Reference11r1:Concept DTLS-SRTP
Applies To
This information applies to
- all innovaphone devices from v11r1 RC2
Overview
Protocol flow
Configuration
Priority of SDES and DTLS-SRTP
If nothing is configured, the device offers both SDES and DTLS-SRTP for outgoing calls. For incoming calls it selects SDES if offered. Otherwise it selects DTLS-SRTP or unencrypted RTP, as a fallback. This allows for compatibility with most endpoints.
The admin can change that behaviour at the configuration of the registration. There the key exchange mechanisms (SDES, DTLS-SRTP) and their priority can be selected. For example on phones this is can be done on page Phone/User/General. Please consult the help pages for details.
Certificates
No special configuration is needed regarding certificates. DTLS-SRTP does not require endpoints to have the certificate of the remote endpoint in the trust list. Also it doen't check the names inside certificates.
Disabling DTLS-SRTP
For debugging purposes there are config options at the signalling modules that globally turn DTLS-SRTP off. Normally this should not be needed.
config add H323 /dtls-disabled config add SIP /dtls-disabled config add TSIP /dtls-disabled config add SIPS /dtls-disabled
Tracing
Activation
Traces for debugging DTLS-SRTP can be activated at the signalling module. The trace flags are also available on the debug.xml page.
config add H323 /dtls-trace on config add SIP /dtls-trace on config add TSIP /dtls-trace on config add SIPS /dtls-trace on
Reading traces
Known limitations
References
- RFC5764 - Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)