the offer
            if ( !search_body("a=crypto") ) {
                xlog("[CHECK_ACRYPTO] IP not sending crypto Src: [$si] to IP:[$Ri]:[$Rp] \n");
                append_to_reply("P-SBC-Error: SdpParsingFailure\r\n");
                sl_send_reply("488", "Not Acceptable Here");
                exit;
            }
        }
        return;
}

that I call from my INVITE checking block.

Cheers
Karsten

On Sat, Dec 14, 2019 at 14:54, David Villasmil <david.villasmil.work at gmail.com> wrote:

> Sure, only if it's tls ;)
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
> On Sat, Dec 14, 2019 at 11:12 AM Karsten Horsmann <khorsmann at gmail.com>
> wrote:
>
>> Hi David,
>>
>> That looks good. It's a bit too greedy, cos I translate SRTP from the
>> internet to RTP to the inside.
>>
>> Maybe an AND with
>>
>> If proto==TLS would be a good idea.
>>
>> Cheers.
>> Karsten
>>
>> David Villasmil <david.villasmil.work at gmail.com> wrote on Sat,
>> Dec 14, 2019, 11:35:
>>
>>> Well, you could simply use
>>>
>>>
>>> if ( has_body("application/sdp") ) {
>>>   if ( !search_body("a=crypto") ) {
>>>     ... reject here ...
>>>   }
>>> }
>>>
>>> though there's probably a better way...
>>>
>>> David Villasmil
>>> email: david.villasmil.work at gmail.com
>>> phone: +34669448337
>>>
>>>
>>> On Sat, Dec 14, 2019 at 8:20 AM Karsten Horsmann <khorsmann at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I use Kamailio 5.3.1 with rtpengine to offer a SIP trunk endpoint for
>>>> my customers.
>>>>
>>>> I observe that some of them use TLS to encrypt signaling but
>>>> have forgotten to encrypt RTP.
>>>>
>>>> I want to reject these INVITEs.
>>>>
>>>> Are there any hints on how to do this?
>>>>
>>>> Thought about reading the SDP and searching for an a=crypto line and, if
>>>> there is none, sending a reply with (whatever code will be good for that).
>>>>
>>>> Cheers
>>>> Karsten
>>>> _______________________________________________
>>>> Kamailio (SER) - Users Mailing List
>>>> sr-users at lists.kamailio.org
>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>>


-- 
Kind regards
*Karsten Horsmann*
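
Added example, not part of the original post or of Kamailio: a stand-alone Python check that goes one step beyond the body-wide search_body("a=crypto") test in the thread by requiring an a=crypto attribute in every active m= section, run over constructed SDP bodies. The function name, addresses and the key placeholder are assumptions made for illustration.

```python
def media_without_crypto(sdp):
    """Return the m= lines of active media sections that have no a=crypto attribute."""
    missing = []
    current = None       # m= line of the section being scanned
    has_crypto = False
    active = False
    for raw in sdp.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if line.startswith("m="):
            # Close the previous section before starting a new one
            if current is not None and active and not has_crypto:
                missing.append(current)
            current, has_crypto = line, False
            fields = line[2:].split()
            # Port 0 marks a disabled stream; nothing to protect there
            active = len(fields) >= 2 and fields[1].split("/")[0] != "0"
        elif current is not None and line.startswith("a=crypto:"):
            # a=crypto is a media-level attribute, so lines before the
            # first m= line are ignored
            has_crypto = True
    if current is not None and active and not has_crypto:
        missing.append(current)
    return missing


# Constructed sample bodies (documentation addresses, placeholder key)
_HEAD = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
_CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"


def _sdp(*media):
    return "\r\n".join(_HEAD + list(media)) + "\r\n"


SDP_PLAIN = _sdp("m=audio 49170 RTP/AVP 0")
SDP_SRTP = _sdp("m=audio 49170 RTP/SAVP 0", _CRYPTO)
# Audio is protected, video is not: a body-wide search still finds "a=crypto"
SDP_MIXED = _sdp("m=audio 49170 RTP/SAVP 0", _CRYPTO, "m=video 51372 RTP/AVP 31")
SDP_DISABLED = _sdp("m=audio 49170 RTP/SAVP 0", _CRYPTO, "m=video 0 RTP/AVP 31")

if __name__ == "__main__":
    for name, body in [("plain", SDP_PLAIN), ("srtp", SDP_SRTP),
                       ("mixed", SDP_MIXED), ("disabled", SDP_DISABLED)]:
        print(name, "| body-wide match:", "a=crypto" in body,
              "| unprotected:", media_without_crypto(body))
```

The mixed case is the one the body-wide search accepts although one stream would still be sent as plain RTP.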