Compile Asterisk with CFLAGS='-DENABLE_SRTP_AES_256'
When sending an SIP INVITE Asterisk only offers the AES_CM_128_HMAC_SHA1_80 SDES SRTP crypto. Some VoIP clients does not accept this weak crypt anymore, eg Zoiper. And yet, Asterisk support many more ciphers including AES_256_CM_HMAC_SHA1_80. When accepting INVITEs Asterisk happily accepts the 256 cipers. To have Asterisk offering a list of cipers it needs to be complied with any combination of:
ENABLE_SRTP_AES_256 ENABLE_SRTP_AES_GCM ENABLE_SRTP_AES_192
The comment in the source code lines 1111 reads:
/* This array creates the following list:
* a=crypto:1 AES_CM_128_HMAC_SHA1_ ...
* a=crypto:2 AEAD_AES_128_GCM ...
* a=crypto:3 AES_256_CM_HMAC_SHA1_ ...
* a=crypto:4 AEAD_AES_256_GCM ...
* a=crypto:5 AES_192_CM_HMAC_SHA1_ ...
* something like 'AEAD_AES_192_GCM' is not specified by the RFCs
*
* If you want to prefer another crypto suite or you want to
* exclude a suite, change this array and recompile Asterisk.
* This list cannot be changed from rtp.conf because you should
* know what you are doing. Especially AES-192 and AES-GCM are
* broken in many VoIP clients, see
* https://github.com/cisco/libsrtp/pull/170
* https://github.com/cisco/libsrtp/pull/184
* Furthermore, AES-GCM uses a shorter crypto-suite string which
* causes Nokia phones based on Symbian/S60 to reject the whole
* INVITE with status 500, even if a matching suite was offered.
* AES-256 might just waste your processor cycles, especially if
* your TLS transport is not secured with equivalent grade, see
* https://security.stackexchange.com/q/61361
* Therefore, AES-128 was preferred here.
*
* If you want to enable one of those defines, please, go for
* CFLAGS='-DENABLE_SRTP_AES_GCM' ./configure && sudo make install
*/